* [patch] staging: r8188eu: memory corruption handling long ssids
@ 2014-02-06 20:42 Dan Carpenter
From: Dan Carpenter @ 2014-02-06 20:42 UTC (permalink / raw)
To: kernel-janitors
We should cap the SSID length at NDIS_802_11_LENGTH_SSID (32) characters
to avoid memory corruption. If the SSID is too long then I have opted
to ignore it instead of truncating it.
We don't need to clear bssid->Ssid.Ssid[0] because this struct is
allocated with rtw_zmalloc()
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/staging/rtl8188eu/core/rtw_wlan_util.c b/drivers/staging/rtl8188eu/core/rtw_wlan_util.c
index 153ec61493ab..96df62f95b6b 100644
--- a/drivers/staging/rtl8188eu/core/rtw_wlan_util.c
+++ b/drivers/staging/rtl8188eu/core/rtw_wlan_util.c
@@ -912,12 +912,12 @@ int rtw_check_bcn_info(struct adapter *Adapter, u8 *pframe, u32 packet_len)
unsigned char *pbuf;
u32 wpa_ielen = 0;
u8 *pbssid = GetAddr3Ptr(pframe);
- u32 hidden_ssid = 0;
struct HT_info_element *pht_info = NULL;
struct rtw_ieee80211_ht_cap *pht_cap = NULL;
u32 bcn_channel;
unsigned short ht_cap_info;
unsigned char ht_info_infos_0;
+ int ssid_len;
if (is_client_associated_to_ap(Adapter) = false)
return true;
@@ -999,21 +999,15 @@ int rtw_check_bcn_info(struct adapter *Adapter, u8 *pframe, u32 packet_len)
}
/* checking SSID */
+ ssid_len = 0;
p = rtw_get_ie(bssid->IEs + _FIXED_IE_LENGTH_, _SSID_IE_, &len, bssid->IELength - _FIXED_IE_LENGTH_);
- if (p = NULL) {
- DBG_88E("%s marc: cannot find SSID for survey event\n", __func__);
- hidden_ssid = true;
- } else {
- hidden_ssid = false;
- }
-
- if ((NULL != p) && (false = hidden_ssid && (*(p + 1)))) {
- memcpy(bssid->Ssid.Ssid, (p + 2), *(p + 1));
- bssid->Ssid.SsidLength = *(p + 1);
- } else {
- bssid->Ssid.SsidLength = 0;
- bssid->Ssid.Ssid[0] = '\0';
+ if (p) {
+ ssid_len = *(p + 1);
+ if (ssid_len > NDIS_802_11_LENGTH_SSID)
+ ssid_len = 0;
}
+ memcpy(bssid->Ssid.Ssid, (p + 2), ssid_len);
+ bssid->Ssid.SsidLength = ssid_len;
RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("%s bssid.Ssid.Ssid:%s bssid.Ssid.SsidLength:%d "
"cur_network->network.Ssid.Ssid:%s len:%d\n", __func__, bssid->Ssid.Ssid,
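Review bot: The `memcpy(bssid->Ssid.Ssid, (p + 2), ssid_len)` after the `if (p)` block now runs even when rtw_get_ie() returns NULL, so `p + 2` is computed from a null pointer and the call is harmless only because ssid_len is 0 on that path. Keeping the copy inside the guard makes the bound and the copy read as one check: `if (p && p[1] <= NDIS_802_11_LENGTH_SSID) { ssid_len = p[1]; memcpy(bssid->Ssid.Ssid, p + 2, ssid_len); }`. Separately, the RT_TRACE that follows prints bssid->Ssid.Ssid with `%s`; if the Ssid array is exactly NDIS_802_11_LENGTH_SSID bytes (its declaration is not visible here), a maximum-length SSID leaves it unterminated, and `%.*s` with SsidLength would bound the read. rtw_check_bcn_info starts and ends outside the hunk.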
* Re: [patch] staging: r8188eu: memory corruption handling long ssids
From: Larry Finger @ 2014-02-07 2:49 UTC (permalink / raw)
To: kernel-janitors
On 02/06/2014 02:42 PM, Dan Carpenter wrote:
> We should cap the SSID length at NDIS_802_11_LENGTH_SSID (32) characters
> to avoid memory corruption. If the SSID is too long then I have opted
> to ignore it instead of truncating it.
>
> We don't need to clear bssid->Ssid.Ssid[0] because this struct is
> allocated with rtw_zmalloc()
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Larry
>
> diff --git a/drivers/staging/rtl8188eu/core/rtw_wlan_util.c b/drivers/staging/rtl8188eu/core/rtw_wlan_util.c
> index 153ec61493ab..96df62f95b6b 100644
> --- a/drivers/staging/rtl8188eu/core/rtw_wlan_util.c
> +++ b/drivers/staging/rtl8188eu/core/rtw_wlan_util.c
> @@ -912,12 +912,12 @@ int rtw_check_bcn_info(struct adapter *Adapter, u8 *pframe, u32 packet_len)
> unsigned char *pbuf;
> u32 wpa_ielen = 0;
> u8 *pbssid = GetAddr3Ptr(pframe);
> - u32 hidden_ssid = 0;
> struct HT_info_element *pht_info = NULL;
> struct rtw_ieee80211_ht_cap *pht_cap = NULL;
> u32 bcn_channel;
> unsigned short ht_cap_info;
> unsigned char ht_info_infos_0;
> + int ssid_len;
>
> if (is_client_associated_to_ap(Adapter) = false)
> return true;
> @@ -999,21 +999,15 @@ int rtw_check_bcn_info(struct adapter *Adapter, u8 *pframe, u32 packet_len)
> }
>
> /* checking SSID */
> + ssid_len = 0;
> p = rtw_get_ie(bssid->IEs + _FIXED_IE_LENGTH_, _SSID_IE_, &len, bssid->IELength - _FIXED_IE_LENGTH_);
> - if (p = NULL) {
> - DBG_88E("%s marc: cannot find SSID for survey event\n", __func__);
> - hidden_ssid = true;
> - } else {
> - hidden_ssid = false;
> - }
> -
> - if ((NULL != p) && (false = hidden_ssid && (*(p + 1)))) {
> - memcpy(bssid->Ssid.Ssid, (p + 2), *(p + 1));
> - bssid->Ssid.SsidLength = *(p + 1);
> - } else {
> - bssid->Ssid.SsidLength = 0;
> - bssid->Ssid.Ssid[0] = '\0';
> + if (p) {
> + ssid_len = *(p + 1);
> + if (ssid_len > NDIS_802_11_LENGTH_SSID)
> + ssid_len = 0;
> }
> + memcpy(bssid->Ssid.Ssid, (p + 2), ssid_len);
> + bssid->Ssid.SsidLength = ssid_len;
>
> RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("%s bssid.Ssid.Ssid:%s bssid.Ssid.SsidLength:%d "
> "cur_network->network.Ssid.Ssid:%s len:%d\n", __func__, bssid->Ssid.Ssid,
>