cvs commit: src/sbin/ifconfig ifieee80211.c

Sepherosa Ziehau sephe at crater.dragonflybsd.org
Fri Dec 8 06:27:50 PST 2006


sephe       2006/12/08 06:25:07 PST

DragonFly src repository

  Modified files:
    sbin/ifconfig        ifieee80211.c 
  Log:
  Fix a stack overflow in ifconfig(8).
  
  The stack overflow happens if "-" is passed as the argument to 'ssid' or
  'wepkey' commands.  The offender is ifieee80211.c:get_string()'s "-" special
  handling:
  ...
  	len = p - buf;
  	/* The string "-" is treated as the empty string. */
  	if (!hexstr && len == 1 && buf[0] == '-')
  		len = 0;
  	if (len < *lenp)
  		memset(p, 0, *lenp - len);
  ...
  
  If the string is "-", 'p' will be 1 byte beyond 'buf' and 'len' is set to
  0.  'len' must be less than '*lenp' here, so memset() will be called.  But the
  length used to clear the buffer is 1 byte larger than the buffer pointed to
  by 'p'.
  
  Revision  Changes    Path
  1.17      +2 -2      src/sbin/ifconfig/ifieee80211.c


http://www.dragonflybsd.org/cvsweb/src/sbin/ifconfig/ifieee80211.c.diff?r1=1.16&r2=1.17&f=u
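
The off-by-one described in the log message, as an added example that is not part of the commit or of ifconfig's source. pad_string() is a simplified, hypothetical model of the quoted lines (non-hex strings only), CAP and the guard byte are constructed, and the reset_p variant is an assumed fix, not necessarily the change made in revision 1.17.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAP    8     /* stands in for *lenp; constructed value */
#define CANARY 0xAA  /* guard byte placed right after the buffer */

/*
 * Simplified model of the quoted get_string() tail (non-hex strings only).
 * reset_p == 0 follows the quoted logic; reset_p != 0 also moves p back to
 * buf when "-" is mapped to the empty string (assumed fix, see lead-in).
 */
static size_t pad_string(const char *val, uint8_t *buf, size_t cap, int reset_p)
{
	uint8_t *p = buf;
	size_t len;

	while (*val != '\0' && p < buf + cap)
		*p++ = (uint8_t)*val++;
	len = (size_t)(p - buf);
	if (len == 1 && buf[0] == '-') {
		len = 0;
		if (reset_p)
			p = buf;
	}
	if (len < cap)
		memset(p, 0, cap - len);  /* quoted logic: writes p[0..cap-len-1] */
	return len;
}

/* Returns 1 if the byte just past the CAP-byte buffer was overwritten. */
static int canary_clobbered(const char *val, int reset_p)
{
	uint8_t arena[CAP + 1];  /* buffer plus guard, so the demo stays in bounds */

	memset(arena, 0xFF, CAP);
	arena[CAP] = CANARY;
	pad_string(val, arena, CAP, reset_p);
	return arena[CAP] != CANARY;
}

int main(void)
{
	printf("\"-\"   quoted logic: clobbered=%d\n", canary_clobbered("-", 0));
	printf("\"-\"   p reset:      clobbered=%d\n", canary_clobbered("-", 1));
	printf("\"abc\" quoted logic: clobbered=%d\n", canary_clobbered("abc", 0));
	return 0;
}
```

With "-" the quoted logic leaves p at buf + 1 while clearing CAP bytes, so the write ends one byte past the buffer; any other string shorter than CAP is padded exactly to the end.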




