[PATCH] wireless: wext: allocate space for NULL-termination for 32byte SSIDs
Daniel Mack
daniel at caiaq.de
Tue Dec 15 22:58:44 EST 2009
On Tue, Dec 15, 2009 at 11:03:31AM +0100, Johannes Berg wrote:
>
> > > - /* kzalloc() ensures NULL-termination for essid_compat. */
> > > - extra = kzalloc(extra_size, GFP_KERNEL);
> > > + /* kzalloc() +1 ensures NULL-termination for essid_compat. */
> > > + extra = kzalloc(extra_size + 1, GFP_KERNEL);
>
> That doesn't seem correct.
>
> If this is used in a SET, then it is purely an in-kernel thing and
> everything in the kernel is passed the length + data, and the kernel
> MUST NEVER treat the SSID as a NUL-terminated string.
>
> If this is used in a GET, then it will be filled up to 32 bytes by the
> get handler, and the trailing \0 your patch reserves will never be
> copied into userspace.
The problem is the GET case. The libertas driver copies ssid_len
characters here and appends a trailing \0, which my patch caught now and
which caused memory corruption in before.
More information about the libertas-dev
mailing list