From owner-freebsd-current@FreeBSD.ORG Sat Oct 21 22:51:05 2006
Return-Path:
X-Original-To: freebsd-current@FreeBSD.org
Delivered-To: freebsd-current@FreeBSD.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 84AD316A416; Sat, 21 Oct 2006 22:51:05 +0000 (UTC) (envelope-from tataz@tataz.chchile.org)
Received: from smtp4-g19.free.fr (smtp4-g19.free.fr [212.27.42.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 12E8743D7D; Sat, 21 Oct 2006 22:51:00 +0000 (GMT) (envelope-from tataz@tataz.chchile.org)
Received: from tatooine.tataz.chchile.org (tataz.chchile.org [82.233.239.98]) by smtp4-g19.free.fr (Postfix) with ESMTP id 0CB614ED15; Sun, 22 Oct 2006 00:50:59 +0200 (CEST)
Received: from obiwan.tataz.chchile.org (unknown [192.168.1.25]) by tatooine.tataz.chchile.org (Postfix) with ESMTP id EDEFA9E6C2; Sat, 21 Oct 2006 22:51:46 +0000 (UTC)
Received: by obiwan.tataz.chchile.org (Postfix, from userid 1000) id D15BD405B; Sun, 22 Oct 2006 00:51:46 +0200 (CEST)
Date: Sun, 22 Oct 2006 00:51:46 +0200
From: Jeremie Le Hen
To: freebsd-current@FreeBSD.org
Message-ID: <20061021225146.GT53114@obiwan.tataz.chchile.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0vzXIDBeUiKkjNJl"
Content-Disposition: inline
User-Agent: Mutt/1.5.13 (2006-08-11)
Cc: mlaier@FreeBSD.org, damien@FreeBSD.org
Subject: not enough rates in struct iwi_rateset
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 21 Oct 2006 22:51:05 -0000

--0vzXIDBeUiKkjNJl
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Hi,

I have compiled my kernel with ProPolice and if_iwi happened to trigger the stack smashing protector, which means there has been a buffer overflow in a buffer allocated on the stack.

The buffer overflow occurs in iwi_auth_and_assoc(), and the only buffer in this function is in struct iwi_rateset, which can handle 12 rates; however, according to kgdb, ni->ni_rates.rs_nrates has a value of 13.

I am not confident with the net80211 code, but a quick glance at sys/net80211/_ieee80211.h shows that there may be up to 15 rates. Therefore I bumped up the number of rates in iwi_rateset to 15 and there is no buffer overflow anymore, though I don't know if this is the correct fix.

Best regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

--0vzXIDBeUiKkjNJl
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="if_iwireg.h.patch"

Index: if_iwireg.h
===================================================================
RCS file: /home/ncvs/src/sys/dev/iwi/if_iwireg.h,v
retrieving revision 1.12
diff -u -p -r1.12 if_iwireg.h
--- if_iwireg.h	27 Apr 2006 21:43:37 -0000	1.12
+++ if_iwireg.h	21 Oct 2006 22:38:34 -0000
@@ -338,7 +338,7 @@ struct iwi_rateset { #define IWI_RATESET_TYPE_SUPPORTED 1 uint8_t reserved; - uint8_t rates[12]; + uint8_t rates[15]; } __packed; /* structure for command IWI_CMD_SET_TX_POWER */ --0vzXIDBeUiKkjNJl--
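Review bot: the hunk enlarges the buffer but does not add a bounds check, and `struct iwi_rateset` is `__packed` and sits next to another "structure for command ..." definition, so it is a firmware command layout: growing `uint8_t rates[12];` to `uint8_t rates[15];` changes the size of the command handed to the firmware, which needs confirming against the firmware interface before this goes in. Independently of that, the copy in iwi_auth_and_assoc() should clamp the count to `sizeof(rateset.rates)` (or equivalent) so that a node advertising more rates than the command can carry truncates instead of overrunning the stack, as it did here with rs_nrates == 13. If the firmware does accept 15 entries, express the new bound through the net80211 limit that defines the 15-rate maximum in sys/net80211/_ieee80211.h (IEEE80211_RATE_MAXSIZE in that header) rather than a bare literal, with a comment saying where the number comes from.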
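The failure the post describes, shown as an added example that is not the poster's patch or the iwi driver's code: a node advertising 13 rates is copied into a stack-allocated command structure whose rate array holds 12 entries, so an unchecked copy runs past the buffer (the write the stack protector caught). The struct layouts, the `model_` names, the `copy_*` and `demo_*` functions and the 13-rate sample are assumptions made for this illustration; the block contrasts a check for the unbounded case with a copy that clamps to the destination size and reports truncation.

```c
/* Added example, not code from the mailing-list post or the iwi driver.
 * It models the bug described above: a node advertising 13 rates copied
 * into a firmware command structure whose rates[] holds 12 entries. The
 * struct layouts, names and the 13-rate sample are assumptions made for
 * illustration only. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_RATESET_SIZE 12   /* iwi_rateset.rates[] size before the patch */
#define MODEL_RATE_MAXSIZE 15   /* net80211's upper bound on rs_nrates (per the post) */

/* Model of the __packed firmware command buffer built on the stack. */
struct model_rateset {
    uint8_t mode;
    uint8_t nrates;
    uint8_t type;
    uint8_t reserved;
    uint8_t rates[MODEL_RATESET_SIZE];
} __attribute__((packed));

/* Model of net80211's per-node rate set: a count plus a rate table. */
struct model_node_rates {
    uint8_t rs_nrates;
    uint8_t rs_rates[MODEL_RATE_MAXSIZE];
};

/* Returns 1 if copying ni->rs_nrates bytes into a rates[] of 'cap' bytes
 * would overflow, i.e. what an unchecked copy of the whole count would do. */
int copy_would_overflow(const struct model_node_rates *ni, size_t cap)
{
    return ni->rs_nrates > cap;
}

/* Hardened copy: clamps the count to the destination size, records the
 * number actually copied in the command, and reports truncation so the
 * caller can log it. Returns the number of rates copied. */
size_t copy_rateset_bounded(struct model_rateset *rs,
                            const struct model_node_rates *ni,
                            int *truncated)
{
    size_t n = ni->rs_nrates;

    *truncated = 0;
    if (n > sizeof(rs->rates)) {
        *truncated = 1;
        n = sizeof(rs->rates);
    }
    memset(rs, 0, sizeof(*rs));
    memcpy(rs->rates, ni->rs_rates, n);
    rs->nrates = (uint8_t)n;
    return n;
}

/* Constructed sample: a node advertising 13 rates (1..13 as placeholder
 * rate codes), the count kgdb showed in the post. */
static void make_sample_node(struct model_node_rates *ni)
{
    uint8_t i;

    memset(ni, 0, sizeof(*ni));
    ni->rs_nrates = 13;
    for (i = 0; i < ni->rs_nrates; i++)
        ni->rs_rates[i] = (uint8_t)(i + 1);
}

/* Number of rates the bounded copy keeps for the 13-rate sample. */
int demo_copied_count(void)
{
    struct model_node_rates ni;
    struct model_rateset rs;
    int truncated;

    make_sample_node(&ni);
    return (int)copy_rateset_bounded(&rs, &ni, &truncated);
}

/* 1 if the sample would have overflowed an unchecked copy into rates[12]. */
int demo_overflow_detected(void)
{
    struct model_node_rates ni;

    make_sample_node(&ni);
    return copy_would_overflow(&ni, MODEL_RATESET_SIZE);
}

int main(void)
{
    struct model_node_rates ni;
    struct model_rateset rs;
    int truncated;
    size_t n;

    make_sample_node(&ni);
    printf("unchecked copy would overflow: %d\n",
           copy_would_overflow(&ni, sizeof(rs.rates)));
    n = copy_rateset_bounded(&rs, &ni, &truncated);
    printf("bounded copy kept %zu of %u rates (truncated=%d)\n",
           n, ni.rs_nrates, truncated);
    return 0;
}
```

The clamp is the part that matters regardless of whether the array is later grown to 15: the array size is a property of the command the firmware expects, while rs_nrates is whatever the peer advertised, so the copy must be bounded by the destination and the truncation made visible rather than trusted to match.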