not enough rates in struct iwi_rateset

From: Jeremie Le Hen <jeremie_at_le-hen.org>
Date: Sun, 22 Oct 2006 00:51:46 +0200
Hi,

I have compiled my kernel with ProPolice and if_iwi happened to
trigger the stack smashing protector, which means there has been
a buffer overflow in a buffer allocated in the stack.

The buffer overflow occurs in iwi_auth_and_assoc(), and the only
buffer in this function is in struct iwi_rateset, which can
handle 12 rates, however according to kgdb ni->ni_rates.rs_nrates
has a value of 13.

I am not confident with the net80211 code, but a quick glance at
sys/net80211/_ieee80211.h shows that there may be up to 15 rates.
Therefore I bumped up the number of rates in iwi_rateset to 15
and there is no buffer overflow anymore, though I don't know if
this is the correct fix.

Best regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

Received on Sat Oct 21 2006 - 20:51:05 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:01 UTC