DF-0291 / fix.diff
diff --git a/sys/netproto/802_11/wlan/ieee80211_ioctl.c b/sys/netproto/802_11/wlan/ieee80211_ioctl.c
--- a/sys/netproto/802_11/wlan/ieee80211_ioctl.c
+++ b/sys/netproto/802_11/wlan/ieee80211_ioctl.c
@@ -807,6 +807,11 @@
 case IEEE80211_S_INIT:
 case IEEE80211_S_SCAN:
 ireq->i_len = vap->iv_des_ssid[0].len;
+ /* defense-in-depth: clamp to stack buffer size (root cause
+ * is the missing clamp in setmlme_assoc_adhoc above, but
+ * never trust a stored length with a fixed stack sink) */
+ if (ireq->i_len > IEEE80211_NWID_LEN)
+ ireq->i_len = IEEE80211_NWID_LEN;
 memcpy(tmpssid, vap->iv_des_ssid[0].ssid, ireq->i_len);
 break;
 default:
@@ -1577,7 +1582,7 @@
 ("expected opmode IBSS or AHDEMO not %s",
 ieee80211_opmode_name[vap->iv_opmode]));
- if (ssid_len == 0)
+ if (ssid_len == 0 || ssid_len > IEEE80211_NWID_LEN)
 return EINVAL;
 #if defined(__DragonFly__) |
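Review bot: The new comment in the first hunk says the root cause is in `setmlme_assoc_adhoc above`, but the second hunk patches that function at line 1582, well after this switch at line 807, so "above" sends the reader the wrong way; I would write `/* defense-in-depth: clamp to the tmpssid stack buffer; the store-side check lives in setmlme_assoc_adhoc (below) */`. A silent clamp also hides a corrupted iv_des_ssid[0].len instead of surfacing it, and since the source ssid array is presumably also IEEE80211_NWID_LEN bytes an over-long stored length would over-read it as well, so a debug-build assertion next to the clamp (the file appears to use KASSERT, judging by the second hunk) such as `KASSERT(vap->iv_des_ssid[0].len <= IEEE80211_NWID_LEN, ("des_ssid len %d", vap->iv_des_ssid[0].len));` would catch a regression on the store side. The enclosing switch and its function start and end outside the hunk.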
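Review bot: In the second hunk, if `ssid_len` is a signed int, which its declaration outside the hunk would decide and I cannot confirm here, a negative value passes both halves of the new condition and presumably reaches the later copy as a very large size_t; `if (ssid_len <= 0 || ssid_len > IEEE80211_NWID_LEN)` closes that without changing behavior for any valid length. Whether a negative value is reachable depends on the caller's type for the length, which is also outside the hunk, so the wider test costs nothing either way. setmlme_assoc_adhoc's signature and body continue outside the hunk.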