Date: Sun, 22 Oct 2006 10:12:41 +0200
From: "Damien Bergamini" <damien.bergamini@free.fr>
To: "Jeremie Le Hen" <jeremie@le-hen.org>, <freebsd-current@FreeBSD.org>
Cc: mlaier@FreeBSD.org
Subject: Re: not enough rates in struct iwi_rateset
Message-ID: <00aa01c6f5b1$d8e8a6a0$0300a8c0@COMETE>
References: <20061021225146.GT53114@obiwan.tataz.chchile.org>
Thanks a lot for pointing that out.

I think the correct fix would be to copy only the minimum between 12 (sizeof rs.rsrates) and ni->ni_rates.rs_nrates. You can't just extend the size of the iwi_rateset structure, which is a command sent to the firmware (I double-checked in the Intel Linux driver and they also use a structure with 12 (IPW_MAX_RATES) rates).

I wonder how ni->ni_rates.rs_nrates can be greater than 12 though, since we only have 12 rates max in ic->ic_sup_rates[] and the rate set is supposed to be negotiated at that point, which means that any rate that we don't support should have been removed from ni->ni_rates.rs_rates[]. If you could show the content of ni->ni_rates.rs_rates[], that might help.

Regards,

Damien

| Hi,
|
| I have compiled my kernel with ProPolice and if_iwi happened to
| trigger the stack smashing protector, which means there has been
| a buffer overflow in a buffer allocated in the stack.
|
| The buffer overflow occurs in iwi_auth_and_assoc(), and the only
| buffer in this function is in struct iwi_rateset, which can
| handle 12 rates, however according to kgdb ni->ni_rates.rs_nrates
| has a value of 13.
|
| I am not confident with the net80211 code, but a quick glance at
| sys/net80211/_ieee80211.h shows that there may be up to 15 rates.
| Therefore I bumped up the number of rates in iwi_rateset to 15
| and there is no buffer overflow anymore, though I don't know if
| this is the correct fix.
|
| Best regards,
| --
| Jeremie Le Hen
| < jeremie at le-hen dot org >< ttz at chchile dot org >
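The clamped copy Damien proposes, as an added C illustration that is not part of this thread or of the FreeBSD if_iwi driver: the two struct layouts, the macro names and the function names are simplified assumptions, and the 13-rate node rate set is constructed to reproduce the rs_nrates == 13 case from the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IWI_RATESET_MAX         12  /* rates the firmware command can carry */
#define IEEE80211_RATE_MAXSIZE  15  /* rates a net80211 node rate set can hold */

/* Simplified stand-in for net80211's struct ieee80211_rateset. */
struct ieee80211_rateset {
    uint8_t rs_nrates;
    uint8_t rs_rates[IEEE80211_RATE_MAXSIZE];
};

/* Simplified stand-in for the driver's struct iwi_rateset (firmware command). */
struct iwi_rateset {
    uint8_t mode, nrates, type, reserved;
    uint8_t rates[IWI_RATESET_MAX];
};

/* Clamped copy: min(sizeof rs->rates, rs_nrates), so a node advertising 13 (or
 * up to 15) rates cannot write past rs.rates[] on the stack. Returns the count copied. */
size_t iwi_copy_rateset(struct iwi_rateset *rs, const struct ieee80211_rateset *ni_rates)
{
    size_t n = ni_rates->rs_nrates;
    if (n > sizeof(rs->rates))
        n = sizeof(rs->rates);      /* drop the excess instead of overflowing */
    memset(rs, 0, sizeof(*rs));
    rs->nrates = (uint8_t)n;
    memcpy(rs->rates, ni_rates->rs_rates, n);
    return n;
}

/* Constructed node rate set with `count` entries: the 12 802.11b/g rates in
 * 500 kbit/s units, then duplicates flagged "basic", to mimic rs_nrates == 13. */
void make_node_rateset(struct ieee80211_rateset *ni_rates, uint8_t count)
{
    static const uint8_t bg[12] = { 2, 4, 11, 22, 12, 18, 24, 36, 48, 72, 96, 108 };
    if (count > IEEE80211_RATE_MAXSIZE) count = IEEE80211_RATE_MAXSIZE;
    memset(ni_rates, 0, sizeof(*ni_rates));
    ni_rates->rs_nrates = count;
    for (uint8_t i = 0; i < count; i++)
        ni_rates->rs_rates[i] = i < 12 ? bg[i] : (uint8_t)(0x80 | bg[i - 12]);
}

int main(void)
{
    struct ieee80211_rateset ni_rates;
    struct iwi_rateset rs;
    make_node_rateset(&ni_rates, 13);   /* the rs_nrates == 13 case from the report */
    printf("copied %zu of %u rates\n", iwi_copy_rateset(&rs, &ni_rates), (unsigned)ni_rates.rs_nrates);
    return 0;
}
```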