Subject: kern/18089: in wi(4) HostAP minor bug and inscrutable use of constants
To: None <gnats-bugs@gnats.netbsd.org>
From: None <dyoung@frieda.onthejob.net>
List: netbsd-bugs
Date: 08/27/2002 17:36:30
>Number: 18089
>Category: kern
>Synopsis: in wi(4) HostAP minor bug and inscrutable use of constants
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Aug 27 16:08:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: David Young (dyoung@ojctech.com)
>Release: NetBSD 1.6F 2002/08/11
>Organization:
OJC Technologies * Urbana, IL 61801 * (217) 278-3933
>Environment:
System: NetBSD frieda.onthejob.net 1.5ZC NetBSD 1.5ZC (dyoung_wi) #28: Mon Jun 3 23:11:03 CDT 2002 dyoung@noam.onthejob.net:/home/dyoung/anoncvs/src/sys/arch/i386/compile/dyoung_wi i386
Architecture: i386
Machine: i386
>Description:
1. wi_hostap.c will copy a malformed LTV past the end of a
   struct ieee80211_nwid and clobber something.

2. Using the following inscrutable code, wi_hostap.c defies
   readers who would verify the 'length' argument to wi_mgmt_xmit.

       wi_mgmt_xmit(sc, (caddr_t)&sc->wi_txbuf,
           6 + sizeof(struct wi_80211_hdr) +
           (challenge_len > 0 ? challenge_len + 2 : 0));

   Impatient, skeptical readers will prefer the uniform use
   of the following code, which is concise, and which permits
   easy verification:

       wi_mgmt_xmit(sc, (caddr_t)&sc->wi_txbuf,
           pkt - (caddr_t)&sc->wi_txbuf);
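As an added illustration of item 1 (this is not code from the wi(4) driver or from the report): a simplified stand-in for take_tlv() and the struct ieee80211_nwid layout assumed from NetBSD's ieee80211.h (a one-byte i_len followed by a 32-byte i_nwid), showing why the bound passed to take_tlv() must be sizeof(ssid.i_nwid) and not sizeof(ssid). The element id value, the helper's signature and the SSID bytes are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

#define IEEE80211_NWID_LEN    32
#define IEEE80211_ELEMID_SSID 0

/* Layout assumed from NetBSD's ieee80211.h: a length byte, then the SSID bytes. */
struct ieee80211_nwid {
	uint8_t i_len;
	uint8_t i_nwid[IEEE80211_NWID_LEN];
};

/* Stand-in for take_tlv(): if the next element carries id and its value fits in
 * maxlen bytes, copy it to buf and return its length; otherwise return -1 and
 * leave buf alone.  maxlen is all that keeps the memcpy inside buf, so it must
 * be the size of the destination array, not of the struct that contains it. */
static int take_tlv(uint8_t **pkt, int *len, uint8_t id, void *buf, int maxlen)
{
	uint8_t *p = *pkt;
	int vlen;
	if (*len < 2 || p[0] != id || (vlen = p[1]) > maxlen || *len < 2 + vlen)
		return -1;
	memcpy(buf, p + 2, vlen);
	*pkt = p + 2 + vlen;
	*len -= 2 + vlen;
	return vlen;
}

/* By how many bytes the old bound, sizeof(ssid), exceeds the i_nwid array: one,
 * so a 33-byte SSID element passed the check and its last byte landed past it. */
int old_bound_slack(void)
{
	return (int)(sizeof(struct ieee80211_nwid) - IEEE80211_NWID_LEN);
}

/* Parse a constructed SSID element of n bytes the way the fixed hunk does;
 * return the length stored in i_len, or -1 when take_tlv() refuses it. */
int parse_probe_ssid(int n)
{
	uint8_t frame[2 + 255], *pkt = frame;
	struct ieee80211_nwid ssid;
	int len = 2 + n, ssid_len;
	frame[0] = IEEE80211_ELEMID_SSID; frame[1] = (uint8_t)n;
	memset(frame + 2, 'A', n);			/* constructed SSID bytes */
	if ((ssid_len = take_tlv(&pkt, &len, IEEE80211_ELEMID_SSID,
	    ssid.i_nwid, sizeof(ssid.i_nwid))) < 0)
		return -1;
	ssid.i_len = ssid_len;
	return ssid.i_len;
}
```

With the bound from the patch a 33-byte element is refused, whereas the old sizeof(ssid) bound (33) let it through and the copy ran one byte past the end of the struct.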
>How-To-Repeat:
Read the source.
>Fix:
Apply this patch.
Index: wi_hostap.c
===================================================================
RCS file: /cvsroot/syssrc/sys/dev/ic/wi_hostap.c,v
retrieving revision 1.1
diff -c -r1.1 wi_hostap.c
*** wi_hostap.c 2002/08/11 06:13:53 1.1
--- wi_hostap.c 2002/08/27 22:44:08
***************
*** 229,236 ****
put_hword(&pkt, reason);
! wi_mgmt_xmit(sc, (caddr_t)&sc->wi_txbuf,
! 2 + sizeof(struct wi_80211_hdr));
}
/* wihap_sta_deauth()
--- 229,235 ----
put_hword(&pkt, reason);
! wi_mgmt_xmit(sc, (caddr_t)&sc->wi_txbuf, pkt - (caddr_t)&sc->wi_txbuf);
}
/* wihap_sta_deauth()
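Review bot: the pointer-difference length on the `!` line is only right if every helper that writes into wi_txbuf also advances pkt, which put_hword(&pkt, reason) does by taking &pkt; the commit message should say that the frame starts at (caddr_t)&sc->wi_txbuf, so the difference covers the 802.11 header as well as the two-byte body that the old `2 + sizeof(struct wi_80211_hdr)` counted. Style: the new call is about 70 characters before indentation, so at the same depth as the put_hword line above it it will run past 80 columns; keep the two-line form of the original.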
***************
*** 259,266 ****
put_hword(&pkt, reason);
! wi_mgmt_xmit(sc, (caddr_t)&sc->wi_txbuf,
! 2 + sizeof(struct wi_80211_hdr));
}
/* wihap_shutdown()
--- 258,264 ----
put_hword(&pkt, reason);
! wi_mgmt_xmit(sc, (caddr_t)&sc->wi_txbuf, pkt - (caddr_t)&sc->wi_txbuf);
}
/* wihap_shutdown()
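Review bot: this is the same replacement as in the disassoc hunk above, and the patch repeats the expression at five call sites; a small helper or macro that computes the bytes written so far from sc and pkt (a hypothetical wi_txbuf_len(sc, pkt), say) would keep the arithmetic in one place and make a future change to the frame buffer a one-line edit.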
***************
*** 656,664 ****
put_tlv(&pkt, IEEE80211_ELEMID_CHALLENGE,
challenge, challenge_len);
! wi_mgmt_xmit(sc, (caddr_t)&sc->wi_txbuf,
! 6 + sizeof(struct wi_80211_hdr) +
! (challenge_len > 0 ? challenge_len + 2 : 0));
}
--- 654,660 ----
put_tlv(&pkt, IEEE80211_ELEMID_CHALLENGE,
challenge, challenge_len);
! wi_mgmt_xmit(sc, (caddr_t)&sc->wi_txbuf, pkt - (caddr_t)&sc->wi_txbuf);
}
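Review bot: this hunk is not obviously behaviour-preserving when challenge_len is 0. The old expression counted no bytes at all for the challenge element, while the new pointer difference counts whatever put_tlv(&pkt, IEEE80211_ELEMID_CHALLENGE, challenge, challenge_len) actually wrote; if put_tlv emits the two-byte element header for a zero-length value, the frame grows by two bytes and now carries an empty challenge element. Either confirm that put_tlv writes nothing for challenge_len == 0, or guard the put_tlv call with `if (challenge_len > 0)` so the intent is explicit in the code rather than in a constant.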
***************
*** 700,706 ****
}
if ((ssid_len = take_tlv(&pkt, &len, IEEE80211_ELEMID_SSID,
! ssid.i_nwid, sizeof(ssid)))<0)
return;
ssid.i_len = ssid_len;
if ((rates_len = take_tlv(&pkt, &len, IEEE80211_ELEMID_RATES,
--- 696,702 ----
}
if ((ssid_len = take_tlv(&pkt, &len, IEEE80211_ELEMID_SSID,
! ssid.i_nwid, sizeof(ssid.i_nwid)))<0)
return;
ssid.i_len = ssid_len;
if ((rates_len = take_tlv(&pkt, &len, IEEE80211_ELEMID_RATES,
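Review bot: this is the real fix in the patch and deserves to be called out (and ideally committed separately from the length cleanups): take_tlv() was told it could write sizeof(ssid) bytes into ssid.i_nwid, but struct ieee80211_nwid also holds the i_len byte assigned two lines below, so an SSID element one byte longer than the i_nwid array passed the check and the copy ran past the end of the struct. With sizeof(ssid.i_nwid) as the bound the oversized element takes the `return` path instead. The `))<0)` spacing predates the patch, but since the line is being touched KNF would write `)) < 0)`.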
***************
*** 800,807 ****
put_hword(&pkt, asid);
rates_len = put_rates(&pkt, sc->wi_supprates);
! wi_mgmt_xmit(sc, (caddr_t)&sc->wi_txbuf,
! 8 + rates_len + sizeof(struct wi_80211_hdr));
}
/* wihap_deauth_req()
--- 796,802 ----
put_hword(&pkt, asid);
rates_len = put_rates(&pkt, sc->wi_supprates);
! wi_mgmt_xmit(sc, (caddr_t)&sc->wi_txbuf, pkt - (caddr_t)&sc->wi_txbuf);
}
/* wihap_deauth_req()
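Review bot: after this change rates_len is assigned from put_rates() on the line above but is no longer read in the visible context; if nothing else in the function uses it, drop the variable and keep a bare put_rates(&pkt, sc->wi_supprates) call so it does not become a set-but-unused warning. Worth a sentence in the commit message: the old `8 + rates_len + sizeof(struct wi_80211_hdr)` folded the rates element's framing into the constant, so whether put_rates() returns the count with or without its two-byte element header mattered; the pointer difference no longer depends on that.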
>Release-Note:
>Audit-Trail:
>Unformatted: