DragonFlyBSD Kernel Audit
DF-0326 / fix.diff
diff --git a/sys/netproto/802_11/wlan/ieee80211_node.c b/sys/netproto/802_11/wlan/ieee80211_node.c
--- a/sys/netproto/802_11/wlan/ieee80211_node.c
+++ b/sys/netproto/802_11/wlan/ieee80211_node.c
@@ -812,7 +812,8 @@
 	 * XXX may not need all this stuff
 	 */
 	IEEE80211_ADDR_COPY(ni->ni_bssid, se->se_bssid);
-	ni->ni_esslen = se->se_ssid[1];
+	/* DF-0326: clamp attacker-controlled SSID length to the buffer. */
+	ni->ni_esslen = MIN(se->se_ssid[1], IEEE80211_NWID_LEN);
 	memcpy(ni->ni_essid, se->se_ssid+2, ni->ni_esslen);
 	ni->ni_tstamp.tsf = se->se_tstamp.tsf;
 	ni->ni_intval = se->se_intval;
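Review bot: The new comment on the clamped assignment records the audit ticket but not the invariant the clamp enforces, and the second hunk of this file (the `ni->ni_esslen = MIN(sp->ssid[1], IEEE80211_NWID_LEN);` line) has no comment at all; a maintainer who later sees `MIN` applied to a length byte needs to know why. Suggest wording both as `/* The SSID IE length byte comes from the frame; bound it by the ni_essid buffer (IEEE80211_NWID_LEN). */`. Note also that clamping silently truncates an SSID IE whose length exceeds IEEE80211_NWID_LEN rather than treating the element as malformed; whether the frame parser already rejects such an element is not visible in this diff, so if it does not, the node ends up with an ESSID that differs from what the AP advertises, which is worth a sentence in the comment. The function enclosing this hunk starts and ends outside it.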
@@ -1518,8 +1519,8 @@
 {
 	int do_ht_setup = 0;
 
-	ni->ni_esslen = sp->ssid[1];
-	memcpy(ni->ni_essid, sp->ssid + 2, sp->ssid[1]);
+	ni->ni_esslen = MIN(sp->ssid[1], IEEE80211_NWID_LEN);
+	memcpy(ni->ni_essid, sp->ssid + 2, ni->ni_esslen);
 	IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3);
 	memcpy(ni->ni_tstamp.data, sp->tstamp, sizeof(ni->ni_tstamp));
 	ni->ni_intval = sp->bintval;
diff --git a/sys/netproto/802_11/wlan/ieee80211_scan_sta.c b/sys/netproto/802_11/wlan/ieee80211_scan_sta.c
--- a/sys/netproto/802_11/wlan/ieee80211_scan_sta.c
+++ b/sys/netproto/802_11/wlan/ieee80211_scan_sta.c
@@ -281,7 +281,8 @@
 	/* XXX ap beaconing multiple ssid w/ same bssid */
 	if (sp->ssid[1] != 0 &&
 	    (ISPROBE(subtype) || ise->se_ssid[1] == 0))
-		memcpy(ise->se_ssid, sp->ssid, 2+sp->ssid[1]);
+		memcpy(ise->se_ssid, sp->ssid,
+		    2 + MIN(sp->ssid[1], IEEE80211_NWID_LEN));
 	KASSERT(sp->rates[1] <= IEEE80211_RATE_MAXSIZE,
 		("rate set too large: %u", sp->rates[1]));
 	memcpy(ise->se_rates, sp->rates, 2+sp->rates[1]);
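Review bot: Only the copy length is bounded here; the first two bytes of `sp->ssid` are copied verbatim, so `ise->se_ssid[1]` still carries the unclamped length from the frame while the bytes that follow it are truncated, and every reader of `se_ssid[1]` must repeat the MIN (the first hunk of ieee80211_node.c does, but other consumers of the scan entry are not in this diff). Normalizing the stored IE at the single point where it enters the scan table removes that dependency: after the memcpy add `ise->se_ssid[1] = MIN(sp->ssid[1], IEEE80211_NWID_LEN);`. For contrast, the rate set on the following lines is guarded by a KASSERT, which is compiled out in non-debug kernels, so the clamp is the right choice for the SSID, but the stored length and the stored bytes should agree. The enclosing function starts and ends outside this hunk.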