Package: zd1211-source
Version: 0.0.0.svnr23-3
Tags: patch

I have an AP with a 32-character ESSID. The driver fails to connect to it; the message 
"Can't find desired ESSID" 
is printed about once per second.
In addition, 
$ iwlist scanning 
displays in one place:
"essid: <ESSID here><additional garbage>"
This is an obvious case of the zero terminator being written out of bounds. A patch 
that increases the array sizes and memcpy lengths by one is included. I 
have already reported this to the zd1211 developer community.

I have compiled the kernel from 2.6.12-7.

-- 
 i.
diff -u -r zd1211/src/zd1205.c zd1211-ij/src/zd1205.c
--- zd1211/src/zd1205.c 2005-09-22 16:21:46.000000000 +0300
+++ zd1211-ij/src/zd1205.c      2005-10-26 09:53:54.000000000 +0300
@@ -7176,8 +7176,8 @@
                                 U8 bssTypeToConnect;
                                 zd1205_lock(macp);
                                 if (macp->BSSInfo[val-1].cap & CAP_IBSS) {
-                                        
memcpy((U8*)&mSsid,(U8*)macp->BSSInfo[val-1].ssid,34);
-                                        memcpy((U8*)&dot11DesiredSsid, &mSsid, 
34);
+                                        
memcpy((U8*)&mSsid,(U8*)macp->BSSInfo[val-1].ssid,34+1);
+                                        memcpy((U8*)&dot11DesiredSsid, &mSsid, 
34+1);
                                         
macp->BSSInfo[val-1].ssid[mSsid.buf[1]+2]=0;
                                         //printk(KERN_ERR "desired IBSS 
ssid=%s\n",&macp->BSSInfo[val-1].ssid[2]);
                                         
mBssType=macp->cardSetting.BssType=INDEPENDENT_BSS;
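Review bot: The terminator store `macp->BSSInfo[val-1].ssid[mSsid.buf[1]+2]=0;` still indexes with the raw length byte, so enlarging the buffer to 34+1 only covers the exact-32-byte case; if buf[1] is ever larger than 32 (it is the IE length byte, presumably taken from the received frame — where BSSInfo is filled is not visible here), the store still lands past the end of the Element. A bound before the index closes the hole instead of moving it: `if (mSsid.buf[1] > 32) mSsid.buf[1] = 32;` placed after the first memcpy and before the copy into dot11DesiredSsid and the terminator store. The CAP_ESS branch in the second zd1205.c hunk has the same pattern. Copying 34+1 bytes also assumes both mSsid and dot11DesiredSsid are the enlarged Element type; only Element itself is shown in the zdsorts.h hunk, so dot11DesiredSsid's declaration should be checked. The enclosing if/else block continues past the hunk.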
@@ -7185,8 +7185,8 @@
                                         bssTypeToConnect=mBssType;
                                         zd_CmdProcess(CMD_CONNECT, 
&bssTypeToConnect, val);
                                 } else if (macp->BSSInfo[val-1].cap & CAP_ESS) 
{
-                                        
memcpy((U8*)&mSsid,(U8*)macp->BSSInfo[val-1].ssid,34);
-                                        memcpy((U8*)&dot11DesiredSsid, &mSsid, 
34);
+                                        
memcpy((U8*)&mSsid,(U8*)macp->BSSInfo[val-1].ssid,34+1);
+                                        memcpy((U8*)&dot11DesiredSsid, &mSsid, 
34+1);
                                         
macp->BSSInfo[val-1].ssid[mSsid.buf[1]+2]=0;
                                         //printk(KERN_ERR "desired AP 
ssid=%s\n",&macp->BSSInfo[val-1].ssid[2]);
                                         
mBssType=macp->cardSetting.BssType=INFRASTRUCTURE_BSS;
diff -u -r zd1211/src/zdapi.h zd1211-ij/src/zdapi.h
--- zd1211/src/zdapi.h  2005-09-22 16:21:45.000000000 +0300
+++ zd1211-ij/src/zdapi.h       2005-10-26 09:55:11.000000000 +0300
@@ -473,7 +473,7 @@
         U8      bContinueTx;
         U8      bChScanning;
         U16            IntValue[14];
-        U8      CurrSsid[34];
+        U8      CurrSsid[34+1];
 #ifdef ZD1211B
 
         U8             LengthDiff;
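Review bot: `CurrSsid[34+1]` repeats a magic size that the patch now spreads over zdapi.h, zdsorts.h (`Element.buf`) and the memcpy lengths in zd1205.c with nothing tying them together, so a later change to one of them would silently reintroduce the mismatch. A single named constant with the layout spelled out keeps them in step, e.g. `/* IE id + IE length + 32-byte SSID + NUL terminator */` above a suggested `#define ZD_SSID_ELEM_SIZE (2 + 32 + 1)` (name constructed here), and `U8 CurrSsid[ZD_SSID_ELEM_SIZE];`. Which code NUL-terminates CurrSsid at index 34 is not visible in this hunk, so the comment should name the writer that relies on the extra byte.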
diff -u -r zd1211/src/zdsorts.h zd1211-ij/src/zdsorts.h
--- zd1211/src/zdsorts.h        2005-08-17 21:40:01.000000000 +0300
+++ zd1211-ij/src/zdsorts.h     2005-10-26 09:50:50.000000000 +0300
@@ -111,7 +111,7 @@
 
 typedef struct
 {
-        U8     buf[34];        //Max SSID Length = 32
+        U8     buf[34+1];      //Max SSID Length = 32
 }
 Element;
 
diff -u -r zd1211/src/zdsynch.c zd1211-ij/src/zdsynch.c
--- zd1211/src/zdsynch.c        2005-09-22 16:21:45.000000000 +0300
+++ zd1211-ij/src/zdsynch.c     2005-10-26 09:57:10.000000000 +0300
@@ -312,7 +312,7 @@
                 /* Dump WPA IE */
                 if(pCurrBssInfo->WPAIe[1] != 0) {
                         int ii;
-                        u8 SSID[34];
+                        u8 SSID[34+1];
 
                         memcpy(SSID, (u8 *)(&pCurrBssInfo->ssid.buf[2]), 
pCurrBssInfo->ssid.buf[1]);
                         SSID[pCurrBssInfo->ssid.buf[1]] = '\0';
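Review bot: The memcpy into the local `SSID` still uses `pCurrBssInfo->ssid.buf[1]` unchecked as its length, and `SSID[pCurrBssInfo->ssid.buf[1]] = '\0';` as its index, so the extra byte only helps when the length byte is exactly what is expected; an IE length byte can be up to 255, and if it is not validated where ssid is stored (not visible here) a larger value still overruns this stack buffer. Note also that SSID receives only the payload (the copy starts at buf[2]), so 32 + 1 = 33 bytes already fit a maximal SSID in the original 34-byte array — the +1 here is harmless but is not the fix. Bounding the length first is what is needed: `unsigned int len = pCurrBssInfo->ssid.buf[1] > 32 ? 32 : pCurrBssInfo->ssid.buf[1];` and then `len` in place of the raw byte in both the memcpy and the terminator store. The enclosing function starts before the hunk.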
