Message-Id: <200411291153.iATBrMmk091706@Vitsch.net>
Date: Mon, 29 Nov 2004 12:53:22 +0100 (CET)
From: "Daan Vreeken [PA4DAN]"
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/74509: [PATCH] ifconfig allows setting 33-byte SSID

>Number: 74509
>Category: bin
>Synopsis: [PATCH] ifconfig allows setting 33-byte SSID
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Nov 29 12:00:51 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Daan Vreeken [PA4DAN]
>Release: FreeBSD 5.3-RELEASE i386
>Organization:
>Environment:
System: FreeBSD Racebeest.Danovitsch.LAN 5.3-RELEASE FreeBSD 5.3-RELEASE #4: Fri Nov 26 18:18:21 CET 2004 root@Racebeest.Danovitsch.LAN:/usr/src.5.3-release/sys/i386/compile/Laptop i386
>Description:
Ifconfig allows setting an SSID of 33 bytes. set80211ssid() calls get_string() to read & verify the SSID argument. get_string() checks the length of the given SSID argument, but fails because set80211ssid() passes a 33-byte buffer to it instead of a 32-byte buffer.
>How-To-Repeat:
Try the following commands to any interface:

# ifconfig atuwi0 ssid 12345678901234567890123456789012
(Setting a 32-byte SSID. No errors, correct)

# ifconfig atuwi0 ssid 123456789012345678901234567890123
ifconfig: SIOCS80211: Invalid argument
(Setting a 33-byte SSID. The interface driver returns an error. ifconfig should have complained here about the length)

# ifconfig atuwi0 ssid 1234567890123456789012345678901234
ifconfig: string too long
ifconfig: SIOCS80211: Invalid argument
(Setting a 34-byte SSID. Ifconfig complains about the SSID being too long, but continues to set the first 33 bytes of the SSID. The driver complains again.
I think ifconfig should have bailed out when it detected the SSID was too long, instead of setting the first part.)
>Fix:
Apply the given patch to -current. This patch changes the ssid buffer size to 32 bytes so get_string() will detect strings > 32 bytes correctly. The second part of the patch makes set80211ssid() return if the SSID was too long, instead of setting the first 32 bytes.

There are a couple of other bugs still in the ifconfig code. I would like to know who I can contact to discuss them.

--- ifconfig_ifieee80211_ssid_len.diff begins here ---
--- ifieee80211.c.org Mon Nov 29 10:05:09 2004 +++ ifieee80211.c Mon Nov 29 11:29:56 2004 @@ -100,7 +100,7 @@ { int ssid; int len; - u_int8_t data[33]; + u_int8_t data[32]; ssid = 0; len = strlen(val); @@ -111,8 +111,9 @@ bzero(data, sizeof(data)); len = sizeof(data); - get_string(val, NULL, data, &len); - + if (get_string(val, NULL, data, &len) == NULL) + return; + set80211(s, IEEE80211_IOC_SSID, ssid, len, data); }
--- ifconfig_ifieee80211_ssid_len.diff ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:
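
Review bot: in the first hunk (@@ -100,7), "u_int8_t data[32];" keeps the SSID limit as a bare literal, and because "len = sizeof(data);" feeds that size to get_string(), the array dimension is now the only thing enforcing the limit. Use a named constant for the maximum SSID length, or add a comment that the array is deliberately sized to the limit with no spare byte for a terminator, so a later edit does not put the 33rd byte back.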
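
Review bot: in the second hunk (@@ -111,8), the new "return;" on get_string() failure leaves set80211ssid() without passing any status back, so nothing in this hunk tells the caller the SSID was rejected or makes ifconfig exit non-zero. Consider ending with an error exit at that point, or otherwise propagating the failure, so that scripts see the rejection. The blank line removed after the get_string() call and the one added after "return;" are whitespace churn that could be dropped to keep the hunk to the logic change.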
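
Added example, not part of the original report and not ifconfig's code: a small C model of the behaviour described above, showing the 33-byte buffer with the result ignored next to the 32-byte buffer with the failure honoured. The helper copy_checked() and both wrapper functions are hypothetical stand-ins for get_string() and set80211ssid(), and the sample SSID is the 34-byte one from the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SSID_MAX 32            /* longest SSID the report treats as valid */

/*
 * Hypothetical model of the check the report describes (not get_string()
 * itself): copy at most *len bytes of val into buf, store the count copied
 * in *len, and return NULL when val did not fit.
 */
static const char *copy_checked(const char *val, unsigned char *buf, int *len)
{
    size_t n = strlen(val);
    size_t cap = (size_t)*len;
    int fits = n <= cap;

    if (!fits)
        n = cap;               /* the truncated copy is still left in buf */
    memcpy(buf, val, n);
    *len = (int)n;
    return fits ? val : NULL;
}

/* Before: 33-byte buffer, result ignored. Returns the length passed on. */
int ssid_len_before(const char *val)
{
    unsigned char data[SSID_MAX + 1];
    int len = sizeof(data);

    copy_checked(val, data, &len);
    return len;                /* 33 for any input of 33 bytes or more */
}

/* After: buffer sized to the limit, and a failed check stops the call. */
int ssid_len_after(const char *val)
{
    unsigned char data[SSID_MAX];
    int len = sizeof(data);

    if (copy_checked(val, data, &len) == NULL)
        return -1;             /* nothing is handed to the driver */
    return len;
}

int main(void)
{
    const char *s34 = "1234567890123456789012345678901234";
    printf("before=%d after=%d\n", ssid_len_before(s34), ssid_len_after(s34));
    return 0;
}
```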