low-level network programming is sick. some wlan-drivers don't honor struct sizes

and simply write bytes _after_ the struct... this patch makes calling SIOCGIWRANGE more failure-proof.
author: mickeyl <mickeyl> 2003-04-04 10:31:26 (UTC)
committer: mickeyl <mickeyl> 2003-04-04 10:31:26 (UTC)
commit: 089385bb8ab768fbf6f394f326e565e3589163fc (patch) (unidiff)
tree: 23891b81b11310186c43179612531bc92e52ae65 /libopie2
parent: 7da7e9cbfb52988ce801310f66b1336e0809db28 (diff)
download: opie-089385bb8ab768fbf6f394f326e565e3589163fc.zip
opie-089385bb8ab768fbf6f394f326e565e3589163fc.tar.gz
opie-089385bb8ab768fbf6f394f326e565e3589163fc.tar.bz2
3 files changed, 47 insertions, 30 deletions
diff --git a/libopie2/opienet/onetutils.cpp b/libopie2/opienet/onetutils.cpp
index fd8f9e9..b317810 100644
--- a/libopie2/opienet/onetutils.cpp
+++ b/libopie2/opienet/onetutils.cpp
@@ -184,2 +184,3 @@ void dumpBytes( const unsigned char* data, int num )
    printf( "\n\n" );
 }
diff --git a/libopie2/opienet/onetwork.cpp b/libopie2/opienet/onetwork.cpp
index 66fa215..789e8ca 100644
--- a/libopie2/opienet/onetwork.cpp
+++ b/libopie2/opienet/onetwork.cpp
@@ -129,6 +129,6 @@ bool ONetwork::isWirelessInterface( const char* name ) const
 {
    int sfd = socket( AF_INET, SOCK_STREAM, 0 );
-    iwreqstruct iwr;
+    struct iwreq iwr;
-    memset( &iwr, 0, sizeof( iwreqstruct ) );
+    memset( &iwr, 0, sizeof( struct iwreq ) );
    strcpy( (char*) &iwr.ifr_name, name );
    int result = ::ioctl( sfd, SIOCGIWNAME, &iwr );
@@ -153,5 +153,5 @@ ONetworkInterface::ONetworkInterface( QObject* parent, const char* name )
-ifreqstruct& ONetworkInterface::ifr() const
+struct ifreq& ONetworkInterface::ifr() const
 {
    return _ifr;
@@ -173,5 +173,5 @@ void ONetworkInterface::init()
-bool ONetworkInterface::ioctl( int call, ifreqstruct& ifreq ) const
+bool ONetworkInterface::ioctl( int call, struct ifreq& ifreq ) const
 {
    int result = ::ioctl( _sfd, call, &ifreq );
@@ -378,5 +378,5 @@ OWirelessNetworkInterface::~OWirelessNetworkInterface()
-iwreqstruct& OWirelessNetworkInterface::iwr() const
+struct iwreq& OWirelessNetworkInterface::iwr() const
 {
    return _iwr;
@@ -418,7 +418,4 @@ QString OWirelessNetworkInterface::associatedAP() const
 void OWirelessNetworkInterface::buildChannelList()
 {
-    // IEEE802.11(b) radio frequency channels
-    struct iw_range range;
    //ML: If you listen carefully enough, you can hear lots of WLAN drivers suck
    //ML: The HostAP drivers need more than sizeof struct_iw range to complete
@@ -426,10 +423,19 @@ void OWirelessNetworkInterface::buildChannelList()
    //ML: The Wlan-NG drivers on the otherside fail (segfault!) if you allocate
    //ML: _too much_ space. This is damn shitty crap *sigh*
+    //ML: We allocate a large memory region in RAM and check whether the
-    _iwr.u.data.pointer = (char*) &range;
+    //ML: driver pollutes this extra space. The complaint will be made on stdout,
-    _iwr.u.data.length = IW_MAX_FREQUENCIES; //sizeof range;
+    //ML: so please forward this...
