ExternalVendorCode/openwrt
1
0
Fork 0
mirror of https://github.com/openwrt/openwrt.git synced 2025-01-12 07:53:07 +00:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity

package: fix segfault of iwinfo.scanlist("radio0").

Browse Source 
This is a bug revealed in r41830.

First, the static variable `char nif[IFNAMSIZ]` of nl80211_phy2ifname()
would be zeroed out if the argument is "wlan0" or the like.  This will
happen in the following call stack.

 nl80211_get_scanlist("radio0", buf, len);
   nl80211_phy2ifname("radio0")			// return static var nif with content "wlan0"
   nl80211_get_scanlist(nif, buf, len);		// tail call
     nl80211_get_mode(nif);
        nl80211_phy2ifname(nif);		// zero out nif

Later we try nl80211_ifadd("") which was supposed to create interface
"tmp.", but that won't happen because nl80211_msg() will put an invalid
ifidx 0 to the nlmsg.

Then iwinfo_ifup() and iwinfo_ifdown() would fail and happily
nl80211_get_scanlist() returned 0 and left *len undefined.

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>

SVN-Revision: 42151
This commit is contained in:
Jo-Philipp Wich 2014-08-12 11:14:11 +00:00
parent 24696a06ad
commit eb02b887ff
2 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
package/network/utils/iwinfo/src/iwinfo_lua.c
View File

@ -362,7 +362,7 @@ static int iwinfo_L_txpwrlist(lua_State *L, int (*func)(const char *, char *, in
/* Wrapper for scan list */ /* Wrapper for scan list */
static int iwinfo_L_scanlist(lua_State *L, int (*func)(const char *, char *, int *)) static int iwinfo_L_scanlist(lua_State *L, int (*func)(const char *, char *, int *))
{ {
int i, x, len; int i, x, len = 0;
char rv[IWINFO_BUFSIZE]; char rv[IWINFO_BUFSIZE];
char macstr[18]; char macstr[18];
const char *ifname = luaL_checkstring(L, 1); const char *ifname = luaL_checkstring(L, 1);

9
package/network/utils/iwinfo/src/iwinfo_nl80211.c
View File

@ -215,6 +215,9 @@ static struct nl80211_msg_conveyor * nl80211_msg(const char *ifname,
int ifidx = -1, phyidx = -1; int ifidx = -1, phyidx = -1;
struct nl80211_msg_conveyor *cv; struct nl80211_msg_conveyor *cv;
if (ifname == NULL)
return NULL;
if (nl80211_init() < 0) if (nl80211_init() < 0)
return NULL; return NULL;
@ -227,7 +230,8 @@ static struct nl80211_msg_conveyor * nl80211_msg(const char *ifname,
else else
ifidx = if_nametoindex(ifname); ifidx = if_nametoindex(ifname);
if ((ifidx < 0) && (phyidx < 0)) /* Valid ifidx must be greater than 0 */
if ((ifidx <= 0) && (phyidx < 0))
return NULL; return NULL;
cv = nl80211_new(nls->nl80211, cmd, flags); cv = nl80211_new(nls->nl80211, cmd, flags);
@ -500,12 +504,15 @@ static char * nl80211_phy2ifname(const char *ifname)
DIR *d; DIR *d;
struct dirent *e; struct dirent *e;
/* Only accept phy name of the form phy%d or radio%d */
if (!ifname) if (!ifname)
return NULL; return NULL;
else if (!strncmp(ifname, "phy", 3)) else if (!strncmp(ifname, "phy", 3))
phyidx = atoi(&ifname[3]); phyidx = atoi(&ifname[3]);
else if (!strncmp(ifname, "radio", 5)) else if (!strncmp(ifname, "radio", 5))
phyidx = atoi(&ifname[5]); phyidx = atoi(&ifname[5]);
else
return NULL;
memset(nif, 0, sizeof(nif)); memset(nif, 0, sizeof(nif));