From: Daniel Mack <daniel@xxxxxxxx>
Date: Sun, 13 Dec 2009 04:47:30 +0800

> We've experienced a long standing bug when quickly switching from
> ad-hoc to managed mode on a hardware using a Libertas chipset.

Can you please CC: linux-wireless for wireless patches?

Thanks.

> The effect is that after a number of mode transitions (sometimes as few
> as two sufficed), the kernel will oops at very strange locations, mostly
> in something like __kmem_alloc().
>
> While the root cause turned out to be an issue with the wpa-supplicant
> which feeds the kernel driver with garbage, this occasion pointed out a
> bug in the wireless wext core when SSIDs with 32 byte lengths are passed
> from userspace. In this case, the string is not properly NULL-terminated
> which causes some other part to corrupt memory.
>
> (In the particular case I observed, an SIOCSIWESSID was issued with
> bogus data in iwp->pointer but iwp->length=32).
>
> I admittedly couldn't find where the actual corruption itself happens,
> but with this trivial fix, I can't reproduce the bug anymore.
>
> Signed-off-by: Daniel Mack <daniel@xxxxxxxx>
> Cc: Dan Williams <dcbw@xxxxxxxxxx>
> Cc: Michael Hirsch <m.hirsch@xxxxxxxxxxxx>
> Cc: netdev@xxxxxxxxxxxxxxx
> Cc: libertas-dev@xxxxxxxxxxxxxxxxxxx
> Cc: stable@xxxxxxxxxx
> --- > net/wireless/wext.c | 4 ++-- > 1 files changed, 2 insertions(+), 2 deletions(-) > --- > net/wireless/wext-core.c | 4 ++-- > 1 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c > index 5e1656b..3d8f4b0 100644 > --- a/net/wireless/wext-core.c > +++ b/net/wireless/wext-core.c
> @@ -759,8 +759,8 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd, > } > } > > - /* kzalloc() ensures NULL-termination for essid_compat. */ > - extra = kzalloc(extra_size, GFP_KERNEL); > + /* kzalloc() +1 ensures NULL-termination for essid_compat. */ > + extra = kzalloc(extra_size + 1, GFP_KERNEL); > if (!extra) > return -ENOMEM; > > -- > 1.6.3.3
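
Review bot: The extra_size + 1 in the kzalloc() call pads every request that goes through ioctl_standard_iw_point(), but the updated comment still justifies it only by essid_compat, and the commit message says the code that actually corrupts memory was not found. As written, the extra zero byte keeps whatever consumer treats the buffer as a terminated string from running past a full 32-byte SSID, without identifying or bounding that consumer. Suggest rewording the comment to state the real reason (a maximum-length ESSID from userspace fills all extra_size bytes and leaves no terminator), and following up by locating the reader that ignores iwp->length so it can be limited by length instead of relying on the terminator. The message also carries two diffstat blocks, one naming net/wireless/wext.c and one naming net/wireless/wext-core.c, while the diff only touches wext-core.c; the stale block should be dropped before this goes to stable.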