From: stsp
Date: Thu, 19 Aug 2021 06:02:39 +0000 (+0000)
Subject: Fix an off-by-one in bwfm(4) SSID length checks.
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=4ba678298c46517fe91f166d3ad236b6741402b5;p=openbsd
Fix an off-by-one in bwfm(4) SSID length checks. SSIDs are binary data, not NUL-terminated strings. ok patrick@
---
diff --git a/sys/dev/ic/bwfm.c b/sys/dev/ic/bwfm.c
index a4af90501dc..a292bc84218 100644
--- a/sys/dev/ic/bwfm.c
+++ b/sys/dev/ic/bwfm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bwfm.c,v 1.85 2021/08/12 12:31:40 patrick Exp $ */
+/* $OpenBSD: bwfm.c,v 1.86 2021/08/19 06:02:39 stsp Exp $ */
 /*
 * Copyright (c) 2010-2016 Broadcom Corporation
 * Copyright (c) 2016,2017 Patrick Wildt
@@ -1959,7 +1959,7 @@ bwfm_connect(struct bwfm_softc *sc)
 bwfm_fwvar_var_set_int(sc, "auth", BWFM_AUTH_OPEN);
 bwfm_fwvar_var_set_int(sc, "mfp", BWFM_MFP_NONE);
- if (ic->ic_des_esslen && ic->ic_des_esslen < BWFM_MAX_SSID_LEN) {
+ if (ic->ic_des_esslen && ic->ic_des_esslen <= BWFM_MAX_SSID_LEN) {
 params = malloc(sizeof(*params), M_TEMP, M_WAITOK | M_ZERO);
 memcpy(params->ssid.ssid, ic->ic_des_essid, ic->ic_des_esslen);
 params->ssid.len = htole32(ic->ic_des_esslen);
@@ -2064,7 +2064,7 @@ bwfm_scan(struct bwfm_softc *sc)
 struct bwfm_ssid *ssid;
 if (ic->ic_flags & IEEE80211_F_ASCAN &&
- ic->ic_des_esslen && ic->ic_des_esslen < BWFM_MAX_SSID_LEN)
+ ic->ic_des_esslen && ic->ic_des_esslen <= BWFM_MAX_SSID_LEN)
 nssid = 1;
 chan_size = roundup(nchan * sizeof(uint16_t), sizeof(uint32_t));
@@ -2088,7 +2088,7 @@ bwfm_scan(struct bwfm_softc *sc)
 params->sync_id = htole16(0x1234);
 if (ic->ic_flags & IEEE80211_F_ASCAN &&
- ic->ic_des_esslen && ic->ic_des_esslen < BWFM_MAX_SSID_LEN) {
+ ic->ic_des_esslen && ic->ic_des_esslen <= BWFM_MAX_SSID_LEN) {
 params->scan_params.scan_type = BWFM_SCANTYPE_ACTIVE;
 ssid->len = htole32(ic->ic_des_esslen);
 memcpy(ssid->ssid, ic->ic_des_essid, ic->ic_des_esslen);
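Review bot: The relaxed bound in bwfm_connect() is the only guard on the `memcpy` into `params->ssid.ssid`, and nothing in the hunk shows that the destination array is declared with `BWFM_MAX_SSID_LEN` bytes. If it is, a maximum-length SSID now fills the array exactly with no terminator, which is what the commit message intends. Tying the check to the destination, `ic->ic_des_esslen <= sizeof(params->ssid.ssid)`, or adding a compile-time assertion that the two sizes agree, would keep the copy in bounds if either definition changes. The same applies to `memcpy(ssid->ssid, ...)` in the last bwfm_scan() hunk. The body of bwfm_connect() continues outside the hunk, so the struct layout should be confirmed against the header.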
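Review bot: The active-scan SSID test is written out twice in bwfm_scan(): here where `nssid` is set, and again in the following hunk where the SSID is copied into the request. Presumably the first sizes the request and the second fills it, so the two must never disagree, and this commit had to change both in step. Deriving the second from the first, `if (nssid) {`, would leave a single copy of the length check. Both hunks show only part of the function, so confirm that `nssid` is not modified between the two sites before relying on it.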