author | Felix Fietkau <nbd@openwrt.org> | 2006-12-08 16:48:43 +0000 |
---|---|---|
committer | Felix Fietkau <nbd@openwrt.org> | 2006-12-08 16:48:43 +0000 |
commit | d6b8219de1d1552d3ef5a21fde9efa1f3d61e6b0 (patch) | |
tree | e38936fe7ed4f432113c977c6c5f9947143761c0 /package/madwifi/patches | |
parent | eed1b7d67f2b2dfe8c7be970c128936f70e3cdb0 (diff) | |
add an update for the not-entirely-correct security fix of madwifi (see [5720], madwifi changeset 1847)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@5726 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'package/madwifi/patches')
-rw-r--r-- | package/madwifi/patches/105-security_patch_fix.patch | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/package/madwifi/patches/105-security_patch_fix.patch b/package/madwifi/patches/105-security_patch_fix.patch new file mode 100644 index 0000000000..df0ea4d496 --- /dev/null +++ b/package/madwifi/patches/105-security_patch_fix.patch @@ -0,0 +1,27 @@ +The fix for CVE-2006-6332 in r1842 was not entirely correct. In
+encode_ie() the bound check did not consider that each byte from
+the IE causes two bytes to be written into buffer. That could
+lead to a kernel oops, but does not allow code injection. This is
+now fixed.
+
+Due to the type of this problem it does not trigger another
+urgent security bugfix release. v0.9.3 is at the door anyway.
+
+Reported-by: Joachim Gleisner <jg@suse.de>
+
+Index: trunk/net80211/ieee80211_wireless.c
+===================================================================
+--- trunk/net80211/ieee80211_wireless.c (revision 1846)
++++ trunk/net80211/ieee80211_wireless.c (revision 1847)
+@@ -1566,8 +1566,8 @@
+ bufsize -= leader_len;
+ p += leader_len;
+- if (bufsize < ielen)
+- return 0;
+- for (i = 0; i < ielen && bufsize > 2; i++)
++ for (i = 0; i < ielen && bufsize > 2; i++) {
+ p += sprintf(p, "%02x", ie[i]);
++ bufsize -= 2;
++ }
+ return (i == ielen ? p - (u_int8_t *)buf : 0);
+ }
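
Review bot: Dropping the up-front `if (bufsize < ielen) return 0;` in encode_ie() rather than correcting it means an IE that does not fit is now detected only after the loop has written a truncated hex string into the buffer; the function still returns 0 because `i != ielen`, but the failure path is no longer write-free. Consider keeping an early check sized for the real output, two characters per IE byte plus the NUL that sprintf appends, for example `if (bufsize < 2 * ielen + 1) return 0;`, and keeping the per-iteration `bufsize -= 2` as a second line of defence. The loop guard `bufsize > 2` is what reserves room for that terminating NUL, which deserves a one-line comment, since the original bug was this same size accounting.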