From: Jean Tourrilhes <jt@hpl.hp.com>
To: Andrew Morton <akpm@osdl.org>, Pavel Roskin <proski@gnu.org>
Cc: Valdis.Kletnieks@vt.edu,
"John W. Linville" <linville@tuxdriver.com>,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: 2.6.18-mm2 - oops in cache_alloc_refill()
Date: Mon, 2 Oct 2006 10:52:45 -0700
Message-ID: <20061002175245.GA14744@bougret.hpl.hp.com>
In-Reply-To: <20060929182008.fee2a229.akpm@osdl.org>
On Fri, Sep 29, 2006 at 06:20:08PM -0700, Andrew Morton wrote:
> On Fri, 29 Sep 2006 20:01:54 -0400
> >
> > % grep ioctl /tmp/foo2 | sort -u | more
> > ioctl(13, SIOCGIWESSID, 0xbfbcdb9c) = 0
> > ioctl(13, SIOCGIWRANGE, 0xbfbcdbdc) = 0
> > ioctl(13, SIOCGIWRATE, 0xbfbcdbbc) = 0
>
> Yes. The main thing which those WE-21 patches do is to shorten the size of
> various buffers which are used in wireless ioctls.
Ok, I've found it. Actually, I feel ashamed, as it is a fairly
classic buffer overflow: we put one extra char in a buffer. Now, I
don't understand why it did not blow up on my box ;-)
New patch. I think it is right, but I would not mind Pavel
having a look at it. On my box it does not make things worse.
Valdis: would you mind trying whether this patch fixes the problem
you are seeing with WE-21? If it fixes it, I'll send it to John...
Have fun...
Jean
P.S. : I'll audit the other wireless drivers for the same thing.
-------------------------------------------------
diff -u -p linux/drivers/net/wireless/orinoco.j1.c linux/drivers/net/wireless/orinoco.c
--- linux/drivers/net/wireless/orinoco.j1.c 2006-10-02 10:15:41.000000000 -0700
+++ linux/drivers/net/wireless/orinoco.c 2006-10-02 10:39:20.000000000 -0700
@@ -2456,6 +2456,7 @@ void free_orinocodev(struct net_device *
/* Wireless extensions */
/********************************************************************/
+/* Return : < 0 -> error code ; >= 0 -> length */
static int orinoco_hw_get_essid(struct orinoco_private *priv, int *active,
char buf[IW_ESSID_MAX_SIZE+1])
{
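Review bot: the prototype in the context lines still declares the output parameter as `char buf[IW_ESSID_MAX_SIZE+1]`, although the function now fills only IW_ESSID_MAX_SIZE bytes and its callers in the later hunks copy only that many. An array size in a parameter is not enforced by the compiler, so it is documentation only, and it now documents the wrong contract. Change it to `char buf[IW_ESSID_MAX_SIZE]` and extend the new "Return :" comment to say that buf is not NUL-terminated and that the caller must rely on the returned length.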
@@ -2500,9 +2501,9 @@ static int orinoco_hw_get_essid(struct o
len = le16_to_cpu(essidbuf.len);
BUG_ON(len > IW_ESSID_MAX_SIZE);
- memset(buf, 0, IW_ESSID_MAX_SIZE+1);
+ memset(buf, 0, IW_ESSID_MAX_SIZE);
memcpy(buf, p, len);
- buf[len] = '\0';
+ err = len;
fail_unlock:
orinoco_unlock(priv, &flags);
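Review bot: `len` comes straight from the hardware record (`le16_to_cpu(essidbuf.len)`), and the `BUG_ON(len > IW_ESSID_MAX_SIZE)` on the next line turns a malformed or hostile firmware value into a kernel panic instead of an error; with the terminator store gone, `len == IW_ESSID_MAX_SIZE` now fills the buffer exactly, so the bound itself is right, but it should fail soft. Suggest replacing the BUG_ON with `if (len > IW_ESSID_MAX_SIZE) { err = -EIO; goto fail_unlock; }`. The new `err = len;` is correct for the "negative = error, otherwise length" convention, but it must stay after the copy so any earlier `goto fail_unlock` keeps its negative error code.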
@@ -3026,17 +3027,18 @@ static int orinoco_ioctl_getessid(struct
if (netif_running(dev)) {
err = orinoco_hw_get_essid(priv, &active, essidbuf);
- if (err)
+ if (err < 0)
return err;
+ erq->length = err;
} else {
if (orinoco_lock(priv, &flags) != 0)
return -EBUSY;
- memcpy(essidbuf, priv->desired_essid, IW_ESSID_MAX_SIZE + 1);
+ memcpy(essidbuf, priv->desired_essid, IW_ESSID_MAX_SIZE);
+ erq->length = strlen(priv->desired_essid);
orinoco_unlock(priv, &flags);
}
erq->flags = 1;
- erq->length = strlen(essidbuf);
return 0;
}
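Review bot: in the `else` branch `erq->length = strlen(priv->desired_essid)` is only safe if `desired_essid` is stored with its own terminator. A full 32-character ESSID copied with `memcpy(essidbuf, priv->desired_essid, IW_ESSID_MAX_SIZE)` has no terminator in `essidbuf`, which is exactly why the old `erq->length = strlen(essidbuf)` had to go, so bound the length the same way here with `strnlen(priv->desired_essid, IW_ESSID_MAX_SIZE)`. In the running branch `erq->length = err` assigns an int to the wireless-extensions length field; that is safe only because orinoco_hw_get_essid guarantees `err <= IW_ESSID_MAX_SIZE`, and since that invariant lives in another function it deserves a one-line comment here.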
@@ -3074,10 +3076,10 @@ static int orinoco_ioctl_getnick(struct
if (orinoco_lock(priv, &flags) != 0)
return -EBUSY;
- memcpy(nickbuf, priv->nick, IW_ESSID_MAX_SIZE+1);
+ memcpy(nickbuf, priv->nick, IW_ESSID_MAX_SIZE);
orinoco_unlock(priv, &flags);
- nrq->length = strlen(nickbuf);
+ nrq->length = strlen(priv->nick);
return 0;
}
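Review bot: `nrq->length = strlen(priv->nick)` is computed after `orinoco_unlock`, while the copy into `nickbuf` happened under the lock, so a concurrent set-nickname ioctl can change `priv->nick` between the two and the reported length will not match the bytes copied. Move the length computation above `orinoco_unlock`, as the getessid hunk does for `desired_essid`, and bound it with `strnlen(priv->nick, IW_ESSID_MAX_SIZE)` so an unterminated full-length nick cannot be overread.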
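The off-by-one described in the message, as an added C example that is not part of the e-mail, the patch, or the orinoco driver. It models the two conventions side by side: the pre-WE-21 getter assumes an IW_ESSID_MAX_SIZE+1 buffer, zeroes it and stores a terminator, while the WE-21 getter fills exactly IW_ESSID_MAX_SIZE bytes and returns the length. A canary byte placed just past a 32-byte caller buffer makes the overrun observable, and shows that the old memset clobbers it for an ESSID of any length, not only a 32-character one. The names `essid_rec`, `old_get_essid`, `new_get_essid`, `make_rec` and `canary_survives`, and the firmware record layout, are constructed for the example; the error and bound checks replace the patch's BUG_ON with a soft failure.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IW_ESSID_MAX_SIZE 32   /* same value as the kernel's wireless.h */
#define CANARY 0xA5            /* marker byte placed just past the ESSID buffer */

/* Constructed stand-in for the firmware ESSID record: a length followed by
 * the bytes. Byte-order conversion is omitted; the real driver applies
 * le16_to_cpu() to len. */
struct essid_rec {
    uint16_t len;
    char val[IW_ESSID_MAX_SIZE];
};

/* Pre-WE-21 pattern (the bug): assumes the caller's buffer is
 * IW_ESSID_MAX_SIZE+1 bytes and NUL-terminates it. Both the memset and the
 * terminator store touch byte IW_ESSID_MAX_SIZE, so a buffer of exactly
 * IW_ESSID_MAX_SIZE bytes is overrun by one byte for ANY ESSID length. */
static int old_get_essid(const struct essid_rec *rec, char *buf)
{
    unsigned int len = rec->len;

    if (len > IW_ESSID_MAX_SIZE)
        return -EIO;                         /* soft failure, not BUG_ON */
    memset(buf, 0, IW_ESSID_MAX_SIZE + 1);   /* one byte too many */
    memcpy(buf, rec->val, len);
    buf[len] = '\0';                         /* buf[32] when len == 32 */
    return 0;
}

/* WE-21 pattern (the fix): the buffer is exactly IW_ESSID_MAX_SIZE bytes, is
 * never terminated, and the length is returned instead (negative = error). */
static int new_get_essid(const struct essid_rec *rec, char *buf)
{
    unsigned int len = rec->len;

    if (len > IW_ESSID_MAX_SIZE)
        return -EIO;
    memset(buf, 0, IW_ESSID_MAX_SIZE);
    memcpy(buf, rec->val, len);
    return (int)len;
}

/* Build a record from a C string, truncating to IW_ESSID_MAX_SIZE. */
static struct essid_rec make_rec(const char *essid)
{
    struct essid_rec rec;
    size_t n = strlen(essid);

    if (n > IW_ESSID_MAX_SIZE)
        n = IW_ESSID_MAX_SIZE;
    memset(&rec, 0, sizeof rec);
    rec.len = (uint16_t)n;
    memcpy(rec.val, essid, n);
    return rec;
}

/* Run a getter against a 32-byte "caller" buffer backed by 33 bytes of
 * storage whose last byte is a canary, so the one-byte overrun stays inside
 * the allocation (no undefined behaviour) and is observable.
 * Returns 1 if the canary survived, 0 if it was overwritten, -1 if the
 * getter rejected the record. */
static int canary_survives(int (*getter)(const struct essid_rec *, char *),
                           const struct essid_rec *rec)
{
    char storage[IW_ESSID_MAX_SIZE + 1];

    memset(storage, 0, sizeof storage);
    storage[IW_ESSID_MAX_SIZE] = (char)CANARY;
    if (getter(rec, storage) < 0)
        return -1;
    return (unsigned char)storage[IW_ESSID_MAX_SIZE] == CANARY;
}

int main(void)
{
    /* constructed inputs: a maximal 32-character ESSID and a short one */
    struct essid_rec full = make_rec("0123456789abcdef0123456789abcdef");
    struct essid_rec brief = make_rec("lab-ap");

    printf("old getter, 32-byte ESSID: canary %s\n",
           canary_survives(old_get_essid, &full) ? "intact" : "CLOBBERED");
    printf("old getter, 6-byte ESSID:  canary %s\n",
           canary_survives(old_get_essid, &brief) ? "intact" : "CLOBBERED");
    printf("new getter, 32-byte ESSID: canary %s\n",
           canary_survives(new_get_essid, &full) ? "intact" : "CLOBBERED");
    printf("new getter, 6-byte ESSID:  canary %s\n",
           canary_survives(new_get_essid, &brief) ? "intact" : "CLOBBERED");
    return 0;
}
```

The canary sits inside the same allocation on purpose: writing `storage[32]` is a legal store here, so the harness observes exactly the byte the driver would have written past its 32-byte stack buffer without itself invoking undefined behaviour. In the kernel that byte landed in whatever followed `essidbuf` on the stack, which is why the symptom was a slab oops elsewhere rather than a crash at the memcpy.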