Changeset 42152


Timestamp:
2014-08-12T13:15:38+02:00 (3 years ago)
Author:
jow
Message:

BB: package: fix segfault of iwinfo.scanlist("radio0").

This is a bug revealed in r41830.

First, the static variable char nif[IFNAMSIZ] of nl80211_phy2ifname()
would be zeroed out if the argument is "wlan0" or the like. This will
happen in the following call stack.

    nl80211_get_scanlist("radio0", buf, len);
        nl80211_phy2ifname("radio0")            // return static var nif with content "wlan0"
        nl80211_get_scanlist(nif, buf, len);    // tail call
            nl80211_get_mode(nif);
                nl80211_phy2ifname(nif);        // zero out nif

Later we try nl80211_ifadd("") which was supposed to create interface
"tmp.", but that won't happen because nl80211_msg() will put an invalid
ifidx 0 to the nlmsg.

Then iwinfo_ifup() and iwinfo_ifdown() would fail and happily
nl80211_get_scanlist() returned 0 and left *len undefined.

Signed-off-by: Yousong Zhou <yszhou4tech@…>

Backport of r42151
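
The static-buffer aliasing described in the message above, reduced to a stand-alone C program; this is an added example, not code from the changeset or from iwinfo. The names `phy2ifname_demo`, `name_len_after_reentry`, the `early_reject` switch and the `wlan%d` mapping are hypothetical stand-ins.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAMESZ 16

/* Hypothetical resolver that hands out a pointer to its own static buffer.
 * early_reject == 0: the buffer is cleared before the name is classified,
 *                    as in the behaviour the commit message describes.
 * early_reject == 1: names that are not phy%d/radio%d are rejected before
 *                    the buffer is touched. */
static const char *phy2ifname_demo(const char *name, int early_reject)
{
    static char nif[NAMESZ];
    int phyidx = -1;

    if (!name)
        return NULL;
    if (!strncmp(name, "phy", 3))
        phyidx = atoi(&name[3]);
    else if (!strncmp(name, "radio", 5))
        phyidx = atoi(&name[5]);
    else if (early_reject)
        return NULL;

    memset(nif, 0, sizeof(nif));    /* wipes *name too when name == nif */
    if (phyidx >= 0)
        snprintf(nif, sizeof(nif), "wlan%d", phyidx); /* constructed mapping */
    return nif;
}

/* Resolve "radio0", then feed the returned pointer back in, as the nested
 * call stack does. Returns the length of the name the outer caller holds. */
static size_t name_len_after_reentry(int early_reject)
{
    const char *ifname = phy2ifname_demo("radio0", early_reject);
    phy2ifname_demo(ifname, early_reject);  /* nested lookup on the alias */
    return strlen(ifname);
}

int main(void)
{
    printf("clear first:  len=%zu\n", name_len_after_reentry(0));
    printf("reject first: len=%zu\n", name_len_after_reentry(1));
    return 0;
}
```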

Location:
branches/barrier_breaker/package/network/utils/iwinfo/src
Files:
2 edited

  • branches/barrier_breaker/package/network/utils/iwinfo/src/iwinfo_lua.c

    r40813 r42152  
    363363static int iwinfo_L_scanlist(lua_State *L, int (*func)(const char *, char *, int *)) 
    364364{ 
    365         int i, x, len; 
     365        int i, x, len = 0; 
    366366        char rv[IWINFO_BUFSIZE]; 
    367367        char macstr[18]; 
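Review bot: Initialising `len = 0` at the declaration only protects this one caller; per the commit message, nl80211_get_scanlist() can still return 0 without writing *len, so any other user of the `int (*func)(const char *, char *, int *)` contract sees the same undefined value. Consider setting *len = 0 on entry to the scanlist function, or returning a non-zero status when the interface could not be brought up, and keep this initialiser as a second line of defence.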
  • branches/barrier_breaker/package/network/utils/iwinfo/src/iwinfo_nl80211.c

    r42015 r42152  
    216216        struct nl80211_msg_conveyor *cv; 
    217217 
     218        if (ifname == NULL) 
     219                return NULL; 
     220 
    218221        if (nl80211_init() < 0) 
    219222                return NULL; 
     
    228231                ifidx = if_nametoindex(ifname); 
    229232 
    230         if ((ifidx < 0) && (phyidx < 0)) 
     233        /* Valid ifidx must be greater than 0 */ 
     234        if ((ifidx <= 0) && (phyidx < 0)) 
    231235                return NULL; 
    232236 
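Review bot: In `(ifidx <= 0) && (phyidx < 0)` the `<` half of the ifidx test only matters if ifidx is a signed variable initialised to a negative value outside this hunk; if_nametoindex() itself returns 0 on failure and never a negative number, which is why the old `ifidx < 0` test let an unknown or empty name through. Saying so in the new comment (for example that if_nametoindex() returns 0 on error) would keep a later reader from reverting the comparison.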
     
    501505        struct dirent *e; 
    502506 
     507        /* Only accept phy name of the form phy%d or radio%d */ 
    503508        if (!ifname) 
    504509                return NULL; 
     
    507512        else if (!strncmp(ifname, "radio", 5)) 
    508513                phyidx = atoi(&ifname[5]); 
     514        else 
     515                return NULL; 
    509516 
    510517        memset(nif, 0, sizeof(nif)); 
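Review bot: The new `else return NULL` rejects names without a phy/radio prefix, but `atoi(&ifname[5])` still accepts a bare "radio" or "radioX" and maps it to index 0, so the "phy%d or radio%d" form promised by the added comment is not enforced. Parsing with strtol() and checking that at least one digit was consumed and nothing trails it would close that gap. A short comment at `memset(nif, 0, sizeof(nif))` noting that the early return must stay above it, because ifname may point at the static nif buffer, would also protect the fix from later reordering.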