From: Pavel Roskin <proski@gnu.org>
To: netdev@vger.kernel.org
Cc: hostap@shmoo.com
Subject: [PATCH FIXED] hostap_plx: fix CIS verification
Date: Tue, 24 Oct 2006 22:41:27 -0400
Message-ID: <1161744087.29939.11.camel@dv>
In-Reply-To: <20061025023119.GB6121@jm.kir.nu>
hostap_plx: fix two related off-by-one errors in CIS parser
From: Pavel Roskin <proski@gnu.org>
The length of the manfid CIS should be at least 4, and it's normally 4.
It's incorrect to require it to be at least 5. This breaks support for
most (if not all) cards.
The right place to ensure that we don't access beyond the CIS buffer is
to strengthen another check. Make sure that the next tuple begins at
least at the CIS buffer end (in which case we stop processing) or
before that.
Reported by ph35sm@free.fr
Signed-off-by: Pavel Roskin <proski@gnu.org>
---
I'd like to remind that it's 2.6.x.y material.
drivers/net/wireless/hostap/hostap_plx.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/hostap/hostap_plx.c b/drivers/net/wireless/hostap/hostap_plx.c
index 6dfa041..bc81b13 100644
--- a/drivers/net/wireless/hostap/hostap_plx.c
+++ b/drivers/net/wireless/hostap/hostap_plx.c
@@ -364,7 +364,7 @@ #define CIS_MAX_LEN 256
pos = 0;
while (pos < CIS_MAX_LEN - 1 && cis[pos] != CISTPL_END) {
- if (pos + cis[pos + 1] >= CIS_MAX_LEN)
+ if (pos + 2 + cis[pos + 1] > CIS_MAX_LEN)
goto cis_error;
switch (cis[pos]) {
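Review bot: In the new bounds check at the top of the while loop, the literal 2 in `pos + 2 + cis[pos + 1] > CIS_MAX_LEN` stands for the tuple header (code byte plus length byte), and nothing in the surrounding lines says so. A short comment stating that a tuple may end exactly at CIS_MAX_LEN but not beyond it would explain why the comparison changed from >= to > and make the next off-by-one harder to reintroduce. The statement that advances pos is outside this hunk; it should use the same pos + 2 + length expression so that the check and the advance cannot drift apart.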
@@ -391,7 +391,7 @@ #define CIS_MAX_LEN 256
break;
case CISTPL_MANFID:
- if (cis[pos + 1] < 5)
+ if (cis[pos + 1] < 4)
goto cis_error;
manfid1 = cis[pos + 2] + (cis[pos + 3] << 8);
manfid2 = cis[pos + 4] + (cis[pos + 5] << 8);
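Review bot: The relaxed minimum in the CISTPL_MANFID case is only safe because of the tightened check at the top of the loop: with a length byte of 4 the two assignments read cis[pos + 2] through cis[pos + 5], and it is `pos + 2 + cis[pos + 1] > CIS_MAX_LEN` that keeps pos + 5 inside the buffer. That dependency is not visible at this site, so a one-line comment here pointing at the loop-level check would help, and a named constant for the 4 (two 16-bit IDs) would read better than the bare number.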
--
Regards,
Pavel Roskin
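
The bounds rule described in the commit message, written out as a stand-alone tuple walker. This is an added example, not the driver's code and not part of the patch; the function name `cis_find_manfid`, its return codes, the way it advances `pos`, and the sample buffers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Standard PCMCIA tuple codes, the same names the patch uses. */
#define CISTPL_MANFID 0x20
#define CISTPL_END    0xFF

/* Hypothetical helper: 0 = manfid found, 1 = not present, -1 = malformed CIS. */
int cis_find_manfid(const uint8_t *cis, size_t len, uint16_t *id1, uint16_t *id2)
{
    size_t pos = 0;

    while (pos + 1 < len && cis[pos] != CISTPL_END) {
        size_t body = cis[pos + 1];

        /* Header (code byte + length byte) plus body must fit in the buffer.
         * The next tuple may start exactly at len, so the test is '>'. */
        if (pos + 2 + body > len)
            return -1;

        if (cis[pos] == CISTPL_MANFID) {
            if (body < 4)          /* two 16-bit little-endian IDs */
                return -1;
            /* Reads pos+2 .. pos+5, all proven in bounds by the check above. */
            *id1 = (uint16_t)(cis[pos + 2] | (cis[pos + 3] << 8));
            *id2 = (uint16_t)(cis[pos + 4] | (cis[pos + 5] << 8));
            return 0;
        }
        pos += 2 + body;           /* same expression as the bounds check */
    }
    return 1;
}

/* Constructed sample buffers (not taken from a real card). */
/* manfid body is 4 bytes and ends exactly at the buffer end */
static const uint8_t cis_ok[]    = { 0x21, 0x02, 0x06, 0x00,
                                     0x20, 0x04, 0x0b, 0x01, 0x02, 0x00 };
/* claims 4 body bytes but only 3 are present */
static const uint8_t cis_trunc[] = { 0x20, 0x04, 0x0b, 0x01, 0x02 };
/* body fits in the buffer but is too short for a manfid */
static const uint8_t cis_short[] = { 0x20, 0x03, 0x00, 0x00, 0x00, 0xFF };
/* no manfid tuple before the end marker */
static const uint8_t cis_none[]  = { 0x21, 0x02, 0x06, 0x00, 0xFF };

int main(void)
{
    uint16_t a, b;
    return cis_find_manfid(cis_ok, sizeof cis_ok, &a, &b);
}
```

With the pre-patch comparison (`pos + length >= len`), `cis_trunc` would pass the loop-level check, since 0 + 4 is less than 5, and a 4-byte manfid minimum would then read one byte past the buffer.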