--- /dev/null
+From 208c72f4fe44fe09577e7975ba0e7fa0278f3d03 Mon Sep 17 00:00:00 2001
+From: Luciano Coelho <coelho@ti.com>
+Date: Thu, 19 May 2011 00:43:38 +0300
+Subject: nl80211: fix check for valid SSID size in scan operations
+
+From: Luciano Coelho <coelho@ti.com>
+
+commit 208c72f4fe44fe09577e7975ba0e7fa0278f3d03 upstream.
+
+In both trigger_scan and sched_scan operations, we were checking for
+the SSID length before assigning the value correctly. Since the
+memory was just kzalloc'ed, the check was always failing and SSID with
+over 32 characters were allowed to go through.
+
+This was causing a buffer overflow when copying the actual SSID to the
+proper place.
+
+This bug has been there since 2.6.29-rc4.
+
+Signed-off-by: Luciano Coelho <coelho@ti.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ net/wireless/nl80211.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -3239,12 +3239,12 @@ static int nl80211_trigger_scan(struct s
+ i = 0;
+ if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
+ nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
++ request->ssids[i].ssid_len = nla_len(attr);
+ if (request->ssids[i].ssid_len > IEEE80211_MAX_SSID_LEN) {
+ err = -EINVAL;
+ goto out_free;
+ }
+ memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
+- request->ssids[i].ssid_len = nla_len(attr);
+ i++;
+ }
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
