* Re: [PATCH] Libertas: fix buffer overflow in lbs_get_essid()
       [not found] <1260936778-2096-1-git-send-email-daniel@caiaq.de>
@ 2009-12-16 4:18 ` Daniel Mack
       [not found] ` <1260982667.2179.9.camel@localhost.localdomain>
  1 sibling, 0 replies; 4+ messages in thread
From: Daniel Mack @ 2009-12-16 4:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Dan Williams, Holger Schurig, John W. Linville, Stephen Hemminger,
      Maithili Hinge, Kiran Divekar, Michael Hirsch, netdev,
      libertas-dev, linux-wireless, stable

(Sorry, had a typo in the linux-wireless list address, corrected now).

On Wed, Dec 16, 2009 at 05:12:58AM +0100, Daniel Mack wrote:
>
> The libertas driver copies the SSID buffer back to the wireless core and
> appends a trailing NULL character for termination. This is
>
> a) unnecessary because the buffer is allocated with kzalloc and is hence
> already NULLed when this function is called, and
>
> b) for priv->curbssparams.ssid_len == 32, it writes back one byte too
> much which causes memory corruptions.
>
> Fix this by removing the extra write.
>
> Signed-off-by: Daniel Mack <daniel@caiaq.de>
> Cc: Dan Williams <dcbw@redhat.com>
> Cc: Holger Schurig <holgerschurig@gmail.com>
> Cc: John W. Linville <linville@tuxdriver.com>
> Cc: Stephen Hemminger <shemminger@vyatta.com>
> Cc: Maithili Hinge <maithili@marvell.com>
> Cc: Kiran Divekar <dkiran@marvell.com>
> Cc: Michael Hirsch <m.hirsch@raumfeld.com>
> Cc: netdev@vger.kernel.org
> Cc: libertas-dev@lists.infradead.org
> Cc: linux-wireless@lists.infradead.org
> Cc: stable@kernel.org
> ---
> drivers/net/wireless/libertas/wext.c | 2 --
> 1 files changed, 0 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/wireless/libertas/wext.c b/drivers/net/wireless/libertas/wext.c > index be837a0..01c738b 100644 > --- a/drivers/net/wireless/libertas/wext.c > +++ b/drivers/net/wireless/libertas/wext.c
> @@ -1953,10 +1953,8 @@ static int lbs_get_essid(struct net_device *dev, struct iw_request_info *info, > if (priv->connect_status == LBS_CONNECTED) { > memcpy(extra, priv->curbssparams.ssid, > priv->curbssparams.ssid_len); > - extra[priv->curbssparams.ssid_len] = '\0'; > } else { > memset(extra, 0, 32); > - extra[priv->curbssparams.ssid_len] = '\0'; > } > /* > * If none, we may want to get the one that was set > -- > 1.6.3.3 > ^ permalink raw reply [flat|nested] 4+ messages in thread
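Review bot: In the LBS_CONNECTED branch the memcpy() length is still priv->curbssparams.ssid_len with no upper bound visible in this hunk, so removing the terminator write only closes the ssid_len == 32 case; if ssid_len could ever exceed 32, the copy itself would run past the end of extra. Either clamp the length before the memcpy() or state in the commit message where ssid_len is guaranteed to be at most 32. With the explicit '\0' writes gone, termination now depends entirely on the caller passing in a zeroed buffer (the kzalloc the commit message refers to), so a short comment above the memcpy() recording that assumption would help anyone who later changes the caller. The literal 32 in memset(extra, 0, 32) in the else branch would also read better as a named SSID size constant.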
[parent not found: <1260982667.2179.9.camel@localhost.localdomain>]
* Re: [PATCH] Libertas: fix buffer overflow in lbs_get_essid()
       [not found] ` <1260982667.2179.9.camel@localhost.localdomain>
@ 2009-12-16 23:15 ` Daniel Mack
  2009-12-17 1:01 ` John W. Linville
  0 siblings, 1 reply; 4+ messages in thread
From: Daniel Mack @ 2009-12-16 23:15 UTC (permalink / raw)
  To: Dan Williams
  Cc: linux-kernel, Holger Schurig, John W. Linville, Stephen Hemminger,
      Maithili Hinge, Kiran Divekar, Michael Hirsch, netdev,
      libertas-dev, linux-wireless, stable

On Wed, Dec 16, 2009 at 08:57:47AM -0800, Dan Williams wrote:
> On Wed, 2009-12-16 at 05:12 +0100, Daniel Mack wrote:
> > The libertas driver copies the SSID buffer back to the wireless core and
> > appends a trailing NULL character for termination. This is
> >
> > a) unnecessary because the buffer is allocated with kzalloc and is hence
> > already NULLed when this function is called, and
> >
> > b) for priv->curbssparams.ssid_len == 32, it writes back one byte too
> > much which causes memory corruptions.
> >
> > Fix this by removing the extra write.
>
> Acked-by: Dan Williams <dcbw@redhat.com>

Thanks, everyone. Who will care to pick and queue this one?

Daniel

> > Signed-off-by: Daniel Mack <daniel@caiaq.de>
> > Cc: Dan Williams <dcbw@redhat.com>
> > Cc: Holger Schurig <holgerschurig@gmail.com>
> > Cc: John W. Linville <linville@tuxdriver.com>
> > Cc: Stephen Hemminger <shemminger@vyatta.com>
> > Cc: Maithili Hinge <maithili@marvell.com>
> > Cc: Kiran Divekar <dkiran@marvell.com>
> > Cc: Michael Hirsch <m.hirsch@raumfeld.com>
> > Cc: netdev@vger.kernel.org
> > Cc: libertas-dev@lists.infradead.org
> > Cc: linux-wireless@lists.infradead.org
> > Cc: stable@kernel.org
> > ---
> > drivers/net/wireless/libertas/wext.c | 2 --
> > 1 files changed, 0 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/net/wireless/libertas/wext.c b/drivers/net/wireless/libertas/wext.c > > index be837a0..01c738b 100644 > > --- a/drivers/net/wireless/libertas/wext.c > > +++ b/drivers/net/wireless/libertas/wext.c
> > @@ -1953,10 +1953,8 @@ static int lbs_get_essid(struct net_device *dev, struct iw_request_info *info, > > if (priv->connect_status == LBS_CONNECTED) { > > memcpy(extra, priv->curbssparams.ssid, > > priv->curbssparams.ssid_len); > > - extra[priv->curbssparams.ssid_len] = '\0'; > > } else { > > memset(extra, 0, 32); > > - extra[priv->curbssparams.ssid_len] = '\0'; > > } > > /* > > * If none, we may want to get the one that was set > ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] Libertas: fix buffer overflow in lbs_get_essid()
  2009-12-16 23:15 ` Daniel Mack
@ 2009-12-17 1:01 ` John W. Linville
  2009-12-17 1:19 ` Dan Williams
  0 siblings, 1 reply; 4+ messages in thread
From: John W. Linville @ 2009-12-17 1:01 UTC (permalink / raw)
  To: Daniel Mack
  Cc: Dan Williams, linux-kernel, Holger Schurig, Stephen Hemminger,
      Maithili Hinge, Kiran Divekar, Michael Hirsch, netdev,
      libertas-dev, linux-wireless, stable

On Thu, Dec 17, 2009 at 07:15:08AM +0800, Daniel Mack wrote:
> On Wed, Dec 16, 2009 at 08:57:47AM -0800, Dan Williams wrote:
> > On Wed, 2009-12-16 at 05:12 +0100, Daniel Mack wrote:
> > > The libertas driver copies the SSID buffer back to the wireless core and
> > > appends a trailing NULL character for termination. This is
> > >
> > > a) unnecessary because the buffer is allocated with kzalloc and is hence
> > > already NULLed when this function is called, and
> > >
> > > b) for priv->curbssparams.ssid_len == 32, it writes back one byte too
> > > much which causes memory corruptions.
> > >
> > > Fix this by removing the extra write.
> >
> > Acked-by: Dan Williams <dcbw@redhat.com>
>
> Thanks, everyone. Who will care to pick and queue this one?

Is there some reason it wouldn't be me?

John
--
John W. Linville                Someday the world will need a hero, and you
linville@tuxdriver.com          might be all we have. Be ready.

^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] Libertas: fix buffer overflow in lbs_get_essid()
  2009-12-17 1:01 ` John W. Linville
@ 2009-12-17 1:19 ` Dan Williams
  0 siblings, 0 replies; 4+ messages in thread
From: Dan Williams @ 2009-12-17 1:19 UTC (permalink / raw)
  To: John W. Linville
  Cc: Daniel Mack, linux-kernel, Holger Schurig, Stephen Hemminger,
      Maithili Hinge, Kiran Divekar, Michael Hirsch, netdev,
      libertas-dev, linux-wireless, stable

On Wed, 2009-12-16 at 20:01 -0500, John W. Linville wrote:
> On Thu, Dec 17, 2009 at 07:15:08AM +0800, Daniel Mack wrote:
> > On Wed, Dec 16, 2009 at 08:57:47AM -0800, Dan Williams wrote:
> > > On Wed, 2009-12-16 at 05:12 +0100, Daniel Mack wrote:
> > > > The libertas driver copies the SSID buffer back to the wireless core and
> > > > appends a trailing NULL character for termination. This is
> > > >
> > > > a) unnecessary because the buffer is allocated with kzalloc and is hence
> > > > already NULLed when this function is called, and
> > > >
> > > > b) for priv->curbssparams.ssid_len == 32, it writes back one byte too
> > > > much which causes memory corruptions.
> > > >
> > > > Fix this by removing the extra write.
> > >
> > > Acked-by: Dan Williams <dcbw@redhat.com>
> >
> > Thanks, everyone. Who will care to pick and queue this one?
>
> Is there some reason it wouldn't be me?

No, it should be you. Please suck it into your 2.6.33 patchset and
we'll cc to stable when it hits Linus I guess.

Dan

^ permalink raw reply [flat|nested] 4+ messages in thread