Date: Mon, 29 Nov 2004 12:53:22 +0100 (CET)
From: "Daan Vreeken [PA4DAN]" <Danovitsch@Vitsch.net>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/74509: [PATCH] ifconfig allows setting 33-byte SSID
Message-ID: <200411291153.iATBrMmk091706@Vitsch.net>
Resent-Message-ID: <200411291200.iATC0poH024369@freefall.freebsd.org>

>Number: 74509
>Category: bin
>Synopsis: [PATCH] ifconfig allows setting 33-byte SSID
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Nov 29 12:00:51 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Daan Vreeken [PA4DAN]
>Release: FreeBSD 5.3-RELEASE i386
>Organization:
>Environment:
System: FreeBSD Racebeest.Danovitsch.LAN 5.3-RELEASE FreeBSD 5.3-RELEASE #4: Fri Nov 26 18:18:21 CET 2004 root@Racebeest.Danovitsch.LAN:/usr/src.5.3-release/sys/i386/compile/Laptop i386

>Description:
Ifconfig allows setting an SSID of 33-bytes. set80211ssid() calls get_string() to read & verify the SSID argument. get_string() checks the length of the given SSID argument, but fails because set80211ssid() passes a 33-byte buffer to it instead of a 32-byte buffer.

>How-To-Repeat:
Try the following commands to any interface:

# ifconfig atuwi0 ssid 12345678901234567890123456789012
(Setting a 32-byte SSID. No errors, correct)

# ifconfig atuwi0 ssid 123456789012345678901234567890123
ifconfig: SIOCS80211: Invalid argument
(Setting a 33-byte SSID. The interface driver returns an error. ifconfig should have complained here about the length)

# ifconfig atuwi0 ssid 1234567890123456789012345678901234
ifconfig: string too long
ifconfig: SIOCS80211: Invalid argument
(Setting a 34-byte SSID. Ifconfig complains about the SSID being too long, but continues to set the first 33-bytes of the SSID. The driver complains again. I think ifconfig should have bailed out when it detected the SSID was too long, instead of setting the first part.)

>Fix:
Apply the given patch to -current. This patch changes the ssid buffer size to 32 bytes so get_string() will detect string > 32 bytes correctly. The second part of the patch makes set80211ssid() return if the SSID was too long, instead of setting the first 32 bytes.
There are a couple of other bugs still in the ifconfig code. I would like to know who I can contact to discuss them. --- ifconfig_ifieee80211_ssid_len.diff begins here --- --- ifieee80211.c.org Mon Nov 29 10:05:09 2004 +++ ifieee80211.c Mon Nov 29 11:29:56 2004 @@ -100,7 +100,7 @@ { int ssid; int len; - u_int8_t data[33]; + u_int8_t data[32]; ssid = 0; len = strlen(val); @@ -111,8 +111,9 @@ bzero(data, sizeof(data)); len = sizeof(data); - get_string(val, NULL, data, &len); - + if (get_string(val, NULL, data, &len) == NULL) + return; + set80211(s, IEEE80211_IOC_SSID, ssid, len, data); } --- ifconfig_ifieee80211_ssid_len.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
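Review bot: in the first hunk, `u_int8_t data[32];` makes the bare literal 32 the only thing that enforces the SSID limit, because the limit handed to get_string() is `len = sizeof(data)`. Use a named constant for the maximum SSID length, or at least put a comment on the declaration saying that the array size is the length limit and deliberately leaves no room for a terminating NUL, so the 33 does not come back in a later cleanup.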
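Review bot: in the second hunk, the new `return;` after `get_string(val, NULL, data, &len) == NULL` keeps the oversized SSID away from set80211(), but set80211ssid() still gives its caller no indication that it failed, so the only trace is the warning get_string() prints. Consider whether this path should end with an error exit so that a rejected SSID is visible to scripts. The hunk also removes the blank line after the call and adds one back before set80211(), which looks like a whitespace-only change that could be dropped from the patch.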
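The length check described in the report, modelled as an added C example (not code from the report or from ifconfig). copy_bounded() and send_ssid() are hypothetical stand-ins for get_string() and set80211(), and they reproduce only the behaviour the report describes.

```c
#include <stdio.h>
#include <string.h>

#define SSID_MAX 32            /* longest SSID the report treats as valid */
static int sent_len;           /* length handed to the driver, -1 if none */

/* Hypothetical stand-in for get_string(): fills buf from val; when val does
 * not fit in *lenp bytes it returns NULL and leaves *lenp unchanged. */
static const char *copy_bounded(const char *val, unsigned char *buf, int *lenp)
{
    size_t n = strlen(val);
    if (n > (size_t)*lenp) {
        memcpy(buf, val, (size_t)*lenp);   /* buffer already holds a prefix */
        return NULL;
    }
    memcpy(buf, val, n);
    *lenp = (int)n;
    return val + n;
}

/* Hypothetical stand-in for set80211(): only records the length it is given. */
static void send_ssid(const unsigned char *data, int len) { (void)data; sent_len = len; }

/* Caller as reported: 33-byte buffer, return value ignored. */
int set_ssid_reported(const char *val)
{
    unsigned char data[SSID_MAX + 1];
    int len = (int)sizeof(data);
    sent_len = -1;
    copy_bounded(val, data, &len);
    send_ssid(data, len);                  /* runs even after a NULL return */
    return sent_len;
}

/* Caller with both changes from the fix: 32-byte buffer, stop on NULL. */
int set_ssid_checked(const char *val)
{
    unsigned char data[SSID_MAX];
    int len = (int)sizeof(data);
    sent_len = -1;
    if (copy_bounded(val, data, &len) != NULL)
        send_ssid(data, len);
    return sent_len;
}

int main(void)
{
    const char *s34 = "1234567890123456789012345678901234";  /* constructed, 34 bytes */
    printf("reported: %d, checked: %d\n", set_ssid_reported(s34), set_ssid_checked(s34));
    return 0;
}
```

A return value of -1 means nothing was passed on to the driver stand-in.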