[stable] Patch "nl80211: fix check for valid SSID size in scan operations" has been added to the 2.6.33-longterm tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    nl80211: fix check for valid SSID size in scan operations

to the 2.6.33-longterm tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/longterm/longterm-queue-2.6.33.git;a=summary

The filename of the patch is:
     nl80211-fix-check-for-valid-ssid-size-in-scan-operations.patch
and it can be found in the queue-2.6.33 subdirectory.

If you, or anyone else, feels it should not be added to the 2.6.33 longterm 
tree,
please let <sta...@kernel.org> know about it.


>From 208c72f4fe44fe09577e7975ba0e7fa0278f3d03 Mon Sep 17 00:00:00 2001
From: Luciano Coelho <coe...@ti.com>
Date: Thu, 19 May 2011 00:43:38 +0300
Subject: nl80211: fix check for valid SSID size in scan operations

From: Luciano Coelho <coe...@ti.com>

commit 208c72f4fe44fe09577e7975ba0e7fa0278f3d03 upstream.

In both trigger_scan and sched_scan operations, we were checking for
the SSID length before assigning the value correctly.  Since the
memory was just kzalloc'ed, the check was always failing and SSID with
over 32 characters were allowed to go through.

This was causing a buffer overflow when copying the actual SSID to the
proper place.

This bug has been there since 2.6.29-rc4.

Signed-off-by: Luciano Coelho <coe...@ti.com>
Signed-off-by: John W. Linville <linvi...@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>


---
 net/wireless/nl80211.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -3078,12 +3078,12 @@ static int nl80211_trigger_scan(struct s
        i = 0;
        if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
                nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], 
tmp) {
+                       request->ssids[i].ssid_len = nla_len(attr);
                        if (request->ssids[i].ssid_len > 
IEEE80211_MAX_SSID_LEN) {
                                err = -EINVAL;
                                goto out_free;
                        }
                        memcpy(request->ssids[i].ssid, nla_data(attr), 
nla_len(attr));
-                       request->ssids[i].ssid_len = nla_len(attr);
                        i++;
                }
        }


Patches currently in longterm-queue-2.6.33 which might be from coe...@ti.com are

/home/gregkh/linux/longterm/longterm-queue-2.6.33/queue-2.6.33/nl80211-fix-check-for-valid-ssid-size-in-scan-operations.patch

_______________________________________________
stable mailing list
stable@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/stable