author | Greg Kroah-Hartman <gregkh@suse.de> | 2011-06-06 15:16:04 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-06-06 15:16:04 -0700 |
commit | 1ae92e7304856fa3aa8baf8acc9e73378a80f72a (patch) | |
tree | 1584198fcbd82cf439f457add78bcedc38b9592d | |
parent | 94766e8deb6585c236f813afe492b980b2b75fdc (diff) | |
download | stable-queue-1ae92e7304856fa3aa8baf8acc9e73378a80f72a.tar.gz |
.39 patches
-rw-r--r-- | queue-2.6.39/nl80211-fix-check-for-valid-ssid-size-in-scan-operations.patch | 44 | ||||
-rw-r--r-- | queue-2.6.39/series | 1 |
2 files changed, 45 insertions, 0 deletions
diff --git a/queue-2.6.39/nl80211-fix-check-for-valid-ssid-size-in-scan-operations.patch b/queue-2.6.39/nl80211-fix-check-for-valid-ssid-size-in-scan-operations.patch
new file mode 100644
index 0000000000..9d3dfa555c
--- /dev/null
+++ b/queue-2.6.39/nl80211-fix-check-for-valid-ssid-size-in-scan-operations.patch
@@ -0,0 +1,44 @@
+From 208c72f4fe44fe09577e7975ba0e7fa0278f3d03 Mon Sep 17 00:00:00 2001
+From: Luciano Coelho <coelho@ti.com>
+Date: Thu, 19 May 2011 00:43:38 +0300
+Subject: nl80211: fix check for valid SSID size in scan operations
+
+From: Luciano Coelho <coelho@ti.com>
+
+commit 208c72f4fe44fe09577e7975ba0e7fa0278f3d03 upstream.
+
+In both trigger_scan and sched_scan operations, we were checking for
+the SSID length before assigning the value correctly. Since the
+memory was just kzalloc'ed, the check was always failing and SSID with
+over 32 characters were allowed to go through.
+
+This was causing a buffer overflow when copying the actual SSID to the
+proper place.
+
+This bug has been there since 2.6.29-rc4.
+
+Signed-off-by: Luciano Coelho <coelho@ti.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ net/wireless/nl80211.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -3239,12 +3239,12 @@ static int nl80211_trigger_scan(struct s
+ i = 0;
+ if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
+ nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
++ request->ssids[i].ssid_len = nla_len(attr);
+ if (request->ssids[i].ssid_len > IEEE80211_MAX_SSID_LEN) {
+ err = -EINVAL;
+ goto out_free;
+ }
+ memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
+- request->ssids[i].ssid_len = nla_len(attr);
+ i++;
+ }
+ }
diff --git a/queue-2.6.39/series b/queue-2.6.39/series
index ed15c6b3bf..090fd70685 100644
--- a/queue-2.6.39/series
+++ b/queue-2.6.39/series
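Review bot: The length check inside `nla_for_each_nested` in nl80211_trigger_scan now tests `request->ssids[i].ssid_len` after storing `nla_len(attr)` into it, while the `memcpy` below it still copies `nla_len(attr)` bytes, so the value checked and the value used for the copy can differ. If `ssid_len` is narrower than the `int` that `nla_len()` returns (the struct definition is not visible here; it appears to be a `u8`), an attribute longer than 255 bytes is truncated on assignment, passes the check, and the copy can still overrun `ssid`. Comparing the attribute length itself, `if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {`, and assigning `ssid_len` only after that check closes the gap. The function body starts and ends outside the hunk.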
@@ -29,3 +29,4 @@ serial-core-remove-uart_update_termios.patch
 pci-set-pcie-maxpayload-for-card-during-hotplug-insertion.patch
 powerpc-fix-32-bit-smp-build.patch
 asus-wmi-remove-__init-from-asus_wmi_platform_init.patch
+nl80211-fix-check-for-valid-ssid-size-in-scan-operations.patch |