From: "Damien Bergamini" <damien.bergamini@free.fr>
To: "Jeremie Le Hen"
Cc: mlaier@FreeBSD.org
Date: Sun, 22 Oct 2006 10:12:41 +0200
Subject: Re: not enough rates in struct iwi_rateset
Message-ID: <00aa01c6f5b1$d8e8a6a0$0300a8c0@COMETE>
References: <20061021225146.GT53114@obiwan.tataz.chchile.org>
List: freebsd-current (Discussions about the use of FreeBSD-current)

Thanks a lot for pointing that out. I think the correct fix would be to copy only the minimum between 12 (sizeof rs.rsrates) and ni->ni_rates.rs_nrates. You can't just extend the size of the iwi_rateset structure, which is a command sent to the firmware (I double-checked in the Intel Linux driver and they also use a structure with 12 (IPW_MAX_RATES) rates).
I wonder how ni->ni_rates.rs_nrates can be greater than 12 though, since we only have 12 rates max in ic->ic_sup_rates[] and the rate set is supposed to be negotiated at that point, which means that any rate that we don't support should have been removed from ni->ni_rates.rs_rates[]. If you could show the content of ni->ni_rates.rs_rates[], that might help.

Regards,
Damien

| Hi,
|
| I have compiled my kernel with ProPolice and if_iwi happened to
| trigger the stack smashing protector, which means there has been
| a buffer overflow in a buffer allocated in the stack.
|
| The buffer overflow occurs in iwi_auth_and_assoc(), and the only
| buffer in this function is in struct iwi_rateset, which can
| handle 12 rates, however according to kgdb ni->ni_rates.rs_nrates
| has a value of 13.
|
| I am not confident with the net80211 code, but a quick glance at
| sys/net80211/_ieee80211.h shows that there may be up to 15 rates.
| Therefore I bumped up the number of rates in iwi_rateset to 15
| and there is no buffer overflow anymore, though I don't know if
| this is the correct fix.
|
| Best regards,
| --
| Jeremie Le Hen
| < jeremie at le-hen dot org >< ttz at chchile dot org >
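As an added illustration of the bounded copy Damien proposes (this is not code from the thread or from the FreeBSD iwi driver; the two struct layouts are simplified stand-ins that only reproduce the 12-slot firmware command and the 15-rate net80211 set named above):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins: sizes come from the thread, field layout is simplified. */
#define IWI_RATESET_SIZE       12   /* rate slots in the firmware command */
#define IEEE80211_RATE_MAXSIZE 15   /* rates net80211 may report in a rateset */

struct iwi_rateset {                /* fixed-size command sent to the firmware */
    uint8_t mode, type, reserved;
    uint8_t nrates;
    uint8_t rates[IWI_RATESET_SIZE];
};

struct ieee80211_rateset {          /* what ni->ni_rates looks like, simplified */
    uint8_t rs_nrates;
    uint8_t rs_rates[IEEE80211_RATE_MAXSIZE];
};

/* Bounded fill: copy min(sizeof rs->rates, src->rs_nrates) rates so a source
 * with 13..15 entries can never write past the 12-byte command buffer.
 * Returns the number of rates actually copied. */
static int iwi_fill_rateset(struct iwi_rateset *rs,
                            const struct ieee80211_rateset *src)
{
    size_t n = src->rs_nrates;
    if (n > sizeof rs->rates)
        n = sizeof rs->rates;       /* firmware layout is fixed: truncate, don't grow */
    memset(rs, 0, sizeof *rs);
    rs->nrates = (uint8_t)n;
    memcpy(rs->rates, src->rs_rates, n);
    return (int)n;
}

/* Constructed scenario: net80211 reports `reported` rates (13 in the thread),
 * encoded as 500 kbps units 2,4,6,... Returns how many reached the command. */
static int demo_copy_count(uint8_t reported)
{
    struct ieee80211_rateset src = { .rs_nrates = reported };
    struct iwi_rateset rs;
    for (size_t i = 0; i < IEEE80211_RATE_MAXSIZE; i++)
        src.rs_rates[i] = (uint8_t)(2 * (i + 1));
    return iwi_fill_rateset(&rs, &src);
}

int main(void)
{
    printf("13 reported -> %d copied\n", demo_copy_count(13));
    return 0;
}
```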