cvs commit: src/sbin/ifconfig ifieee80211.c
Sepherosa Ziehau
sephe at crater.dragonflybsd.org
Fri Dec 8 06:27:50 PST 2006
sephe 2006/12/08 06:25:07 PST
DragonFly src repository
Modified files:
sbin/ifconfig ifieee80211.c
Log:
Fix a stack overflow in ifconfig(8).
The stack overflow happens, if "-" is passed as the argument to 'ssid' or
'wepkey' commands. The offender is ifieee80211.c:get_string()'s "-" special
handling:
...
len = p - buf;
/* The string "-" is treated as the empty string. */
if (!hexstr && len == 1 && buf[0] == '-')
len = 0;
if (len < *lenp)
memset(p, 0, *lenp - len);
...
If the string is "-", the 'p' will be 1 byte beyound 'buf' and 'len' is set to
0. 'len' must be less than '*lenp' here, so memset() will be called. But the
length, used to clear the buffer, is 1 byte larger the buffer pointed by 'p'
Revision Changes Path
1.17 +2 -2 src/sbin/ifconfig/ifieee80211.c
http://www.dragonflybsd.org/cvsweb/src/sbin/ifconfig/ifieee80211.c.diff?r1=1.16&r2=1.17&f=u
More information about the Commits
mailing list