Thanks a lot for pointing that out.

I think the correct fix would be to copy only the minimum between 12 (sizeof rs.rsrates) and ni->ni_rates.rs_nrates. You can't just extend the size of the iwi_rateset structure which is a command sent to the firmware (I double-checked in the Intel Linux driver and they also use a structure with 12 (IPW_MAX_RATES) rates).

I wonder how ni->ni_rates.rs_nrates can be greater than 12 though since we only have 12 rates max in ic->ic_sup_rates[] and the rate set is supposed to be negotiated at that point which means that any rate that we don't support should have been removed from ni->ni_rates.rs_rates[].

If you could show the content of ni->ni_rates.rs_rates[], that might help.

Regards,
Damien

| Hi,
|
| I have compiled my kernel with ProPolice and if_iwi happened to
| trigger the stack smashing protector, which means there has been
| a buffer overflow in a buffer allocated in the stack.
|
| The buffer overflow occurs in iwi_auth_and_assoc(), and the only
| buffer in this function is in struct iwi_rateset, which can
| handle 12 rates, however according to kgdb ni->ni_rates.rs_nrates
| has a value of 13.
|
| I am not confident with the net80211 code, but a quick glance at
| sys/net80211/_ieee80211.h shows that there may be up to 15 rates.
| Therefore I bumped up the number of rates in iwi_rateset to 15
| and there is no buffer overflow anymore, though I don't know if
| this is the correct fix.
|
| Best regards,
| --
| Jeremie Le Hen
| < jeremie at le-hen dot org >< ttz at chchile dot org >

Received on Sun Oct 22 2006 - 06:13:25 UTC
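The bounded copy Damien describes, written out as an added example; this is not code from the FreeBSD if_iwi driver, from net80211, or from either poster. It uses illustrative stand-ins for struct iwi_rateset (12 rate slots, as stated above) and for a net80211 rate set of up to 15 entries, a constructed 13-entry input matching the kgdb value in the report, and invented helper names (iwi_build_rateset, make_rateset, rateset_dropped and friends). The static assertion makes the point that the command's size is part of the firmware interface, which is why the fix has to clamp the copy rather than widen the structure:

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative stand-ins for the driver and net80211 definitions. The field
 * layouts are assumptions for this example, not copies of the kernel headers;
 * the only facts taken from the thread are the 12-slot firmware rate set and
 * the up-to-15-entry net80211 rate set.
 */
#define IWI_RATESET_SIZE        12      /* slots in the firmware command */
#define IEEE80211_RATE_MAXSIZE  15      /* what net80211 may hand the driver */

struct iwi_rateset {
	uint8_t mode;
	uint8_t nrates;
	uint8_t type;
	uint8_t reserved;
	uint8_t rates[IWI_RATESET_SIZE];
};

/* The command is handed to the firmware as-is, so its size is part of the
 * wire format: bumping IWI_RATESET_SIZE to 15 would silently change it. */
_Static_assert(sizeof(struct iwi_rateset) == 4 + IWI_RATESET_SIZE,
    "iwi_rateset is a firmware command; its layout must not change");

struct ieee80211_rateset {
	uint8_t rs_nrates;
	uint8_t rs_rates[IEEE80211_RATE_MAXSIZE];
};

/*
 * Unchecked form implied by the report (reconstructed for illustration, not
 * quoted from the driver): rs.nrates is taken straight from the node and
 * drives the memcpy, so a 13-entry set writes one byte past rs.rates[] on
 * the stack, which is what the stack protector caught.
 *
 *     rs.nrates = ni->ni_rates.rs_nrates;
 *     memcpy(rs.rates, ni->ni_rates.rs_rates, rs.nrates);
 */

/*
 * Bounded form: copy min(sizeof rs->rates, rs_nrates) entries. Returns how
 * many negotiated rates did not fit (0 when the whole set fit) so the caller
 * can log the truncation instead of losing rates silently.
 */
int
iwi_build_rateset(struct iwi_rateset *rs, const struct ieee80211_rateset *ni_rates)
{
	int dropped = 0;

	memset(rs, 0, sizeof(*rs));
	rs->nrates = ni_rates->rs_nrates;
	if (rs->nrates > sizeof(rs->rates)) {
		dropped = rs->nrates - (int)sizeof(rs->rates);
		rs->nrates = (uint8_t)sizeof(rs->rates);
	}
	memcpy(rs->rates, ni_rates->rs_rates, rs->nrates);
	return dropped;
}

/* Constructed sample input: 802.11g rates in 500 kb/s units, padded with
 * extra values so sets of up to 15 entries can be built. Test data only. */
static const uint8_t sample_rates[IEEE80211_RATE_MAXSIZE] = {
	2, 4, 11, 22, 12, 18, 24, 36, 48, 72, 96, 108, 1, 3, 5
};

struct ieee80211_rateset
make_rateset(unsigned n)
{
	struct ieee80211_rateset ni_rates;

	if (n > IEEE80211_RATE_MAXSIZE)
		n = IEEE80211_RATE_MAXSIZE;
	memset(&ni_rates, 0, sizeof(ni_rates));
	ni_rates.rs_nrates = (uint8_t)n;
	memcpy(ni_rates.rs_rates, sample_rates, n);
	return ni_rates;
}

/* Wrappers that build an n-entry set and expose the result as plain integers. */
int
rateset_dropped(unsigned n)
{
	struct iwi_rateset rs;
	struct ieee80211_rateset r = make_rateset(n);

	return iwi_build_rateset(&rs, &r);
}

int
rateset_nrates(unsigned n)
{
	struct iwi_rateset rs;
	struct ieee80211_rateset r = make_rateset(n);

	(void)iwi_build_rateset(&rs, &r);
	return rs.nrates;
}

int
rateset_last_rate(unsigned n)
{
	struct iwi_rateset rs;
	struct ieee80211_rateset r = make_rateset(n);

	(void)iwi_build_rateset(&rs, &r);
	return rs.nrates == 0 ? -1 : rs.rates[rs.nrates - 1];
}

int
main(void)
{
	static const unsigned cases[] = { 8, 13, 15 };
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("negotiated %2u rates -> sent %2d, dropped %d, last rate %d\n",
		    cases[i], rateset_nrates(cases[i]), rateset_dropped(cases[i]),
		    rateset_last_rate(cases[i]));
	return 0;
}
```

The 13-entry case reproduces the situation in the report: 12 rates go into the command, one is dropped, and nothing is written past rs.rates[]. A real driver would want to log the non-zero return value, since a negotiated set longer than the firmware limit is exactly the condition Damien says should not arise after negotiation.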