-    _iwr.u.data.flags = 0;
+    struct iwreq wrq;
-    if ( !wioctl( SIOCGIWRANGE ) )
+    int len = sizeof( struct iw_range )*2;
+    char *buffer = (char*) malloc( len );
+    //FIXME: Validate if we actually got the memory block
+    memset( buffer, 0, len );
+    memcpy( wrq.ifr_name, name(), IFNAMSIZ);
+    wrq.u.data.pointer = (caddr_t) buffer;
+    wrq.u.data.length = sizeof( struct iw_range );
+    wrq.u.data.flags = 0;
+    if ( ::ioctl( _sfd, SIOCGIWRANGE, &wrq ) == -1 )
    {
        qDebug( "OWirelessNetworkInterface::buildChannelList(): SIOCGIWRANGE failed (%s) - defaulting to 11 channels", strerror( errno ) );
@@ -448,4 +454,19 @@ void OWirelessNetworkInterface::buildChannelList()
    else
    {
+        // <check if the driver overwrites stuff>
+        int max = 0;
+        for ( int r = sizeof( struct iw_range ); r < len; r++ )
+            if (buffer[r] != 0)
+                max = r;
+        if (max > 0)
+        {
+            qWarning( "OWirelessNetworkInterface::buildChannelList(): Driver for wireless interface '%s'"
+                    "overwrote buffer end with at least %i bytes!\n", name(), max - sizeof( struct iw_range ) );
+        }
+        // </check if the driver overwrites stuff>
+        struct iw_range range;
+        memcpy( &range, buffer, sizeof range );
        qDebug( "OWirelessNetworkInterface::buildChannelList(): Interface %s reported to have %d channels.", name(), range.num_frequency );
        for ( int i = 0; i < range.num_frequency; ++i )
@@ -455,5 +476,7 @@ void OWirelessNetworkInterface::buildChannelList()
        }
    }
    qDebug( "OWirelessNetworkInterface::buildChannelList(): Channel list constructed." );
+    free(buffer);
 }
@@ -506,5 +529,5 @@ void OWirelessNetworkInterface::setChannel( int c ) const
    if ( !_mon )
    {
-        memset( &_iwr, 0, sizeof( iwreqstruct ) );
+        memset( &_iwr, 0, sizeof( struct iwreq ) );
        _iwr.u.freq.m = c;
        _iwr.u.freq.e = 0;
@@ -640,5 +663,5 @@ void OWirelessNetworkInterface::setSSID( const QString& ssid )
-bool OWirelessNetworkInterface::wioctl( int call, iwreqstruct& iwreq ) const
+bool OWirelessNetworkInterface::wioctl( int call, struct iwreq& iwreq ) const
 {
    int result = ::ioctl( _sfd, call, &iwreq );
@@ -676,5 +699,5 @@ void OMonitoringInterface::setChannel( int c )
 {
    // use standard WE channel switching protocol
-    memset( &_if->_iwr, 0, sizeof( iwreqstruct ) );
+    memset( &_if->_iwr, 0, sizeof( struct iwreq ) );
    _if->_iwr.u.freq.m = c;
    _if->_iwr.u.freq.e = 0;
diff --git a/libopie2/opienet/onetwork.h b/libopie2/opienet/onetwork.h
index 7c70873..509c3db 100644
--- a/libopie2/opienet/onetwork.h
+++ b/libopie2/opienet/onetwork.h
@@ -73,11 +73,4 @@ class OChannelHopper;
 class OMonitoringInterface;
-typedef struct ifreq ifreqstruct;
-typedef struct iwreq iwreqstruct;
-typedef struct iw_event iweventstruct;
-typedef struct iw_freq iwfreqstruct;
-typedef struct iw_priv_args iwprivargsstruct;
-typedef struct iw_range iwrangestruct;
 /*======================================================================================
 * ONetwork
@@ -137,12 +130,12 @@ class ONetworkInterface : public QObject
