Attached is a patch that fixes the problem that ESSIDs with length == 1
are rejected by the Atheros stack. Note that this patch may introduce
other failure modes, so it's not ready for inclusion just yet.
It also adds rejection of ESSIDs of length 32 or greater, which cause
a buffer overrun somewhere deeper in the stack.
- Werner
ar6k-essid-one-and-32.patch
This patch allows ESSID with length 1, which were rejected because the
stack assumed iwconfig used a different format in the ioctl's payload.
It also refuses ESSIDs longer than 31 bytes, because there is some
buffer overrun issue buried somewhere else in the stack. In principle,
32 bytes should be fine.
Open issues:
- are we sure we can't get any old-style (NUL included in length) ioctls?
- where's the 32 bytes overrun?
Not-Yet-Signed-off-by: Werner Almesberger <[EMAIL PROTECTED]>
--- kernel/drivers/ar6000/ar6000/wireless_ext.c 2008-08-12 21:28:33.000000000 -0300
+++ korig/drivers/ar6000/ar6000/wireless_ext.c 2008-09-08 20:10:10.000000000 -0300
@@ -264,12 +264,11 @@ ar6000_ioctl_siwessid(struct net_device
}
/*
- * iwconfig passes a null terminated string with length including this
- * so we need to account for this
+ * iwconfig passes a string with length excluding any trailing NUL.
+ * FIXME: we should be able to set an ESSID of 32 bytes, yet things fall
+ * over badly if we do. So we limit the ESSID to 31 bytes.
*/
- if (data->flags && (!data->length || (data->length == 1) ||
- ((data->length - 1) > sizeof(ar->arSsid))))
- {
+ if (data->flags && (!data->length || data->length >= sizeof(ar->arSsid))) {
/*
* ssid is invalid
*/
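Review bot: the new test `data->length >= sizeof(ar->arSsid)` no longer rejects length 1, so an old-style caller that still counts the trailing NUL (the convention the removed comment describes, and the first open issue in the commit message) would have a lone NUL byte accepted as a one-character ESSID. Consider checking whether the last byte of the payload is NUL and dropping it from the length before this test, so both conventions are handled instead of assuming the new one. Separately, the 31-byte limit in the FIXME comment is only implied by sizeof(ar->arSsid), whose value is not visible in this hunk; stating the array size in the comment or comparing against a named constant would keep the comment and the check from drifting apart once the 32-byte overrun is found.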