Commit 7a081ea2 authored by Dan Carpenter Committed by Greg Kroah-Hartman

staging: r8188eu: memory corruption handling long ssids

We should cap the SSID length at NDIS_802_11_LENGTH_SSID (32) characters
to avoid memory corruption.  If the SSID is too long then I have opted
to ignore it instead of truncating it.

We don't need to clear bssid->Ssid.Ssid[0] because this struct is
allocated with rtw_zmalloc().
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent d3a874e8
...@@ -912,12 +912,12 @@ int rtw_check_bcn_info(struct adapter *Adapter, u8 *pframe, u32 packet_len) ...@@ -912,12 +912,12 @@ int rtw_check_bcn_info(struct adapter *Adapter, u8 *pframe, u32 packet_len)
unsigned char *pbuf; unsigned char *pbuf;
u32 wpa_ielen = 0; u32 wpa_ielen = 0;
u8 *pbssid = GetAddr3Ptr(pframe); u8 *pbssid = GetAddr3Ptr(pframe);
u32 hidden_ssid = 0;
struct HT_info_element *pht_info = NULL; struct HT_info_element *pht_info = NULL;
struct rtw_ieee80211_ht_cap *pht_cap = NULL; struct rtw_ieee80211_ht_cap *pht_cap = NULL;
u32 bcn_channel; u32 bcn_channel;
unsigned short ht_cap_info; unsigned short ht_cap_info;
unsigned char ht_info_infos_0; unsigned char ht_info_infos_0;
int ssid_len;
if (is_client_associated_to_ap(Adapter) == false) if (is_client_associated_to_ap(Adapter) == false)
return true; return true;
...@@ -999,21 +999,15 @@ int rtw_check_bcn_info(struct adapter *Adapter, u8 *pframe, u32 packet_len) ...@@ -999,21 +999,15 @@ int rtw_check_bcn_info(struct adapter *Adapter, u8 *pframe, u32 packet_len)
} }
/* checking SSID */ /* checking SSID */
ssid_len = 0;
p = rtw_get_ie(bssid->IEs + _FIXED_IE_LENGTH_, _SSID_IE_, &len, bssid->IELength - _FIXED_IE_LENGTH_); p = rtw_get_ie(bssid->IEs + _FIXED_IE_LENGTH_, _SSID_IE_, &len, bssid->IELength - _FIXED_IE_LENGTH_);
if (p == NULL) { if (p) {
DBG_88E("%s marc: cannot find SSID for survey event\n", __func__); ssid_len = *(p + 1);
hidden_ssid = true; if (ssid_len > NDIS_802_11_LENGTH_SSID)
} else { ssid_len = 0;
hidden_ssid = false;
}
if ((NULL != p) && (false == hidden_ssid && (*(p + 1)))) {
memcpy(bssid->Ssid.Ssid, (p + 2), *(p + 1));
bssid->Ssid.SsidLength = *(p + 1);
} else {
bssid->Ssid.SsidLength = 0;
bssid->Ssid.Ssid[0] = '\0';
} }
memcpy(bssid->Ssid.Ssid, (p + 2), ssid_len);
bssid->Ssid.SsidLength = ssid_len;
RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("%s bssid.Ssid.Ssid:%s bssid.Ssid.SsidLength:%d " RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("%s bssid.Ssid.Ssid:%s bssid.Ssid.SsidLength:%d "
"cur_network->network.Ssid.Ssid:%s len:%d\n", __func__, bssid->Ssid.Ssid, "cur_network->network.Ssid.Ssid:%s len:%d\n", __func__, bssid->Ssid.Ssid,
......
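Review bot: The new `memcpy(bssid->Ssid.Ssid, (p + 2), ssid_len);` runs even when `rtw_get_ie()` returned NULL, so its source argument is computed from a NULL pointer and is harmless only because `ssid_len` is 0 on that path; guarding it with `if (ssid_len) memcpy(bssid->Ssid.Ssid, p + 2, ssid_len);` makes that explicit. The cap protects the destination only: the length is read from `*(p + 1)` in a received frame rather than from `len`, and whether `rtw_get_ie()` has already checked that the element fits inside `bssid->IELength` is not visible here, so the source side of the copy is worth confirming. If `Ssid.Ssid` is exactly NDIS_802_11_LENGTH_SSID bytes (its declaration is not shown on this page), a maximum-length SSID leaves no terminator for the `%s` in the RT_TRACE that follows, where `%.*s` bounded by `SsidLength` would be safer. The body of rtw_check_bcn_info starts and ends outside the hunks shown.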