  protected:
    const int _sfd;
-    mutable ifreqstruct _ifr;
+    mutable ifreq _ifr;
    OMonitoringInterface* _mon;
  protected:
-    ifreqstruct& ifr() const;
+    struct ifreq& ifr() const;
    virtual void init();
    bool ioctl( int call ) const;
-    bool ioctl( int call, ifreqstruct& ) const;
+    bool ioctl( int call, struct ifreq& ) const;
 };
@@ -223,10 +216,10 @@ class OWirelessNetworkInterface : public ONetworkInterface
    void buildPrivateList();
    virtual void init();
-    iwreqstruct& iwr() const;
+    struct iwreq& iwr() const;
    bool wioctl( int call ) const;
-    bool wioctl( int call, iwreqstruct& ) const;
+    bool wioctl( int call, struct iwreq& ) const;
  protected:
-    mutable iwreqstruct _iwr;
+    mutable struct iwreq _iwr;
    QMap<int,int> _channels;
author	mickeyl <mickeyl>	2003-04-04 10:31:26 (UTC)
committer	mickeyl <mickeyl>	2003-04-04 10:31:26 (UTC)
commit	089385bb8ab768fbf6f394f326e565e3589163fc (patch) (unidiff)
tree	23891b81b11310186c43179612531bc92e52ae65 /libopie2
parent	7da7e9cbfb52988ce801310f66b1336e0809db28 (diff)
download	opie-089385bb8ab768fbf6f394f326e565e3589163fc.zip opie-089385bb8ab768fbf6f394f326e565e3589163fc.tar.gz opie-089385bb8ab768fbf6f394f326e565e3589163fc.tar.bz2

diff --git a/libopie2/opienet/onetutils.cpp b/libopie2/opienet/onetutils.cpp index fd8f9e9..b317810 100644 --- a/libopie2/opienet/onetutils.cpp +++ b/libopie2/opienet/onetutils.cpp
@@ -184,2 +184,3 @@ void dumpBytes( const unsigned char* data, int num )
184	printf( "\n\n" );	184	printf( "\n\n" );
185	}	185	}
		186


diff --git a/libopie2/opienet/onetwork.cpp b/libopie2/opienet/onetwork.cpp index 66fa215..789e8ca 100644 --- a/libopie2/opienet/onetwork.cpp +++ b/libopie2/opienet/onetwork.cpp
@@ -129,6 +129,6 @@ bool ONetwork::isWirelessInterface( const char* name ) const
129	{	129	{
130	int sfd = socket( AF_INET, SOCK_STREAM, 0 );	130	int sfd = socket( AF_INET, SOCK_STREAM, 0 );
131	iwreqstruct iwr;	131	struct iwreq iwr;
132	memset( &iwr, 0, sizeof( iwreqstruct ) );	132	memset( &iwr, 0, sizeof( struct iwreq ) );
133	strcpy( (char*) &iwr.ifr_name, name );	133	strcpy( (char*) &iwr.ifr_name, name );
134	int result = ::ioctl( sfd, SIOCGIWNAME, &iwr );	134	int result = ::ioctl( sfd, SIOCGIWNAME, &iwr );
@@ -153,5 +153,5 @@ ONetworkInterface::ONetworkInterface( QObject* parent, const char* name )
153		153
154		154
155	ifreqstruct& ONetworkInterface::ifr() const	155	struct ifreq& ONetworkInterface::ifr() const
156	{	156	{
157	return _ifr;	157	return _ifr;
@@ -173,5 +173,5 @@ void ONetworkInterface::init()
173		173
174		174
175	bool ONetworkInterface::ioctl( int call, ifreqstruct& ifreq ) const	175	bool ONetworkInterface::ioctl( int call, struct ifreq& ifreq ) const
176	{	176	{
177	int result = ::ioctl( _sfd, call, &ifreq );	177	int result = ::ioctl( _sfd, call, &ifreq );
@@ -378,5 +378,5 @@ OWirelessNetworkInterface::~OWirelessNetworkInterface()
378		378
379		379
380	iwreqstruct& OWirelessNetworkInterface::iwr() const	380	struct iwreq& OWirelessNetworkInterface::iwr() const
381	{	381	{
382	return _iwr;	382	return _iwr;
@@ -418,7 +418,4 @@ QString OWirelessNetworkInterface::associatedAP() const
