DF-0326 / fix.diff
diff --git a/sys/netproto/802_11/wlan/ieee80211_node.c b/sys/netproto/802_11/wlan/ieee80211_node.c
--- a/sys/netproto/802_11/wlan/ieee80211_node.c
+++ b/sys/netproto/802_11/wlan/ieee80211_node.c
@@ -812,7 +812,8 @@
 	 * XXX may not need all this stuff
 	 */
 	IEEE80211_ADDR_COPY(ni->ni_bssid, se->se_bssid);
-	ni->ni_esslen = se->se_ssid[1];
+	/* DF-0326: clamp attacker-controlled SSID length to the buffer. */
+	ni->ni_esslen = MIN(se->se_ssid[1], IEEE80211_NWID_LEN);
 	memcpy(ni->ni_essid, se->se_ssid+2, ni->ni_esslen);
 	ni->ni_tstamp.tsf = se->se_tstamp.tsf;
 	ni->ni_intval = se->se_intval;
@@ -1518,8 +1519,8 @@
 {
 	int do_ht_setup = 0;
 
-	ni->ni_esslen = sp->ssid[1];
-	memcpy(ni->ni_essid, sp->ssid + 2, sp->ssid[1]);
+	ni->ni_esslen = MIN(sp->ssid[1], IEEE80211_NWID_LEN);
+	memcpy(ni->ni_essid, sp->ssid + 2, ni->ni_esslen);
 	IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3);
 	memcpy(ni->ni_tstamp.data, sp->tstamp, sizeof(ni->ni_tstamp));
 	ni->ni_intval = sp->bintval;
diff --git a/sys/netproto/802_11/wlan/ieee80211_scan_sta.c b/sys/netproto/802_11/wlan/ieee80211_scan_sta.c
--- a/sys/netproto/802_11/wlan/ieee80211_scan_sta.c
+++ b/sys/netproto/802_11/wlan/ieee80211_scan_sta.c
@@ -281,7 +281,8 @@
 	/* XXX ap beaconing multiple ssid w/ same bssid */
 	if (sp->ssid[1] != 0 &&
 	    (ISPROBE(subtype) || ise->se_ssid[1] == 0))
-		memcpy(ise->se_ssid, sp->ssid, 2+sp->ssid[1]);
+		memcpy(ise->se_ssid, sp->ssid,
+		    2 + MIN(sp->ssid[1], IEEE80211_NWID_LEN));
 	KASSERT(sp->rates[1] <= IEEE80211_RATE_MAXSIZE,
 	    ("rate set too large: %u", sp->rates[1]));
 	memcpy(ise->se_rates, sp->rates, 2+sp->rates[1]);
|
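Review bot: The MIN() on the new ni_esslen line truncates silently, so a scan entry whose se_ssid[1] exceeds IEEE80211_NWID_LEN now produces a node whose ni_essid is a prefix of what the AP advertised rather than being rejected, and nothing in the hunk records whether that is the intended outcome or only a last-line guard. The new comment should say which it is, e.g. `/* DF-0326: bound esslen to ni_essid; an oversize element is presumably rejected earlier by the frame parser, so this is defence in depth. */` — the "presumably" is mine, the diff does not show the parser. The same silent-truncation pattern appears in the -1518 hunk of this file and in the ieee80211_scan_sta.c hunk below. The enclosing function starts and ends outside this hunk.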
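Review bot: The second hunk applies the same clamp as the first but without the explanatory comment, so a reader of this function will not know why MIN() appeared here or that the two sites must stay in step. Mirror the first hunk's marker, `/* DF-0326: clamp attacker-controlled SSID length to the buffer. */`, above the new ni_esslen assignment. Switching the memcpy length from sp->ssid[1] to ni->ni_esslen is the right choice since it keeps the copied byte count tied to the clamped value. The enclosing function continues past the hunk.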
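Review bot: The new memcpy bounds the number of bytes copied into ise->se_ssid but still copies sp->ssid[1] verbatim as the stored length byte, so an oversize element leaves se_ssid with a length prefix that exceeds the body actually written; any reader that trusts se_ssid[1] (the ieee80211_node.c caller is clamped by this same diff, but other consumers are not visible here) would read stale bytes from the tail of se_ssid. Brace the if body and fix the stored length after the copy: `ise->se_ssid[1] = MIN(sp->ssid[1], IEEE80211_NWID_LEN);`, or compute the clamped length once into a local and use it for both the memcpy and the assignment. This assumes se_ssid is sized 2 + IEEE80211_NWID_LEN, which the hunk does not show. The rates copy two lines below is already guarded by the KASSERT, but only in debug builds; it may deserve the same MIN() treatment.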