On Tue, Dec 15, 2009 at 11:03:31AM +0100, Johannes Berg wrote: > > > > - /* kzalloc() ensures NULL-termination for essid_compat. */ > > > - extra = kzalloc(extra_size, GFP_KERNEL); > > > + /* kzalloc() +1 ensures NULL-termination for essid_compat. */ > > > + extra = kzalloc(extra_size + 1, GFP_KERNEL); > > That doesn't seem correct. > > If this is used in a SET, then it is purely an in-kernel thing and > everything in the kernel is passed the length + data, and the kernel > MUST NEVER treat the SSID as a NUL-terminated string. > > If this is used in a GET, then it will be filled up to 32 bytes by the > get handler, and the trailing \0 your patch reserves will never be > copied into userspace. The problem is the GET case. The libertas driver copies ssid_len characters here and appends a trailing \0, which my patch caught now and which caused memory corruption in before. >From what I've seen, libertas _does_ treat the extra data correctly at all places, I checked it several times now. (Btw, the %s format string you pointed out all use print_ssid() to properly escape all non-printable characters, so they're rules out, too). I'll send a patch to fix the flaw in libertas. Thanks, Daniel -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
