From patchwork Thu Dec 11 13:47:45 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andrew McDonnell
X-Patchwork-Id: 420128
From: Andrew McDonnell
To: openwrt-devel@lists.openwrt.org
Date: Fri, 12 Dec 2014 00:17:45 +1030
Message-Id: <1418305665-1537-1-git-send-email-bugs@andrewmcdonnell.net>
X-Mailer: git-send-email 1.9.1
Cc: Andrew McDonnell
Subject: [OpenWrt-Devel] [PATCH] iwinfo: Fix incorrect buffer allocation in nl80211_get_ifcomb_cb()
List-Id: OpenWrt Development List
Errors-To:
openwrt-devel-bounces@lists.openwrt.org Sender: "openwrt-devel" This fixes a buffer overwrite, I found it when building with SSP enabled --- iwinfo_nl80211.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/iwinfo_nl80211.c b/iwinfo_nl80211.c index 2731b2b..be58c56 100644 --- a/iwinfo_nl80211.c +++ b/iwinfo_nl80211.c @@ -2446,15 +2446,15 @@ static int nl80211_get_ifcomb_cb(struct nl_msg *msg, void *arg) [NL80211_IFACE_COMB_LIMITS] = { .type = NLA_NESTED }, [NL80211_IFACE_COMB_MAXNUM] = { .type = NLA_U32 }, }; - struct nlattr *tb_comb[NUM_NL80211_IFACE_COMB]; + struct nlattr *tb_comb[NUM_NL80211_IFACE_COMB+1]; static struct nla_policy iface_limit_policy[NUM_NL80211_IFACE_LIMIT] = { [NL80211_IFACE_LIMIT_TYPES] = { .type = NLA_NESTED }, [NL80211_IFACE_LIMIT_MAX] = { .type = NLA_U32 }, }; - struct nlattr *tb_limit[NUM_NL80211_IFACE_LIMIT]; + struct nlattr *tb_limit[NUM_NL80211_IFACE_LIMIT+1]; struct nlattr *limit; - nla_parse_nested(tb_comb, NL80211_BAND_ATTR_MAX, comb, iface_combination_policy); + nla_parse_nested(tb_comb, NUM_NL80211_IFACE_COMB, comb, iface_combination_policy); if (!tb_comb[NL80211_IFACE_COMB_LIMITS]) continue;
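
Review bot: In the nla_parse_nested() call, passing NUM_NL80211_IFACE_COMB as maxtype is consistent with the enlarged tb_comb[NUM_NL80211_IFACE_COMB+1], but it makes the parser accept and look up policy for an attribute type equal to NUM_NL80211_IFACE_COMB, while the policy tables are not resized here (iface_limit_policy[NUM_NL80211_IFACE_LIMIT] is visible in the hunk; please check that iface_combination_policy is not declared the same way, since that lookup would then read one entry past its end). Because maxtype is the highest attribute type and the parser fills maxtype+1 slots, the tighter fix is to leave both tb arrays at their original size and pass the highest valid attribute (NUM_NL80211_IFACE_COMB - 1) as maxtype, which keeps table, policy and bound in agreement. The tb_limit[NUM_NL80211_IFACE_LIMIT+1] change cannot be verified from these lines because the call that parses into tb_limit is not in the hunk; please confirm its maxtype matches the new size rather than relying on the extra slot. The commit message should also name the actual defect (the old call bounded a table sized by NUM_NL80211_IFACE_COMB with NL80211_BAND_ATTR_MAX, an unrelated enum) and it carries no Signed-off-by line.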