From: Michael Buesch <mb@bu3sch.de>
To: John Linville <linville@tuxdriver.com>
Cc: bcm43xx-dev@lists.berlios.de, linux-wireless@vger.kernel.org,
Johannes Berg <johannes@sipsolutions.net>,
Stefano Brivio <stefano.brivio@polimi.it>
Subject: [PATCH] b43: Fix tim search buffer overrun
Date: Thu, 27 Dec 2007 22:15:11 +0100
Message-ID: <200712272215.12056.mb@bu3sch.de>
Use the length of the variable section of the beacon instead of the
whole beacon length for bounds checking.
Signed-off-by: Michael Buesch <mb@bu3sch.de>
Index: wireless-2.6/drivers/net/wireless/b43/main.c
===================================================================
--- wireless-2.6.orig/drivers/net/wireless/b43/main.c 2007-12-26 18:20:38.000000000 +0100
+++ wireless-2.6/drivers/net/wireless/b43/main.c 2007-12-27 22:05:07.000000000 +0100
@@ -1161,7 +1161,7 @@ static void b43_write_beacon_template(st
u16 ram_offset,
u16 shm_size_offset, u8 rate)
{
- int i, len;
+ unsigned int i, len, variable_len;
const struct ieee80211_mgmt *bcn;
const u8 *ie;
bool tim_found = 0;
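Review bot: changing `i` and `len` from `int` to `unsigned int` changes how the loop bound behaves on short input. With signed arithmetic `len - 2` goes negative for a tiny template and the loop simply never runs; with unsigned arithmetic `variable_len - 2` wraps to a very large value when `variable_len` is 0 or 1, and the loop would then walk `ie[]` far past the end of the buffer. Either keep the signed types or add an explicit minimum-length check before the loop; the unsigned variant is only safe if every caller guarantees `len` is at least the header size plus two.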
@@ -1176,7 +1176,8 @@ static void b43_write_beacon_template(st
/* Find the position of the TIM and the DTIM_period value
* and write them to SHM. */
ie = bcn->u.beacon.variable;
- for (i = 0; i < len - 2; ) {
+ variable_len = len - offsetof(struct ieee80211_mgmt, u.beacon.variable);
+ for (i = 0; i < variable_len - 2; ) {
uint8_t ie_id, ie_len;
ie_id = ie[i];
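Review bot: `variable_len = len - offsetof(struct ieee80211_mgmt, u.beacon.variable)` is computed without checking that `len` is at least that offset, so a truncated beacon template makes `variable_len` wrap (it is `unsigned int`) and the `i < variable_len - 2` bound stops protecting the `ie[i]` reads. Suggest rejecting the template up front, e.g. `if (len < offsetof(struct ieee80211_mgmt, u.beacon.variable) + 2) return;` before the loop, which also covers the `variable_len - 2` underflow. With that guard the fix is right: the old bound compared an index into `variable` against the whole-frame length, which is exactly the overrun the subject describes.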
@@ -1187,7 +1188,7 @@ static void b43_write_beacon_template(st
/* This is the TIM Information Element */
/* Check whether the ie_len is in the beacon data range. */
- if (len < ie_len + 2 + i)
+ if (variable_len < ie_len + 2 + i)
break;
/* A valid TIM is at least 4 bytes long. */
if (ie_len < 4)
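Review bot: the comment above the check still says "beacon data range" while the check now bounds against the variable section; reword it to say the IE must fit inside the remaining variable-length section so it matches `variable_len`. The check itself is sound: `ie_len` is a `u8` and `i` is bounded by the loop condition, so `ie_len + 2 + i` cannot wrap in `unsigned int`.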