On Tue, 2011-06-07 at 20:42 +0300, Luciano Coelho wrote:
> When one of the SSID's length passed in a scan or sched_scan request
> is larger than 255, there will be an overflow in the u8 that is used
> to store the length before checking.  This causes the check to fail
> and we overrun the buffer when copying the SSID.
>
> Fix this by checking the nl80211 attribute length before copying it to
> the struct.
>
> This is a follow up for the previous commit
> 208c72f4fe44fe09577e7975ba0e7fa0278f3d03, which didn't fix the problem
> entirely.
>
> Reported-by: Ido Yariv <ido@xxxxxxxxxx>
> Signed-off-by: Luciano Coelho <coelho@xxxxxx>
> ---

This should also go to stable, but since it won't apply directly there,
I'll wait till it's applied upstream and then backport it to stable
kernels.

-- 
Cheers,
Luca.
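
The truncation described in the commit message above, as an added example that is not part of the original thread or of the kernel patch: a simplified user-space model of checking a length after versus before it is narrowed to a u8. The names `struct ssid_entry`, `length_check_after_u8_store` and `store_ssid_checked` are hypothetical, and the flawed variant only reports the length a copy would use, it performs no copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SSID_MAX_LEN 32 /* maximum SSID length in 802.11 */

/* Hypothetical stand-in for the per-SSID struct in a scan request. */
struct ssid_entry {
    uint8_t ssid[SSID_MAX_LEN];
    uint8_t ssid_len; /* u8: cannot represent lengths above 255 */
};

/*
 * Flawed order: store in the u8 first, then check the stored value.
 * Returns the byte count a later copy of the full attribute would use,
 * or -1 if the check rejects the request. No copy is performed here.
 */
static long length_check_after_u8_store(size_t attr_len)
{
    uint8_t stored = (uint8_t)attr_len; /* 288 wraps to 32, 256 to 0 */

    if (stored > SSID_MAX_LEN)
        return -1;
    return (long)attr_len;
}

/* Fixed order: check the full-width attribute length, then copy and store. */
static int store_ssid_checked(struct ssid_entry *dst, const uint8_t *data,
                              size_t attr_len)
{
    if (attr_len > SSID_MAX_LEN)
        return -1;
    memcpy(dst->ssid, data, attr_len);
    dst->ssid_len = (uint8_t)attr_len;
    return 0;
}

int main(void)
{
    static const uint8_t attr[288] = { 0 }; /* constructed oversized attribute */
    struct ssid_entry e = { { 0 }, 0 };

    printf("after-store check, len 288: %ld\n", length_check_after_u8_store(288));
    printf("checked store,     len 288: %d\n", store_ssid_checked(&e, attr, 288));
    printf("checked store,     len 32:  %d\n", store_ssid_checked(&e, attr, 32));
    return 0;
}
```

Lengths from 33 to 255 are rejected by both orderings; only values of 256 and above whose low byte is 32 or less slip past the check made on the stored u8.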