Please note: This project is no longer active. The website is kept online for historic purposes only.
If you're looking for a Linux driver for your Atheros WLAN device, you should continue here.

Ticket #1092 (assigned defect)

Opened 13 years ago

Last modified 13 years ago

Stack corruption in XR mode

Reported by: rajendra
Assigned to: scottr (accepted)
Priority: minor
Milestone: version 0.9.x - progressive release candidate phase
Component: madwifi: driver
Version: trunk
Keywords: xr
Cc:
Patch is attached: 0
Pending:

Description (Last modified by mrenzmann)

Hi All,

I was getting crashes when I was enabling XR (iwpriv ath0 xr 1) (AP mode). I traced it to a stack corruption in ath_grppoll_start. The following code writes to the "rates" array beyond the allocated space.

        int rates[XR_NUM_RATES];        /* declared earlier in ath_grppoll_start; XR_NUM_RATES is 5, so valid indices are 0..4 */

        while (sscanf(&(sc->sc_grppoll_str[pos]), "%s %s", ratestr, numpollstr) == 2) {
                int rtx = 0;
                /* rtx ends up as the raw position in ratestrmap, which has more entries than XR_NUM_RATES */
                while (ratestrmap[rtx].ratekbps != 0) {
                        if (strcmp(ratestrmap[rtx].str, ratestr) == 0)
                                break;
                        rtx++;
                }
                /* rtx (0..7) is used directly as the index: this write can land past the end of rates[] */
                sscanf(numpollstr, "%d", &(rates[rtx]));
                pos += strlen(ratestr) + strlen(numpollstr) + 2;
        }

rtx varies from 0 to 7 while "rates" is declared as int rates[XR_NUM_RATES]; (XR_NUM_RATES=5).

The crash goes away after making the following change.

  while (sscanf(&(sc->sc_grppoll_str[pos]), "%s %s", ratestr, numpollstr) == 2) {
        int i = 0, duplicate = 0;
        /* Walk the map; an entry that shares its ratekbps with the previous one
         * (an alternate spelling of the same rate) must not get its own slot. */
        while (ratestrmap[i].ratekbps != 0) {
            if (strcmp(ratestrmap[i].str, ratestr) == 0)
                break;
            ++i;
            if (ratestrmap[i].ratekbps == ratestrmap[i-1].ratekbps)
                duplicate++;
        }
        pos += strlen(ratestr) + strlen(numpollstr) + 2;
        /* Unknown rate string: i stopped on the end marker and i-duplicate can
         * still exceed XR_NUM_RATES-1, so skip rather than write past rates[]. */
        if (ratestrmap[i].ratekbps == 0 || i - duplicate >= XR_NUM_RATES)
            continue;
        sscanf(numpollstr, "%d", &(rates[i-duplicate]));
    }
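As an added example (not code from this ticket or from the madwifi tree), the standalone C program below models the index mismatch the ticket describes. ratestrmap is a constructed table in which several spellings map to one ratekbps, which is why its raw positions run past XR_NUM_RATES; raw_map_index() reproduces the original lookup, rate_slot() applies the duplicate-counting correction and reports unknown strings, and parse_grppoll() refuses any write outside rates[]. The table contents, the function names, the use of %n for the scan offset and the sample poll string are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define XR_NUM_RATES 5

/* Constructed rate-string table for this example (assumption, not the
 * driver's table): alternate spellings share one ratekbps, so the table
 * has 7 real entries plus a terminator while rates[] has only 5 slots. */
struct ratestrmap_entry { const char *str; int ratekbps; };
static const struct ratestrmap_entry ratestrmap[] = {
    { "0.25", 250 }, { ".25", 250 },
    { "0.5",  500 }, { ".5",  500 },
    { "1",   1000 }, { "3",  3000 }, { "6", 6000 },
    { NULL, 0 }
};

/* The original lookup: returns the raw table position, 0..7 here, where
 * 7 is the terminator (string not found). Anything >= XR_NUM_RATES is
 * an out-of-bounds index if used directly on rates[]. */
int raw_map_index(const char *ratestr)
{
    int rtx = 0;
    while (ratestrmap[rtx].ratekbps != 0) {
        if (strcmp(ratestrmap[rtx].str, ratestr) == 0)
            break;
        rtx++;
    }
    return rtx;
}

/* The corrected lookup: table position minus the number of entries
 * passed that duplicate the previous entry's ratekbps, so each distinct
 * rate gets exactly one slot. Returns -1 for an unknown rate string.
 * Relies on duplicate spellings being adjacent in the table. */
int rate_slot(const char *ratestr)
{
    int i = 0, duplicate = 0;
    while (ratestrmap[i].ratekbps != 0) {
        if (strcmp(ratestrmap[i].str, ratestr) == 0)
            break;
        ++i;
        if (ratestrmap[i].ratekbps == ratestrmap[i - 1].ratekbps)
            duplicate++;
    }
    if (ratestrmap[i].ratekbps == 0)
        return -1;
    return i - duplicate;
}

/* Parse "rate count rate count ..." into rates[XR_NUM_RATES].
 * Returns the number of pairs stored, or -1 if a pair is malformed or
 * would index outside rates[]. Uses %n for the consumed length instead
 * of the strlen()+2 arithmetic, so it never scans past the terminator. */
int parse_grppoll(const char *s, int rates[XR_NUM_RATES])
{
    char ratestr[32], numpollstr[32];
    size_t pos = 0;
    int consumed, stored = 0;

    memset(rates, 0, XR_NUM_RATES * sizeof(int));
    while (sscanf(&s[pos], "%31s %31s%n", ratestr, numpollstr, &consumed) == 2) {
        int slot = rate_slot(ratestr);
        pos += (size_t)consumed;
        if (slot < 0 || slot >= XR_NUM_RATES)
            return -1;
        if (sscanf(numpollstr, "%d", &rates[slot]) != 1)
            return -1;
        stored++;
    }
    return stored;
}

int main(void)
{
    /* Constructed sample string in the "rate count" format the ticket shows. */
    const char *sample = "0.25 1 .5 2 6 3";
    int rates[XR_NUM_RATES], i;

    for (i = 0; ratestrmap[i].ratekbps != 0; i++)
        printf("%-5s raw index %d  slot %d%s\n", ratestrmap[i].str,
               raw_map_index(ratestrmap[i].str), rate_slot(ratestrmap[i].str),
               raw_map_index(ratestrmap[i].str) >= XR_NUM_RATES ? "  (raw index overflows rates[])" : "");

    printf("stored %d pairs from \"%s\"\n", parse_grppoll(sample, rates), sample);
    for (i = 0; i < XR_NUM_RATES; i++)
        printf("rates[%d] = %d\n", i, rates[i]);
    printf("unknown rate string rejected: %d\n", parse_grppoll("0.25 1 9 2", rates));
    return 0;
}
```

The point to take from the output is that "3" and "6" sit at raw positions 5 and 6, both past the end of a five-element array, which is the write the ticket reports; the slot computation folds the duplicate spellings so the highest slot is 4, and the explicit range check is what turns a bad table or an unrecognized string into a parse error rather than a stack write.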

Attachments

xr.diff (0.7 kB) - added by rozteck@interia.pl on 01/16/07 09:43:08.
I have turned this into a patch, to make it available for people like me. Let the author sign it off if he wants, or upload the patch again.

Change History

01/16/07 02:57:44 changed by scottr

  • priority changed from major to minor.
  • milestone set to version 0.9.x - progressive release candidate phase.

Thanks for the feedback. If you could turn this into a patch (just use svn diff > xr.patch), attach it to the ticket and sign off (wiki:DevDocs/SigningPatches), we'll get it committed into trunk.

Thanks!

01/16/07 06:20:30 changed by mrenzmann

  • description changed.

01/16/07 09:43:08 changed by rozteck@interia.pl

  • attachment xr.diff added.

I have turned this into a patch, to make it available for people like me. Let the author sign it off if he wants, or upload the patch again.

01/16/07 09:54:23 changed by rozteck@interia.pl

After a short test I can tell that this patch seems to solve the crashes I got when setting xr.

01/17/07 00:40:25 changed by scottr

  • status changed from new to assigned.
  • owner set to scottr.

Thanks. We'll commit as soon as it's signed off. Cheers.