bin/74509: [PATCH] ifconfig allows setting 33-byte SSID

Daan Vreeken [PA4DAN] Danovitsch at
Mon Nov 29 04:01:13 PST 2004

>Number:         74509
>Category:       bin
>Synopsis:       [PATCH] ifconfig allows setting 33-byte SSID
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 29 12:00:51 GMT 2004
>Originator:     Daan Vreeken [PA4DAN]
>Release:        FreeBSD 5.3-RELEASE i386
System: FreeBSD Racebeest.Danovitsch.LAN 5.3-RELEASE FreeBSD 5.3-RELEASE #4: Fri Nov 26 18:18:21 CET 2004 root at Racebeest.Danovitsch.LAN:/usr/src.5.3-release/sys/i386/compile/Laptop i386

	Ifconfig allows setting an SSID of 33 bytes. set80211ssid() calls
	get_string() to read & verify the SSID argument. get_string() checks the
	length of the given SSID argument, but fails because set80211ssid() passes a
	33-byte buffer to it instead of a 32-byte buffer.


	Try the following commands on any interface:

	# ifconfig atuwi0 ssid 12345678901234567890123456789012
	(Setting a 32-byte SSID. No errors, correct)

	# ifconfig atuwi0 ssid 123456789012345678901234567890123
	ifconfig: SIOCS80211: Invalid argument
	(Setting a 33-byte SSID. The interface driver returns an error.
	ifconfig should have complained here about the length)

	# ifconfig atuwi0 ssid 1234567890123456789012345678901234
	ifconfig: string too long
	ifconfig: SIOCS80211: Invalid argument
	(Setting a 34-byte SSID. Ifconfig complains about the SSID being too
	long, but continues to set the first 33 bytes of the SSID. The driver
	complains again. I think ifconfig should have bailed out when it
	detected the SSID was too long, instead of setting the first part.)


	Apply the given patch to -current. This patch changes the ssid
	buffer size to 32 bytes so get_string() will detect string > 32 bytes
	correctly. The second part of the patch makes set80211ssid() return
	if the SSID was too long, instead of setting the first 32 bytes.

	There are a couple of other bugs still in the ifconfig code. I would
	like to know who I can contact to discuss them.

--- ifconfig_ifieee80211_ssid_len.diff begins here ---
---	Mon Nov 29 10:05:09 2004
+++ ifieee80211.c	Mon Nov 29 11:29:56 2004
@@ -100,7 +100,7 @@
 	int		ssid;
 	int		len;
-	u_int8_t	data[33];
+	u_int8_t	data[32];
 	ssid = 0;
 	len = strlen(val);
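Review bot: the literal 32 here is doing double duty, since `sizeof(data)` is what becomes the length limit passed to get_string() in the next hunk and the ioctl sends `len` bytes with no terminating NUL, so 32 (not 33) is the right size; consider writing it as `u_int8_t data[IEEE80211_NWID_LEN];` so the buffer stays tied to the protocol constant rather than to a number that has already been miscounted once.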
@@ -111,8 +111,9 @@
 	bzero(data, sizeof(data));
 	len = sizeof(data);
-	get_string(val, NULL, data, &len);
+	if (get_string(val, NULL, data, &len) == NULL)
+		return;
 	set80211(s, IEEE80211_IOC_SSID, ssid, len, data);
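Review bot: the early `return;` stops the truncated SSID from reaching SIOCS80211, and the user still gets a diagnostic because get_string() has already printed "string too long" (visible in the report's 34-byte transcript), but set80211ssid() is void, so ifconfig goes on to exit 0 even though the requested setting was not applied; consider failing hard with `errx(1, "ssid too long")` (the style ifconfig uses for other bad arguments) so scripts can detect that nothing was set.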
--- ifconfig_ifieee80211_ssid_len.diff ends here ---
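The off-by-one the report describes, modelled in C as an added example. This is not FreeBSD's ifconfig code: get_string_model(), ssid_len_unpatched(), ssid_len_patched() and driver_accepts() are hypothetical names, and NWID_MAX stands in for the 32-octet 802.11 SSID limit. The model shows why the buffer size alone decides what get_string() can detect, and why ignoring its return value lets a truncated SSID reach the ioctl.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from FreeBSD's ifconfig. Only NWID_MAX (32, the
 * 802.11 SSID limit) is a real constraint; every function name below is a
 * hypothetical stand-in for the ifconfig routines the report discusses. */

#define NWID_MAX 32     /* 802.11 SSIDs are at most 32 octets, no NUL needed */

/* Model of get_string(): copy val into buf, which holds *lenp bytes.
 * Copies at most *lenp bytes, stores the copied length in *lenp, and
 * returns NULL (after a warning) if the input did not fit entirely.
 * The caller decides what happens on NULL; that decision is the bug. */
static const char *
get_string_model(const char *val, uint8_t *buf, int *lenp)
{
    int avail = *lenp, n = 0;
    while (val[n] != '\0' && n < avail) {
        buf[n] = (uint8_t)val[n];
        n++;
    }
    *lenp = n;
    if (val[n] != '\0') {
        fprintf(stderr, "ifconfig: string too long\n");
        return NULL;
    }
    return val + n;
}

/* Model of the driver's SIOCS80211 check: anything over 32 octets is EINVAL. */
static int
driver_accepts(int len)
{
    return len >= 0 && len <= NWID_MAX;
}

/* Unpatched set80211ssid(): a 33-byte buffer, and get_string()'s result is
 * ignored. Returns the length that would be handed to the ioctl. */
static int
ssid_len_unpatched(const char *val)
{
    uint8_t data[33];                   /* one byte too many: the defect */
    int len = (int)sizeof(data);
    memset(data, 0, sizeof(data));
    get_string_model(val, data, &len);  /* NULL return ignored: also the defect */
    return len;
}

/* Patched set80211ssid(): a 32-byte buffer, and bail out when get_string()
 * reports truncation. Returns the ioctl length, or -1 if no ioctl is issued. */
static int
ssid_len_patched(const char *val)
{
    uint8_t data[NWID_MAX];
    int len = (int)sizeof(data);
    memset(data, 0, sizeof(data));
    if (get_string_model(val, data, &len) == NULL)
        return -1;                      /* too long: set nothing at all */
    return len;
}

int
main(void)
{
    /* Constructed inputs matching the three transcripts in the report. */
    const char *ssids[] = {
        "12345678901234567890123456789012",    /* 32 bytes */
        "123456789012345678901234567890123",   /* 33 bytes */
        "1234567890123456789012345678901234",  /* 34 bytes */
    };
    for (size_t i = 0; i < sizeof(ssids) / sizeof(ssids[0]); i++) {
        int u = ssid_len_unpatched(ssids[i]);
        int p = ssid_len_patched(ssids[i]);
        printf("%zu-byte ssid: unpatched passes %d bytes to ioctl (driver %s); "
               "patched %s\n",
               strlen(ssids[i]), u, driver_accepts(u) ? "accepts" : "EINVAL",
               p < 0 ? "rejects before any ioctl" : "passes it to ioctl");
    }
    return 0;
}
```

Run as is, the unpatched path hands 33 bytes to the driver for both the 33- and 34-byte inputs (the driver, not ifconfig, does the rejecting), while the patched path refuses anything over 32 before touching the socket.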

