Date:      Sun, 22 Oct 2006 00:51:46 +0200
From:      Jeremie Le Hen <jeremie@le-hen.org>
To:        freebsd-current@FreeBSD.org
Cc:        mlaier@FreeBSD.org, damien@FreeBSD.org
Subject:   not enough rates in struct iwi_rateset
Message-ID:  <20061021225146.GT53114@obiwan.tataz.chchile.org>



Hi,

I have compiled my kernel with ProPolice and if_iwi happened to
trigger the stack smashing protector, which means there has been
a buffer overflow in a buffer allocated in the stack.

The buffer overflow occurs in iwi_auth_and_assoc(), and the only
buffer in this function is in struct iwi_rateset, which can
handle 12 rates, however according to kgdb ni->ni_rates.rs_nrates
has a value of 13.

I am not confident with the net80211 code, but a quick glance at
sys/net80211/_ieee80211.h shows that there may be up to 15 rates.
Therefore I bumped up the number of rates in iwi_rateset to 15
and there is no buffer overflow anymore, though I don't know if
this is the correct fix.

Best regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

Attachment: if_iwireg.h.patch

Index: if_iwireg.h
===================================================================
RCS file: /home/ncvs/src/sys/dev/iwi/if_iwireg.h,v
retrieving revision 1.12
diff -u -p -r1.12 if_iwireg.h
--- if_iwireg.h	27 Apr 2006 21:43:37 -0000	1.12
+++ if_iwireg.h	21 Oct 2006 22:38:34 -0000
@@ -338,7 +338,7 @@ struct iwi_rateset {
 #define IWI_RATESET_TYPE_SUPPORTED	1
 
 	uint8_t	reserved;
-	uint8_t	rates[12];
+	uint8_t	rates[15];
 } __packed;
 
 /* structure for command IWI_CMD_SET_TX_POWER */
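Review bot: growing `rates[12]` to `rates[15]` changes the size of a `__packed` structure that, judging by the neighbouring comment "structure for command IWI_CMD_SET_TX_POWER", is a command layout handed to the firmware; nothing in the hunk shows the firmware accepts a 19-byte rateset instead of a 16-byte one, so the overflow may simply move from the stack to the device interface. Since the message reports the overrun in iwi_auth_and_assoc() when ni_rates.rs_nrates (13) exceeds the array, the safer fix is to clamp the copy on the driver side, e.g. `if (rs.nrates > IWI_RATESET_SIZE) rs.nrates = IWI_RATESET_SIZE;` before the memcpy, keeping the firmware structure unchanged. Either way, the bare `12`/`15` should become a named constant such as `IWI_RATESET_SIZE` so the copy and the array size cannot drift apart.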

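The following is an added C model of the overrun described in the message, together with a clamped copy that avoids it. It is example code, not the if_iwi driver's own source: the field layout of `struct iwi_rateset`, the `IWI_RATESET_SIZE` constant (12, the unpatched array size) and the 15-entry net80211 rateset are assumptions taken from the message, and the 13-rate sample input is constructed.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the two structures the message discusses (assumed
 * layout, not the driver's headers). 12 is the unpatched array size in
 * if_iwireg.h; 15 is the net80211 maximum the message quotes. */
#define IWI_RATESET_SIZE        12
#define IEEE80211_RATE_MAXSIZE  15

struct iwi_rateset {
    uint8_t mode;
    uint8_t nrates;
    uint8_t type;
    uint8_t reserved;
    uint8_t rates[IWI_RATESET_SIZE];
} __attribute__((packed));

struct ieee80211_rateset {
    uint8_t rs_nrates;
    uint8_t rs_rates[IEEE80211_RATE_MAXSIZE];
};

/* Constructed input: a 13-entry rateset, the count kgdb reported. */
static struct ieee80211_rateset sample_rateset(void)
{
    static const uint8_t r[13] = { 2, 4, 11, 22, 12, 18, 24,
                                   36, 48, 72, 96, 108, 6 };
    struct ieee80211_rateset rs;
    memset(&rs, 0, sizeof(rs));
    rs.rs_nrates = 13;
    memcpy(rs.rs_rates, r, sizeof(r));
    return rs;
}

/* How many bytes an unclamped memcpy of rs_nrates entries would write
 * past the end of rates[] (0 means the copy fits). */
static int rates_overrun(const struct ieee80211_rateset *rs)
{
    return rs->rs_nrates > IWI_RATESET_SIZE
        ? rs->rs_nrates - IWI_RATESET_SIZE : 0;
}

/* Hardened copy: clamp to the firmware structure's capacity and drop the
 * surplus rates. Returns the number of rates actually copied. */
static int iwi_fill_rateset(struct iwi_rateset *dst,
                            const struct ieee80211_rateset *rs)
{
    uint8_t n = rs->rs_nrates;
    if (n > IWI_RATESET_SIZE)
        n = IWI_RATESET_SIZE;
    memset(dst, 0, sizeof(*dst));
    dst->nrates = n;
    memcpy(dst->rates, rs->rs_rates, n);
    return n;
}

/* Result helpers for the sample input. */
static int demo_overrun(void)
{
    struct ieee80211_rateset rs = sample_rateset();
    return rates_overrun(&rs);
}

static int demo_copied(void)
{
    struct ieee80211_rateset rs = sample_rateset();
    struct iwi_rateset out;
    return iwi_fill_rateset(&out, &rs);
}

/* Mimics what the stack protector checks: a guard word placed right after
 * the rateset must survive the clamped copy. Returns 1 if it does. */
static int demo_guard_intact(void)
{
    struct {
        struct iwi_rateset rs;
        uint32_t guard;
    } frame;
    struct ieee80211_rateset in = sample_rateset();
    frame.guard = 0xCAFEBABEu;
    iwi_fill_rateset(&frame.rs, &in);
    return frame.guard == 0xCAFEBABEu;
}

int main(void)
{
    printf("sizeof(struct iwi_rateset) = %zu\n", sizeof(struct iwi_rateset));
    printf("unclamped copy would overrun by %d byte(s)\n", demo_overrun());
    printf("clamped copy stored %d rates, guard intact: %d\n",
           demo_copied(), demo_guard_intact());
    return 0;
}
```

The clamp keeps `struct iwi_rateset` at its original 16 packed bytes, so the command layout the firmware sees is unchanged; only the extra rates beyond the twelfth are discarded.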



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20061021225146.GT53114>