On Sat, 2009-04-25 at 22:36 +0200, Michael Buesch wrote: > I don't fully understand the code, but let's imagine the following situation: > > - cfg80211_bss_update was called and the ie was stored to allocated space. > - The information_elements pointer is changed to the allocated space. > - cfg80211_bss_update is called again, but now the ie fits into the > space after the "found" structure. > - But the information_elements pointer still points to the allocated space. > So it may overrun the buffer and crash. > > Is this scenario possible? > If yes, please consider the following patch. Yeah, looks like a bug, good catch. I don't think the fix is correct though -- you lose the data in this case. I think it should simply be: > size_t ielen = res->pub.len_information_elements; > > - if (ksize(found) >= used + ielen) { > + if (!found->ies_allocated && ksize(found) >= used + ielen) { > memcpy(found->pub.information_elements, > res->pub.information_elements, ielen); > found->pub.len_information_elements = ielen; > so that the else branch gets a chance to reallocate if necessary, would you agree? johannes
Attachment:
signature.asc
Description: This is a digitally signed message part