Source-Changes-HG archive


[src/trunk]: src/sys/net80211 Apply patch from FreeBSD-SA-06:05. This avoids ...



details:   https://anonhg.NetBSD.org/src/rev/99c99729214f
branches:  trunk
changeset: 587287:99c99729214f
user:      christos <christos%NetBSD.org@localhost>
date:      Wed Jan 18 14:01:16 2006 +0000

description:
Apply patch from FreeBSD-SA-06:05. This avoids the overflow during the
length calculation phase instead of just growing the buffer like the older
patch did. I am leaving the bigger buffer too for now since it does not hurt.

diffstat:

 sys/net80211/ieee80211_ioctl.c |  24 ++++++++++++++++++------
 1 files changed, 18 insertions(+), 6 deletions(-)

diffs (60 lines):

diff -r e45a4c40867d -r 99c99729214f sys/net80211/ieee80211_ioctl.c
--- a/sys/net80211/ieee80211_ioctl.c    Wed Jan 18 13:39:05 2006 +0000
+++ b/sys/net80211/ieee80211_ioctl.c    Wed Jan 18 14:01:16 2006 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ieee80211_ioctl.c,v 1.27 2006/01/13 19:30:06 christos Exp $    */
+/*     $NetBSD: ieee80211_ioctl.c,v 1.28 2006/01/18 14:01:16 christos Exp $    */
 /*-
  * Copyright (c) 2001 Atsushi Onoe
  * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting
@@ -36,7 +36,7 @@
 __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_ioctl.c,v 1.35 2005/08/30 14:27:47 avatar Exp $");
 #endif
 #ifdef __NetBSD__
-__KERNEL_RCSID(0, "$NetBSD: ieee80211_ioctl.c,v 1.27 2006/01/13 19:30:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ieee80211_ioctl.c,v 1.28 2006/01/18 14:01:16 christos Exp $");
 #endif
 
 /*
@@ -1000,13 +1000,25 @@
        const struct ieee80211_node *ni)
 {
        struct ieee80211com *ic = ni->ni_ic;
+       u_int ielen = 0;
 
        memset(sr, 0, sizeof(*sr));
        sr->isr_ssid_len = ni->ni_esslen;
        if (ni->ni_wpa_ie != NULL)
-               sr->isr_ie_len += 2+ni->ni_wpa_ie[1];
+               ielen += 2+ni->ni_wpa_ie[1];
        if (ni->ni_wme_ie != NULL)
-               sr->isr_ie_len += 2+ni->ni_wme_ie[1];
+               ielen += 2+ni->ni_wme_ie[1];
+
+       /*
+        * The value sr->isr_ie_len is defined as a uint8_t, so we
+        * need to be careful to avoid an integer overflow.  If the
+        * value would overflow, we will set isr_ie_len to zero, and
+        * ieee80211_ioctl_getscanresults (below) will avoid copying
+        * the (overflowing) data.
+        */
+       if (ielen > 255)
+               ielen = 0;
+       sr->isr_ie_len = ielen;
        sr->isr_len = sizeof(*sr) + sr->isr_ssid_len + sr->isr_ie_len;
        sr->isr_len = roundup(sr->isr_len, sizeof(u_int32_t));
        if (ni->ni_chan != IEEE80211_CHAN_ANYC) {
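Review bot: The guard `if (ielen > 255)` hard-codes the width of `sr->isr_ie_len`, which the comment just above it describes as a `uint8_t`; writing it as `if (ielen > UINT8_MAX)` ties the bound to the type it protects, so the check stays correct if the field is ever widened and the reader does not have to cross-check the struct definition. The sum itself is safe in `u_int` assuming each `ni_*_ie[1]` is a single byte (at most 257 per IE), but that assumption is not visible in the hunk, so it is worth a short note on the `u_int ielen = 0;` declaration such as `/* wide enough for both IE lengths; only the uint8_t result field can overflow */`. The enclosing function starts before this hunk and continues after it.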
@@ -1054,11 +1066,11 @@
                cp = (u_int8_t *)(sr+1);
                memcpy(cp, ni->ni_essid, ni->ni_esslen);
                cp += ni->ni_esslen;
-               if (ni->ni_wpa_ie != NULL) {
+               if (sr->isr_ie_len > 0 && ni->ni_wpa_ie != NULL) {
                        memcpy(cp, ni->ni_wpa_ie, 2+ni->ni_wpa_ie[1]);
                        cp += 2+ni->ni_wpa_ie[1];
                }
-               if (ni->ni_wme_ie != NULL) {
+               if (sr->isr_ie_len > 0 && ni->ni_wme_ie != NULL) {
                        memcpy(cp, ni->ni_wme_ie, 2+ni->ni_wme_ie[1]);
                        cp += 2+ni->ni_wme_ie[1];
                }
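Review bot: The two new `sr->isr_ie_len > 0 &&` guards make the copy depend on the length computed in the sizing function of the previous hunk, yet the byte counts passed to `memcpy` are recomputed here from `ni->ni_wpa_ie[1]` and `ni->ni_wme_ie[1]` rather than taken from `sr`, so the destination, sized from `isr_len`, is only safe as long as both computations agree. A comment at the first guard, `/* lengths must match those summed into isr_ie_len when sr was sized, or this overruns the isr_len area */`, would make that coupling explicit for the next change. If the node's IE pointers can be replaced between the sizing and this copy (locking is not visible in the hunk), the same mismatch could arise at run time, which argues for bounding each copy by the remaining space rather than by the IE's own length byte. The enclosing function starts and ends outside this hunk.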


