From pa4dan@Vitsch.net  Mon Nov 29 11:54:03 2004
Return-Path: <pa4dan@Vitsch.net>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 83ADE16A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 29 Nov 2004 11:54:03 +0000 (GMT)
Received: from amsfep14-int.chello.nl (amsfep14-int.chello.nl [213.46.243.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C16ED43D1F
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 29 Nov 2004 11:54:01 +0000 (GMT)
	(envelope-from pa4dan@Vitsch.net)
Received: from Vitsch.net ([212.187.78.35]) by amsfep14-int.chello.nl
          (InterMail vM.6.01.03.04 201-2131-111-106-20040729) with ESMTP
          id <20041129115359.LHWW28162.amsfep14-int.chello.nl@Vitsch.net>
          for <FreeBSD-gnats-submit@freebsd.org>;
          Mon, 29 Nov 2004 12:53:59 +0100
Received: (from pa4dan@localhost)
	by Vitsch.net (8.12.3p2/8.11.3) id iATBrMmk091706;
	Mon, 29 Nov 2004 12:53:22 +0100 (CET)
	(envelope-from pa4dan)
Message-Id: <200411291153.iATBrMmk091706@Vitsch.net>
Date: Mon, 29 Nov 2004 12:53:22 +0100 (CET)
From: "Daan Vreeken [PA4DAN]" <Danovitsch@Vitsch.net>
Reply-To: "Daan Vreeken [PA4DAN]" <Danovitsch@Vitsch.net>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [PATCH] ifconfig allows setting 33-byte SSID
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         74509
>Category:       bin
>Synopsis:       [PATCH] ifconfig allows setting 33-byte SSID
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    brooks
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 29 12:00:51 GMT 2004
>Closed-Date:    Wed Jan 11 05:57:16 GMT 2006
>Last-Modified:  Wed Jan 11 05:57:16 GMT 2006
>Originator:     Daan Vreeken [PA4DAN]
>Release:        FreeBSD 5.3-RELEASE i386
>Organization:
>Environment:
System: FreeBSD Racebeest.Danovitsch.LAN 5.3-RELEASE FreeBSD 5.3-RELEASE #4: Fri Nov 26 18:18:21 CET 2004 root@Racebeest.Danovitsch.LAN:/usr/src.5.3-release/sys/i386/compile/Laptop i386


	
>Description:
	Ifconfig allows setting an SSID of 33 bytes. set80211ssid() calls
get_string() to read and verify the SSID argument. get_string() checks the
length of the given SSID argument, but the check fails because set80211ssid()
passes a 33-byte buffer to it instead of a 32-byte buffer.

>How-To-Repeat:

	Try the following commands on any interface:

	# ifconfig atuwi0 ssid 12345678901234567890123456789012
	(Setting a 32-byte SSID. No errors; correct.)

	# ifconfig atuwi0 ssid 123456789012345678901234567890123
	ifconfig: SIOCS80211: Invalid argument
	(Setting a 33-byte SSID. The interface driver returns an error;
	ifconfig should have complained here about the length.)

	# ifconfig atuwi0 ssid 1234567890123456789012345678901234
	ifconfig: string too long
	ifconfig: SIOCS80211: Invalid argument
	(Setting a 34-byte SSID. Ifconfig complains about the SSID being too
	long, but continues to set the first 33 bytes of the SSID. The driver
	complains again. I think ifconfig should have bailed out when it
	detected the SSID was too long, instead of setting the first part.)

>Fix:

	Apply the given patch to -current. This patch changes the ssid
	buffer size to 32 bytes so get_string() will detect strings longer
	than 32 bytes correctly. The second part of the patch makes
	set80211ssid() return if the SSID was too long, instead of setting
	the first 32 bytes.

	There are a couple of other bugs still in the ifconfig code. I would
	like to know who I can contact to discuss them.


--- ifconfig_ifieee80211_ssid_len.diff begins here ---
--- ifieee80211.c.org	Mon Nov 29 10:05:09 2004
+++ ifieee80211.c	Mon Nov 29 11:29:56 2004
@@ -100,7 +100,7 @@
 {
 	int		ssid;
 	int		len;
-	u_int8_t	data[33];
+	u_int8_t	data[32];
 
 	ssid = 0;
 	len = strlen(val);
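Review bot: with `data` shrunk to 32 bytes and `len = sizeof(data)` handed to get_string() below, a maximal 32-byte SSID now fills the buffer with no room for a NUL terminator, so `data` must only ever be treated as a length-delimited byte array (as set80211() does via `len`) and never passed to string functions; a comment on the declaration, or the 802.11 header's named constant for the 32-byte SSID limit in place of the bare `32` if one is available, would record why this size is the right one.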
@@ -111,8 +111,9 @@
 
 	bzero(data, sizeof(data));
 	len = sizeof(data);
-	get_string(val, NULL, data, &len);
-
+	if (get_string(val, NULL, data, &len) == NULL)
+		return;
+	
 	set80211(s, IEEE80211_IOC_SSID, ssid, len, data);
 }
 
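Review bot: the bare `return` on a NULL result from get_string() leaves the failure signalled only by the warning get_string() already printed (`ifconfig: string too long` in the report) and lets ifconfig finish as if the command succeeded; consider `exit(1)` or err() here so a non-zero exit status tells scripts the SSID was rejected. Also, the added `+	` line carries a stray tab on an otherwise blank line.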
--- ifconfig_ifieee80211_ssid_len.diff ends here ---
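The off-by-one from the description and the two-part fix, reproduced as an added C example that is not part of this PR or of ifconfig itself: `get_string()` below is a simplified stand-in for ifconfig's function (only the bounded copy and the warn-and-return-NULL behaviour are kept), and the `SSID_MAX` constant is assumed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define SSID_MAX 32   /* 802.11 SSID limit, the 32 bytes the report names */

/* Simplified stand-in for ifconfig's get_string(): copy val into buf,
 * warn and return NULL if it does not fit.  On success *lenp becomes the
 * number of bytes copied.  On failure *lenp is left untouched, which is
 * what lets the unpatched caller go on with a full buffer. */
static const char *
get_string(const char *val, uint8_t *buf, int *lenp)
{
	int cap = *lenp, n = 0;

	for (; val[n] != '\0'; n++) {
		if (n >= cap) {
			fprintf(stderr, "ifconfig: string too long\n");
			return NULL;
		}
		buf[n] = (uint8_t)val[n];
	}
	memset(buf + n, 0, cap - n);
	*lenp = n;
	return val;
}

/* Unpatched caller: 33-byte buffer, get_string() result ignored.
 * Returns the length that would be passed on to the SIOCS80211 ioctl. */
int
set_ssid_unpatched(const char *val)
{
	uint8_t data[33];
	int len = sizeof(data);

	memset(data, 0, sizeof(data));
	get_string(val, data, &len);
	return len;		/* 33 for both a 33- and a 34-byte SSID */
}

/* Patched caller: buffer matches the limit, and a failed get_string()
 * aborts the command instead of issuing the ioctl. */
int
set_ssid_patched(const char *val)
{
	uint8_t data[SSID_MAX];
	int len = sizeof(data);

	memset(data, 0, sizeof(data));
	if (get_string(val, data, &len) == NULL)
		return -1;	/* nothing is sent to the driver */
	return len;
}
```

The three SSIDs from the How-To-Repeat section give 32, 33 and 33 from the unpatched caller, and 32, -1 and -1 from the patched one.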


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->patched 
State-Changed-By: brooks 
State-Changed-When: Sun Oct 30 16:31:29 GMT 2005 
State-Changed-Why:  
Committed a similar fix to HEAD. 


Responsible-Changed-From-To: freebsd-bugs->brooks 
Responsible-Changed-By: brooks 
Responsible-Changed-When: Sun Oct 30 16:31:29 GMT 2005 
Responsible-Changed-Why:  
Committed a similar fix to HEAD. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=74509 
State-Changed-From-To: patched->closed 
State-Changed-By: brooks 
State-Changed-When: Wed Jan 11 05:57:03 UTC 2006 
State-Changed-Why:  
Merged to RELENG_5 and RELENG_6. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=74509 
>Unformatted:
