Re: [PATCH] libertas: fix buffer overrun


On Wed, 2008-10-29 at 11:43 +0100, Johannes Berg wrote:
> If somebody sends an invalid beacon/probe response, that can trash the
> whole BSS descriptor. The descriptor is, luckily, large enough so that
> it cannot scribble past the end of it; it's well above 400 bytes long.
> 
> Signed-off-by: Johannes Berg <johannes@xxxxxxxxxxxxxxxx>
> Cc: stable@xxxxxxxxxx [2.6.24-2.6.27, bug present in some form since driver was added (2.6.22)]

Acked-by: Dan Williams <dcbw@xxxxxxxxxx>

> ---
> Not really tested for lack of hw.
> 
> John, this is part of the other patch I sent, but this one's
> for 2.6.28.
> 
> The function there needs to be reviewed more, it seems to access
> potentially invalid memory when an AP sends other, too short,
> information elements.
> 
> --- a/drivers/net/wireless/libertas/scan.c
> +++ b/drivers/net/wireless/libertas/scan.c
> @@ -598,8 +598,8 @@ static int lbs_process_bss(struct bss_descriptor *bss,
>  
>  		switch (elem->id) {
>  		case MFIE_TYPE_SSID:
> -			bss->ssid_len = elem->len;
> -			memcpy(bss->ssid, elem->data, elem->len);
> +			bss->ssid_len = min_t(int, 32, elem->len);
> +			memcpy(bss->ssid, elem->data, bss->ssid_len);
>  			lbs_deb_scan("got SSID IE: '%s', len %u\n",
>  			             escape_essid(bss->ssid, bss->ssid_len),
>  			             bss->ssid_len);
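Review bot: the literal 32 in `min_t(int, 32, elem->len)` should be tied to the destination, either the named SSID-length constant or the declared size of `bss->ssid`, so the clamp cannot drift from the buffer it protects. The clamp bounds only the write side: nothing in the visible lines checks `elem->len` against the bytes remaining in the received frame before this or any other case reads `elem->data`, which matches the too-short-element concern raised above the diff and deserves a check at the top of the loop. A debug message when an oversized SSID element is truncated would also make malformed beacons visible in scan logs.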
> 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
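The two bounds discussed in this thread, the write-side clamp from the patch and the read-side check for too-short information elements, shown together as an added example. This is not code from the libertas driver; `parse_ies`, `struct bss_info`, `SSID_MAX` and `IE_SSID` are hypothetical names, and the sample frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SSID_MAX 32   /* same bound the patch clamps to */
#define IE_SSID  0    /* 802.11 element ID of the SSID element */

struct bss_info {                 /* hypothetical stand-in for the BSS descriptor */
    uint8_t ssid[SSID_MAX + 1];
    uint8_t ssid_len;
};

/* Walk the id/len/data elements in buf. Returns 0 on success, -1 when an
 * element header or body would run past the end of the received frame. */
int parse_ies(const uint8_t *buf, size_t buflen, struct bss_info *bss)
{
    size_t pos = 0;

    memset(bss, 0, sizeof(*bss));
    while (pos < buflen) {
        if (buflen - pos < 2)             /* truncated id/len header */
            return -1;

        uint8_t id = buf[pos];
        uint8_t len = buf[pos + 1];
        const uint8_t *data = buf + pos + 2;

        if (len > buflen - pos - 2)       /* body claims more than the frame holds */
            return -1;

        if (id == IE_SSID) {
            /* write-side clamp, as in the patch */
            bss->ssid_len = len > SSID_MAX ? SSID_MAX : len;
            memcpy(bss->ssid, data, bss->ssid_len);
        }
        pos += 2 + (size_t)len;
    }
    return 0;
}

int main(void)
{
    /* constructed frame: SSID element claims 10 bytes, only 2 follow */
    static const uint8_t trunc[] = { IE_SSID, 10, 'a', 'b' };
    struct bss_info bss;

    return parse_ies(trunc, sizeof(trunc), &bss) == -1 ? 0 : 1;
}
```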
