
staging: r8188eu: memory corruption handling long ssids

We should cap the SSID length at NDIS_802_11_LENGTH_SSID (32) characters
to avoid memory corruption. If the SSID is too long then I have opted
to ignore it instead of truncating it.

We don't need to clear bssid->Ssid.Ssid[0] because this struct is
allocated with rtw_zmalloc()

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Dan Carpenter and committed by
Greg Kroah-Hartman
7a081ea2 d3a874e8

+8 -14
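--- a/drivers/staging/rtl8188eu/core/rtw_wlan_util.c
+++ b/drivers/staging/rtl8188eu/core/rtw_wlan_util.c
@@ -912,12 +912,12 @@
 unsigned char *pbuf;
 u32 wpa_ielen = 0;
 u8 *pbssid = GetAddr3Ptr(pframe);
-u32 hidden_ssid = 0;
 struct HT_info_element *pht_info = NULL;
 struct rtw_ieee80211_ht_cap *pht_cap = NULL;
 u32 bcn_channel;
 unsigned short ht_cap_info;
 unsigned char ht_info_infos_0;
+int ssid_len;
 
 if (is_client_associated_to_ap(Adapter) == false)
 return true;
@@ -999,21 +999,15 @@
 }
 
 /* checking SSID */
+ssid_len = 0;
 p = rtw_get_ie(bssid->IEs + _FIXED_IE_LENGTH_, _SSID_IE_, &len, bssid->IELength - _FIXED_IE_LENGTH_);
-if (p == NULL) {
-DBG_88E("%s marc: cannot find SSID for survey event\n", __func__);
-hidden_ssid = true;
-} else {
-hidden_ssid = false;
+if (p) {
+ssid_len = *(p + 1);
+if (ssid_len > NDIS_802_11_LENGTH_SSID)
+ssid_len = 0;
 }
-
-if ((NULL != p) && (false == hidden_ssid && (*(p + 1)))) {
-memcpy(bssid->Ssid.Ssid, (p + 2), *(p + 1));
-bssid->Ssid.SsidLength = *(p + 1);
-} else {
-bssid->Ssid.SsidLength = 0;
-bssid->Ssid.Ssid[0] = '\0';
-}
+memcpy(bssid->Ssid.Ssid, (p + 2), ssid_len);
+bssid->Ssid.SsidLength = ssid_len;
 
 RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("%s bssid.Ssid.Ssid:%s bssid.Ssid.SsidLength:%d "
 "cur_network->network.Ssid.Ssid:%s len:%d\n", __func__, bssid->Ssid.Ssid,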
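Review bot: The new `memcpy(bssid->Ssid.Ssid, (p + 2), ssid_len);` runs even when rtw_get_ie() returned NULL, so `p + 2` is computed from a null pointer; with ssid_len at 0 nothing is copied, but that arithmetic is undefined in standard C and static analyzers will flag it. Moving the copy inside the `if (p)` block, after the length check, keeps the cap and avoids the problem. The cap has no lower bound, which is safe only if `p` points to unsigned bytes so that `*(p + 1)` cannot become negative in the `int ssid_len`; p's declaration is outside the hunk, so that should be confirmed. An over-long SSID is now dropped silently and, as far as this hunk shows, ends up indistinguishable from a missing SSID element, so a debug message on the `ssid_len > NDIS_802_11_LENGTH_SSID` branch would make malformed beacons visible. The enclosing function starts and ends outside the hunk.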