418	void OWirelessNetworkInterface::buildChannelList()	418	void OWirelessNetworkInterface::buildChannelList()
419	{	419	{
420	// IEEE802.11(b) radio frequency channels
421	struct iw_range range;
422
423	//ML: If you listen carefully enough, you can hear lots of WLAN drivers suck	420	//ML: If you listen carefully enough, you can hear lots of WLAN drivers suck
424	//ML: The HostAP drivers need more than sizeof struct_iw range to complete	421	//ML: The HostAP drivers need more than sizeof struct_iw range to complete
@@ -426,10 +423,19 @@ void OWirelessNetworkInterface::buildChannelList()
426	//ML: The Wlan-NG drivers on the otherside fail (segfault!) if you allocate	423	//ML: The Wlan-NG drivers on the otherside fail (segfault!) if you allocate
427	//ML: _too much_ space. This is damn shitty crap sigh	424	//ML: _too much_ space. This is damn shitty crap sigh
428		425	//ML: We allocate a large memory region in RAM and check whether the
429	_iwr.u.data.pointer = (char*) &range;	426	//ML: driver pollutes this extra space. The complaint will be made on stdout,
430	_iwr.u.data.length = IW_MAX_FREQUENCIES; //sizeof range;	427	//ML: so please forward this...
431	_iwr.u.data.flags = 0;	428
432		429	struct iwreq wrq;
433	if ( !wioctl( SIOCGIWRANGE ) )	430	int len = sizeof( struct iw_range )*2;
		431	char buffer = (char) malloc( len );
		432	//FIXME: Validate if we actually got the memory block
		433	memset( buffer, 0, len );
		434	memcpy( wrq.ifr_name, name(), IFNAMSIZ);
		435	wrq.u.data.pointer = (caddr_t) buffer;
		436	wrq.u.data.length = sizeof( struct iw_range );
		437	wrq.u.data.flags = 0;
		438
		439	if ( ::ioctl( _sfd, SIOCGIWRANGE, &wrq ) == -1 )
434	{	440	{
435	qDebug( "OWirelessNetworkInterface::buildChannelList(): SIOCGIWRANGE failed (%s) - defaulting to 11 channels", strerror( errno ) );	441	qDebug( "OWirelessNetworkInterface::buildChannelList(): SIOCGIWRANGE failed (%s) - defaulting to 11 channels", strerror( errno ) );
@@ -448,4 +454,19 @@ void OWirelessNetworkInterface::buildChannelList()
448	else	454	else
449	{	455	{
		456	// <check if the driver overwrites stuff>
		457	int max = 0;
		458	for ( int r = sizeof( struct iw_range ); r < len; r++ )
		459	if (buffer[r] != 0)
		460	max = r;
		461	if (max > 0)
		462	{
		463	qWarning( "OWirelessNetworkInterface::buildChannelList(): Driver for wireless interface '%s'"
		464	"overwrote buffer end with at least %i bytes!\n", name(), max - sizeof( struct iw_range ) );
		465	}
		466	// </check if the driver overwrites stuff>
		467
		468	struct iw_range range;
		469	memcpy( &range, buffer, sizeof range );
		470
450	qDebug( "OWirelessNetworkInterface::buildChannelList(): Interface %s reported to have %d channels.", name(), range.num_frequency );	471	qDebug( "OWirelessNetworkInterface::buildChannelList(): Interface %s reported to have %d channels.", name(), range.num_frequency );
451	for ( int i = 0; i < range.num_frequency; ++i )	472	for ( int i = 0; i < range.num_frequency; ++i )
@@ -455,5 +476,7 @@ void OWirelessNetworkInterface::buildChannelList()
455	}	476	}
456	}	477	}
		478
