author | Felix Fietkau <nbd@openwrt.org> | 2007-05-23 14:54:18 +0000 |
---|---|---|
committer | Felix Fietkau <nbd@openwrt.org> | 2007-05-23 14:54:18 +0000 |
commit | 34f3b786b5187d4e7724589168b62455e8e984d6 (patch) | |
tree | fbb08231d1ab76ce75133800e449ab77f4013e99 /package/madwifi/patches/119-secfix_PR_1335.patch | |
parent | 014af49855bd7c56b4ccc81766f7e860f01a1192 (diff) | |
update madwifi to latest trunk (refcount and hal-0.9.30.13 got merged) and include a security fix that was merged in 0.9.3.1
SVN-Revision: 7309
Diffstat (limited to 'package/madwifi/patches/119-secfix_PR_1335.patch')
-rw-r--r-- | package/madwifi/patches/119-secfix_PR_1335.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/package/madwifi/patches/119-secfix_PR_1335.patch b/package/madwifi/patches/119-secfix_PR_1335.patch
new file mode 100644
index 0000000000..ecf3ddaad6
--- /dev/null
+++ b/package/madwifi/patches/119-secfix_PR_1335.patch
@@ -0,0 +1,49 @@
+diff -ur madwifi.old/net80211/ieee80211_input.c madwifi.dev/net80211/ieee80211_input.c
+--- madwifi.old/net80211/ieee80211_input.c 2007-05-21 17:53:39.000000000 +0200
++++ madwifi.dev/net80211/ieee80211_input.c 2007-05-23 16:50:21.097957392 +0200
+@@ -695,13 +695,31 @@
+
+ /* NB: assumes linear (i.e., non-fragmented) skb */
+
++ /* check length > header */
++ if (skb->len < sizeof(struct ether_header) + LLC_SNAPFRAMELEN
++ + roundup(sizeof(struct athl2p_tunnel_hdr) - 2, 4) + 2) {
++ IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
++ ni->ni_macaddr, "data", "%s", "decap error");
++ vap->iv_stats.is_rx_decap++;
++ IEEE80211_NODE_STAT(ni, rx_decap);
++ goto err;
++ }
++
+ /* get to the tunneled headers */
+ ath_hdr = (struct athl2p_tunnel_hdr *)
+ skb_pull(skb, sizeof(struct ether_header) + LLC_SNAPFRAMELEN);
+- /* ignore invalid frames */
+- if(ath_hdr == NULL)
++ eh_tmp = (struct ether_header *)
++ skb_pull(skb, roundup(sizeof(struct athl2p_tunnel_hdr) - 2, 4) + 2);
++ /* sanity check for malformed 802.3 length */
++ frame_len = ntohs(eh_tmp->ether_type);
++ if (skb->len < roundup(sizeof(struct ether_header) + frame_len, 4)) {
++ IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
++ ni->ni_macaddr, "data", "%s", "decap error");
++ vap->iv_stats.is_rx_decap++;
++ IEEE80211_NODE_STAT(ni, rx_decap);
+ goto err;
+-
++ }
++
+ /* only implementing FF now. drop all others. */
+ if (ath_hdr->proto != ATH_L2TUNNEL_PROTO_FF) {
+ IEEE80211_DISCARD_MAC(vap,
+@@ -714,10 +732,6 @@
+ }
+ vap->iv_stats.is_rx_ffcnt++;
+
+- /* move past the tunneled header, with alignment */
+- skb_pull(skb, roundup(sizeof(struct athl2p_tunnel_hdr) - 2, 4) + 2);
+- eh_tmp = (struct ether_header *)skb->data;
+-
+ /* ether_type must be length as FF frames are always LLC/SNAP encap'd */
+ frame_len = ntohs(eh_tmp->ether_type);
+ |
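Review bot: The first length check in the `@@ -695` hunk covers the outer Ethernet header, LLC/SNAP and the tunnel header but not the inner Ethernet header, so `frame_len = ntohs(eh_tmp->ether_type);` can read bytes beyond `skb->len` on a truncated frame before the second check discards it. Adding `+ sizeof(struct ether_header)` to the first comparison would guarantee the inner header is present before it is dereferenced. Dropping the `ath_hdr == NULL` test appears safe only because that same check bounds both `skb_pull()` calls on a linear skb, which deserves a comment such as `/* both pulls are bounded by the length check above */`. In the `@@ -714` hunk the retained `frame_len = ntohs(eh_tmp->ether_type);` now repeats the earlier assignment and could be removed. The enclosing function starts and ends outside both hunks.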