From: Daniel Mack <daniel@caiaq.de>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: David Miller <davem@davemloft.net>,
linux-kernel@vger.kernel.org, dcbw@redhat.com,
m.hirsch@raumfeld.com, netdev@vger.kernel.org,
libertas-dev@lists.infradead.org, stable@kernel.org,
linux-wireless@vger.kernel.org
Subject: Re: [PATCH] wireless: wext: allocate space for NULL-termination for 32byte SSIDs
Date: Wed, 16 Dec 2009 11:58:44 +0800 [thread overview]
Message-ID: <20091216035844.GN28375@buzzloop.caiaq.de> (raw)
In-Reply-To: <1260871411.3692.4.camel@johannes.local>
On Tue, Dec 15, 2009 at 11:03:31AM +0100, Johannes Berg wrote:
>
> > > - /* kzalloc() ensures NULL-termination for essid_compat. */
> > > - extra = kzalloc(extra_size, GFP_KERNEL);
> > > + /* kzalloc() +1 ensures NULL-termination for essid_compat. */
> > > + extra = kzalloc(extra_size + 1, GFP_KERNEL);
>
> That doesn't seem correct.
>
> If this is used in a SET, then it is purely an in-kernel thing and
> everything in the kernel is passed the length + data, and the kernel
> MUST NEVER treat the SSID as a NUL-terminated string.
>
> If this is used in a GET, then it will be filled up to 32 bytes by the
> get handler, and the trailing \0 your patch reserves will never be
> copied into userspace.
The problem is the GET case. The libertas driver copies ssid_len
characters here and appends a trailing \0, which my patch caught now and
which caused memory corruption in before.
>From what I've seen, libertas _does_ treat the extra data correctly
at all places, I checked it several times now. (Btw, the %s format
string you pointed out all use print_ssid() to properly escape all
non-printable characters, so they're rules out, too).
I'll send a patch to fix the flaw in libertas.
Thanks,
Daniel
next prev parent reply other threads:[~2009-12-16 3:58 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-12-12 20:47 [PATCH] wireless: wext: allocate space for NULL-termination for 32byte SSIDs Daniel Mack
2009-12-15 9:43 ` David Miller
2009-12-15 10:03 ` Johannes Berg
2009-12-15 10:05 ` Johannes Berg
2009-12-15 10:07 ` Johannes Berg
2009-12-15 10:20 ` Daniel Mack
2009-12-15 10:20 ` Daniel Mack
2009-12-15 10:31 ` Johannes Berg
2009-12-15 10:31 ` Johannes Berg
2009-12-15 10:37 ` Daniel Mack
2009-12-15 10:30 ` Holger Schurig
2009-12-15 10:30 ` Holger Schurig
2009-12-15 10:35 ` Johannes Berg
2009-12-15 10:35 ` Johannes Berg
2009-12-16 6:54 ` Albert Cahalan
2009-12-16 6:54 ` Albert Cahalan
2009-12-16 8:19 ` Johannes Berg
2009-12-16 8:26 ` Holger Schurig
2009-12-16 3:58 ` Daniel Mack [this message]
2009-12-16 8:20 ` Johannes Berg
2009-12-15 10:16 ` Albert Cahalan
2009-12-15 10:16 ` Albert Cahalan
2009-12-15 16:29 ` Marcel Holtmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20091216035844.GN28375@buzzloop.caiaq.de \
--to=daniel@caiaq.de \
--cc=davem@davemloft.net \
--cc=dcbw@redhat.com \
--cc=johannes@sipsolutions.net \
--cc=libertas-dev@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=m.hirsch@raumfeld.com \
--cc=netdev@vger.kernel.org \
--cc=stable@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.