457	qDebug( "OWirelessNetworkInterface::buildChannelList(): Channel list constructed." );	479	qDebug( "OWirelessNetworkInterface::buildChannelList(): Channel list constructed." );
		480	free(buffer);
458	}	481	}
459		482
@@ -506,5 +529,5 @@ void OWirelessNetworkInterface::setChannel( int c ) const
506	if ( !_mon )	529	if ( !_mon )
507	{	530	{
508	memset( &_iwr, 0, sizeof( iwreqstruct ) );	531	memset( &_iwr, 0, sizeof( struct iwreq ) );
509	_iwr.u.freq.m = c;	532	_iwr.u.freq.m = c;
510	_iwr.u.freq.e = 0;	533	_iwr.u.freq.e = 0;
@@ -640,5 +663,5 @@ void OWirelessNetworkInterface::setSSID( const QString& ssid )
640		663
641		664
642	bool OWirelessNetworkInterface::wioctl( int call, iwreqstruct& iwreq ) const	665	bool OWirelessNetworkInterface::wioctl( int call, struct iwreq& iwreq ) const
643	{	666	{
644	int result = ::ioctl( _sfd, call, &iwreq );	667	int result = ::ioctl( _sfd, call, &iwreq );
@@ -676,5 +699,5 @@ void OMonitoringInterface::setChannel( int c )
676	{	699	{
677	// use standard WE channel switching protocol	700	// use standard WE channel switching protocol
678	memset( &_if->_iwr, 0, sizeof( iwreqstruct ) );	701	memset( &_if->_iwr, 0, sizeof( struct iwreq ) );
679	_if->_iwr.u.freq.m = c;	702	_if->_iwr.u.freq.m = c;
680	_if->_iwr.u.freq.e = 0;	703	_if->_iwr.u.freq.e = 0;


diff --git a/libopie2/opienet/onetwork.h b/libopie2/opienet/onetwork.h index 7c70873..509c3db 100644 --- a/libopie2/opienet/onetwork.h +++ b/libopie2/opienet/onetwork.h
@@ -73,11 +73,4 @@ class OChannelHopper;
73	class OMonitoringInterface;	73	class OMonitoringInterface;
74		74
75	typedef struct ifreq ifreqstruct;
76	typedef struct iwreq iwreqstruct;
77	typedef struct iw_event iweventstruct;
78	typedef struct iw_freq iwfreqstruct;
79	typedef struct iw_priv_args iwprivargsstruct;
80	typedef struct iw_range iwrangestruct;
81
82	/*======================================================================================	75	/*======================================================================================
83	* ONetwork	76	* ONetwork
@@ -137,12 +130,12 @@ class ONetworkInterface : public QObject
137	protected:	130	protected:
138	const int _sfd;	131	const int _sfd;
139	mutable ifreqstruct _ifr;	132	mutable ifreq _ifr;
140	OMonitoringInterface* _mon;	133	OMonitoringInterface* _mon;
141		134
142	protected:	135	protected:
143	ifreqstruct& ifr() const;	136	struct ifreq& ifr() const;
144	virtual void init();	137	virtual void init();
145	bool ioctl( int call ) const;	138	bool ioctl( int call ) const;
146	bool ioctl( int call, ifreqstruct& ) const;	139	bool ioctl( int call, struct ifreq& ) const;
147	};	140	};
148		141
@@ -223,10 +216,10 @@ class OWirelessNetworkInterface : public ONetworkInterface
223	void buildPrivateList();	216	void buildPrivateList();
224	virtual void init();	217	virtual void init();
225	iwreqstruct& iwr() const;	218	struct iwreq& iwr() const;
226	bool wioctl( int call ) const;	219	bool wioctl( int call ) const;
227	bool wioctl( int call, iwreqstruct& ) const;	220	bool wioctl( int call, struct iwreq& ) const;
228		221
229	protected:	222	protected:
230	mutable iwreqstruct _iwr;	223	mutable struct iwreq _iwr;
231	QMap<int,int> _channels;	224	QMap<int,int> _channels;
232		225