From: Greg Kroah-Hartman
Date: Mon, 6 Jun 2011 22:16:04 +0000 (-0700)
Subject: .39 patches
X-Git-Tag: v2.6.39.2~9
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1ae92e7304856fa3aa8baf8acc9e73378a80f72a;p=thirdparty%2Fkernel%2Fstable-queue.git
.39 patches
---
diff --git a/queue-2.6.39/nl80211-fix-check-for-valid-ssid-size-in-scan-operations.patch b/queue-2.6.39/nl80211-fix-check-for-valid-ssid-size-in-scan-operations.patch
new file mode 100644
index 00000000000..9d3dfa555c7
--- /dev/null
+++ b/queue-2.6.39/nl80211-fix-check-for-valid-ssid-size-in-scan-operations.patch
@@ -0,0 +1,44 @@
+From 208c72f4fe44fe09577e7975ba0e7fa0278f3d03 Mon Sep 17 00:00:00 2001
+From: Luciano Coelho
+Date: Thu, 19 May 2011 00:43:38 +0300
+Subject: nl80211: fix check for valid SSID size in scan operations
+
+From: Luciano Coelho
+
+commit 208c72f4fe44fe09577e7975ba0e7fa0278f3d03 upstream.
+
+In both trigger_scan and sched_scan operations, we were checking for
+the SSID length before assigning the value correctly. Since the
+memory was just kzalloc'ed, the check was always failing and SSID with
+over 32 characters were allowed to go through.
+
+This was causing a buffer overflow when copying the actual SSID to the
+proper place.
+
+This bug has been there since 2.6.29-rc4.
+
+Signed-off-by: Luciano Coelho
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ net/wireless/nl80211.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -3239,12 +3239,12 @@ static int nl80211_trigger_scan(struct s
+ i = 0;
+ if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
+ nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
++ request->ssids[i].ssid_len = nla_len(attr);
+ if (request->ssids[i].ssid_len > IEEE80211_MAX_SSID_LEN) {
+ err = -EINVAL;
+ goto out_free;
+ }
+ memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
+- request->ssids[i].ssid_len = nla_len(attr);
+ i++;
+ }
+ }
diff --git a/queue-2.6.39/series b/queue-2.6.39/series
index ed15c6b3bfe..090fd706856 100644
--- a/queue-2.6.39/series
+++ b/queue-2.6.39/series
@@ -29,3 +29,4 @@ serial-core-remove-uart_update_termios.patch
 pci-set-pcie-maxpayload-for-card-during-hotplug-insertion.patch
 powerpc-fix-32-bit-smp-build.patch
 asus-wmi-remove-__init-from-asus_wmi_platform_init.patch
+nl80211-fix-check-for-valid-ssid-size-in-scan-operations.patch
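Review bot: In the queued nl80211_trigger_scan hunk the bound check reads the stored `request->ssids[i].ssid_len`, while the `memcpy` a few lines later still copies `nla_len(attr)` bytes, so the check and the copy are not guaranteed to see the same number. If `ssid_len` is declared narrower than the int returned by `nla_len()` (the struct is outside this hunk, so confirm), an oversized attribute can be truncated on the store and slip under `IEEE80211_MAX_SSID_LEN`. Testing the attribute length itself, `if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {`, and leaving the assignment after the `memcpy` keeps an unvalidated length out of the request. The commit message also names sched_scan, but the diffstat shows a single changed line in trigger_scan; a one-line backport note saying why the other site is absent in 2.6.39 would help. The function body continues outside the hunk.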