diff options
author | Patrick Wildt <patrick@cvs.openbsd.org> | 2018-02-11 05:33:13 +0000 |
---|---|---|
committer | Patrick Wildt <patrick@cvs.openbsd.org> | 2018-02-11 05:33:13 +0000 |
commit | fe73bf18716db068c1a7cf6e5a5c49a851307dda (patch) | |
tree | 1fabb36d359288e3ac57a9ebbe3b06387f2d7a24 /sys | |
parent | 083453fedb35d58ff15815846ac9f9a64cd55922 (diff) |
Copy the scan results into a new buffer to re-align the data so that we
don't fault on strict alignment architectures.
Diffstat (limited to 'sys')
-rw-r--r-- | sys/dev/ic/bwfm.c | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/sys/dev/ic/bwfm.c b/sys/dev/ic/bwfm.c index 3937dc392a6..8a2f1beaddd 100644 --- a/sys/dev/ic/bwfm.c +++ b/sys/dev/ic/bwfm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bwfm.c,v 1.40 2018/02/11 05:13:07 patrick Exp $ */ +/* $OpenBSD: bwfm.c,v 1.41 2018/02/11 05:33:12 patrick Exp $ */ /* * Copyright (c) 2010-2016 Broadcom Corporation * Copyright (c) 2016,2017 Patrick Wildt <patrick@blueri.se> @@ -1973,22 +1973,33 @@ bwfm_rx_event_cb(struct bwfm_softc *sc, void *arg) switch (ntohl(e->msg.event_type)) { case BWFM_E_ESCAN_RESULT: { - struct bwfm_escan_results *res = (void *)&e[1]; + struct bwfm_escan_results *res; struct bwfm_bss_info *bss; + size_t reslen; int i; if (ntohl(e->msg.status) != BWFM_E_STATUS_PARTIAL) { ieee80211_end_scan(ifp); break; } len -= sizeof(*e); - if (len < sizeof(*res) || len < letoh32(res->buflen)) { + if (len < sizeof(*res)) { printf("%s: results too small\n", DEVNAME(sc)); m_freem(m); return; } + reslen = len; + res = malloc(len, M_TEMP, M_WAITOK); + memcpy(res, (void *)&e[1], len); + if (len < letoh32(res->buflen)) { + printf("%s: results too small\n", DEVNAME(sc)); + free(res, M_TEMP, reslen); + m_freem(m); + return; + } len -= sizeof(*res); if (len < letoh16(res->bss_count) * sizeof(struct bwfm_bss_info)) { printf("%s: results too small\n", DEVNAME(sc)); + free(res, M_TEMP, reslen); m_freem(m); return; } @@ -2000,6 +2011,7 @@ bwfm_rx_event_cb(struct bwfm_softc *sc, void *arg) if (len <= 0) break; } + free(res, M_TEMP, reslen); break; } case BWFM_E_SET_SSID: |