DragonFlyBSD Kernel Audit
DF-0291 / fix.diff
diff --git a/sys/netproto/802_11/wlan/ieee80211_ioctl.c b/sys/netproto/802_11/wlan/ieee80211_ioctl.c
--- a/sys/netproto/802_11/wlan/ieee80211_ioctl.c
+++ b/sys/netproto/802_11/wlan/ieee80211_ioctl.c
@@ -807,6 +807,11 @@
 		case IEEE80211_S_INIT:
 		case IEEE80211_S_SCAN:
 			ireq->i_len = vap->iv_des_ssid[0].len;
+			/* defense-in-depth: clamp to stack buffer size (root cause
+			 * is the missing clamp in setmlme_assoc_adhoc above, but
+			 * never trust a stored length with a fixed stack sink) */
+			if (ireq->i_len > IEEE80211_NWID_LEN)
+				ireq->i_len = IEEE80211_NWID_LEN;
 			memcpy(tmpssid, vap->iv_des_ssid[0].ssid, ireq->i_len);
 			break;
 		default:
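Review bot: The new clamp on lines 14-15 bounds the copy with the constant IEEE80211_NWID_LEN rather than the size of the sink itself, so it only protects memcpy on line 16 if tmpssid happens to be declared with exactly that size; tmpssid's declaration is outside the hunk and cannot be checked here. If tmpssid is a local array, tying the bound to the buffer prevents the two from drifting apart: `if (ireq->i_len > sizeof(tmpssid)) ireq->i_len = sizeof(tmpssid);`. Note also that the clamp silently truncates rather than rejecting an oversized stored length, so a caller receives a shortened SSID with no error; that is acceptable for defense-in-depth but worth stating in the comment. The comment on lines 11-13 says the root-cause clamp is "above", yet the second hunk of this patch sits around line 1577, well below this one at 807, so "in the adhoc assoc path" or a function name would be more accurate. The enclosing switch and function both start and end outside the hunk.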
@@ -1577,7 +1582,7 @@
 	    ("expected opmode IBSS or AHDEMO not %s",
 	    ieee80211_opmode_name[vap->iv_opmode]));
 
-	if (ssid_len == 0)
+	if (ssid_len == 0 || ssid_len > IEEE80211_NWID_LEN)
 		return EINVAL;
 
 #if defined(__DragonFly__)
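Review bot: The added upper bound on line 24 is correct for the overflow, but whether it is complete depends on the type of ssid_len, which is declared outside the hunk: if it is a signed int, a negative value passes both halves of the test and later flows into whatever copy uses it as a length. If the parameter is signed, `if (ssid_len <= 0 || ssid_len > IEEE80211_NWID_LEN) return EINVAL;` closes that gap at no cost; if it is an unsigned type (e.g. carried over from a uint8_t field) the check as written is sufficient. A short comment next to the check naming the bound, e.g. `/* SSID is copied into a fixed IEEE80211_NWID_LEN-byte buffer below */`, would document why the limit is what it is. The function begins before and continues after this hunk.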