Ticket #1024 (closed defect: fixed)

Opened 5 years ago

Last modified 5 years ago

[patch] wrong parameter passing in IEEE80211_IOCTL_GET_APPIEBUF (r1822)

Reported by: zdarsky@informatik.uni-kl.de Assigned to:
Priority: major Milestone: version 0.9.3
Component: madwifi: 802.11 stack Version: trunk
Keywords: Cc:
Patch is attached: 1 Pending:

Description

There seems to be a bug in the way ieee80211_ioctl_getappiebuf() (added in r1756) handles parameters: The function expects the frame type and the buffer length to be passed via the "char* extra" parameter. However, since this specific IOCTL has a GET-only semantic, "extra" points to an uninitialized memory region in kernel-space allocated by the wireless extensions instead.

I've attached a small patch against trunk r1822 as a work-around for this problem. It takes the needed parameters from "struct iw_point*" and also ensures a correct return value for the buffer length, so that the wireless extensions do not copy uninitialized kernel memory back into user space.

I would appreciate it if someone more knowledgeable could double-check this patch. Furthermore, the following issues seem to require further follow-up/discussion:

  • IEEE80211_IOCTL_[SG]ET_APPIEBUF allow passing a total of IEEE_APPIE_MAX (=1024 bytes). As the ieee80211req_getset_appiebuf struct requires 8 bytes already, the remaining IE buffer length must be limited to 1016 bytes.
  • This new IOCTL interface seems to make IEEE_IOCTL_[SG]ETOPTIE redundant. Any plans to remove these and save some scarce private ioctls?
  • Other IOCTLs such as ieee80211_ioctl_getparam (and potentially other functions) seem to read from "*extra" as well. I haven't looked further into this, though.

Signed-off-by: Frank Zdarsky <zdarsky@informatik.uni-kl.de>
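As an added illustration of the fix the report asks for (this is not the attached patch or madwifi's own code, and the struct and field names are assumed): a user-space model of a GET-only handler that takes the frame type and buffer length from the request behind the iw_point rather than from the uninitialised "extra" area, caps the IE length at 1016 bytes, and returns exactly the number of initialised bytes so that nothing else is copied back to user space.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the request the ticket describes: an 8-byte header
 * (frame type + IE length) then IE bytes. Names are assumed, not madwifi's. */
#define APPIE_MAX     1024                        /* total bytes the ioctl may carry */
#define APPIE_HDR_LEN 8
#define APPIE_IE_MAX  (APPIE_MAX - APPIE_HDR_LEN)  /* 1016 usable IE bytes */
#define NUM_FRMTYPES  3

struct appiebuf_req   { uint32_t frmtype; uint32_t buflen; uint8_t buf[]; };
struct iw_point_model { void *pointer; uint16_t length; uint16_t flags; };
struct appie_store    { const uint8_t *ie[NUM_FRMTYPES]; uint32_t ie_len[NUM_FRMTYPES]; };

/* GET handler: parameters come from the buffer behind iw_point, never from the
 * uninitialised "extra" scratch area, and data->length is set to exactly the
 * bytes filled so nothing else is copied back (a kernel would copy_*_user). */
int getappiebuf_model(const struct appie_store *st, struct iw_point_model *data)
{
    struct appiebuf_req *req = data->pointer;
    if (req == NULL || data->length < APPIE_HDR_LEN)
        return -EINVAL;                    /* header not fully present */
    if (req->frmtype >= NUM_FRMTYPES)
        return -EINVAL;                    /* unknown frame type */
    if (req->buflen > APPIE_IE_MAX || data->length < APPIE_HDR_LEN + req->buflen)
        return -EINVAL;                    /* claimed IE space exceeds the buffer */
    uint32_t n = st->ie_len[req->frmtype];
    if (n > req->buflen)
        return -ENOSPC;                    /* caller's IE space is too small */
    if (n) memcpy(req->buf, st->ie[req->frmtype], n);
    req->buflen = n;                       /* valid IE bytes, for the caller */
    data->length = (uint16_t)(APPIE_HDR_LEN + n); /* only initialised bytes go back */
    return 0;
}

/* Drives one request against a constructed store: negative errno or bytes returned. */
int getappiebuf_demo(uint32_t frmtype, uint32_t buflen, uint16_t user_len)
{
    static const uint8_t vendor_ie[] = { 0xdd, 0x04, 0x00, 0x50, 0xf2, 0x04 }; /* constructed */
    struct appie_store st = { { vendor_ie, NULL, NULL }, { sizeof vendor_ie, 0, 0 } };
    uint32_t user_words[APPIE_MAX / 4];    /* word-aligned stand-in for the user buffer */
    memset(user_words, 0xa5, sizeof user_words);
    struct appiebuf_req *req = (struct appiebuf_req *)user_words;
    req->frmtype = frmtype; req->buflen = buflen;
    struct iw_point_model data = { user_words, user_len, 0 };
    int rc = getappiebuf_model(&st, &data);
    return rc < 0 ? rc : (int)data.length;
}
```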

Attachments

getappiebuf.patch (1.4 kB) - added by zdarsky@informatik.uni-kl.de on 11/27/06 20:40:19.
getappiebuf.2.patch (2.2 kB) - added by zdarsky@informatik.uni-kl.de on 12/15/06 10:58:02.
updated patch with more error checks (replaces previous one)

Change History

11/27/06 20:40:19 changed by zdarsky@informatik.uni-kl.de

  • attachment getappiebuf.patch added.

11/28/06 07:08:20 changed by mrenzmann

  • milestone set to version 0.9.3.

12/08/06 18:13:15 changed by mrenzmann

Objections against committing this patch, anyone? Speak up now.

12/15/06 10:58:02 changed by zdarsky@informatik.uni-kl.de

  • attachment getappiebuf.2.patch added.

updated patch with more error checks (replaces previous one)

12/15/06 11:08:16 changed by anonymous

I've increased the maximum size of the parameter for IEEE80211_IOCTL_GET_APPIEBUF, since Intel's WSC Linux* Reference Implementation (the reason for the original patch) expects maximum IE lengths of 1024 and we need an additional 8 bytes for control info (see above). Also added some more error checking. New patch is against r1860.

Signed-off-by: Frank Zdarsky <zdarsky@informatik.uni-kl.de>

02/06/07 14:19:59 changed by kelmo

  • status changed from new to closed.
  • resolution set to fixed.

Applied to r2077.
