From: Dan Aloni <dan@aloni.org>
To: Linux Kernel List <linux-kernel@vger.kernel.org>
Cc: Greg Kroah-Hartman <gregkh@suse.de>
Subject: [PATCH] Staging: prevent rtl8187se from crashing dev_ioctl() in SIOCGIWNAME
Date: Sat, 20 Jun 2009 16:32:22 +0300 [thread overview]
Message-ID: <20090620133222.GA18731@localhost> (raw)
I repeatedly get __stack_chk_fail panic()s with this driver before
applying the attached fix.
ieee80211_wx_get_name() ignores sizeof(wrqu->name) which is IFNAMSIZ (16), and
on certain conditions, the concatenated string will be larger than IFNAMSIZ
including the terminating zero.
length ("802.11" ++ "b" ++ "/g" ++ " linked" ++ "\x00") == 17
This fix uses strl{cpy,cat} in addition to the reduction of the total
possible length of the output string by a char.
It can be applied to 2.6.30-stable as well.
Signed-off-by: Dan Aloni <dan@aloni.org>
---
.../rtl8187se/ieee80211/ieee80211_softmac_wx.c | 12 ++++++------
1 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/staging/rtl8187se/ieee80211/ieee80211_softmac_wx.c b/drivers/staging/rtl8187se/ieee80211/ieee80211_softmac_wx.c
index 93af37e..54b4b71 100644
--- a/drivers/staging/rtl8187se/ieee80211/ieee80211_softmac_wx.c
+++ b/drivers/staging/rtl8187se/ieee80211/ieee80211_softmac_wx.c
@@ -461,19 +461,19 @@ int ieee80211_wx_get_name(struct ieee80211_device *ieee,
struct iw_request_info *info,
union iwreq_data *wrqu, char *extra)
{
- strcpy(wrqu->name, "802.11");
+ strlcpy(wrqu->name, "802.11", IFNAMSIZ);
if(ieee->modulation & IEEE80211_CCK_MODULATION){
- strcat(wrqu->name, "b");
+ strlcat(wrqu->name, "b", IFNAMSIZ);
if(ieee->modulation & IEEE80211_OFDM_MODULATION)
- strcat(wrqu->name, "/g");
+ strlcat(wrqu->name, "/g", IFNAMSIZ);
}else if(ieee->modulation & IEEE80211_OFDM_MODULATION)
- strcat(wrqu->name, "g");
+ strlcat(wrqu->name, "g", IFNAMSIZ);
if((ieee->state == IEEE80211_LINKED) ||
(ieee->state == IEEE80211_LINKED_SCANNING))
- strcat(wrqu->name," linked");
+ strlcat(wrqu->name," link", IFNAMSIZ);
else if(ieee->state != IEEE80211_NOLINK)
- strcat(wrqu->name," link..");
+ strlcat(wrqu->name," .....", IFNAMSIZ);
return 0;
--
1.6.0.4
next reply other threads:[~2009-06-20 13:39 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-06-20 13:32 Dan Aloni [this message]
2009-06-20 20:51 ` [PATCH] Staging: prevent rtl8187se from crashing dev_ioctl() in SIOCGIWNAME Bartlomiej Zolnierkiewicz
2009-06-24 19:34 ` [PATCH] prevent rtl8192su from crashing dev_ioctl " Dan Aloni
2009-06-25 14:34 ` Bartlomiej Zolnierkiewicz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090620133222.GA18731@localhost \
--to=dan@aloni.org \
--cc=gregkh@suse.de \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.