author | Felix Fietkau <nbd@openwrt.org> | 2006-12-08 16:48:43 +0000 |
---|---|---|
committer | Felix Fietkau <nbd@openwrt.org> | 2006-12-08 16:48:43 +0000 |
commit | 4bead05b286388f205a21f3d14be3e7c3e063e3d (patch) | |
tree | 1935bec702518d52f88265441b4399f2182091f3 /package/madwifi/patches | |
parent | 3264c50c3a29e7de5880f3694f64f5a13351a516 (diff) | |
add an update for the not-entirely-correct security fix of madwifi (see [5720], madwifi changeset 1847)
SVN-Revision: 5726
Diffstat (limited to 'package/madwifi/patches')
-rw-r--r-- | package/madwifi/patches/105-security_patch_fix.patch | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/package/madwifi/patches/105-security_patch_fix.patch b/package/madwifi/patches/105-security_patch_fix.patch new file mode 100644 index 0000000000..96dc17ac60 --- /dev/null +++ b/package/madwifi/patches/105-security_patch_fix.patch @@ -0,0 +1,27 @@ +The fix for CVE-2006-6332 in r1842 was not entirely correct. In +encode_ie() the bound check did not consider that each byte from +the IE causes two bytes to be written into buffer. That could +lead to a kernel oops, but does not allow code injection. This is +now fixed. + +Due to the type of this problem it does not trigger another +urgent security bugfix release. v0.9.3 is at the door anyway. + +Reported-by: Joachim Gleisner <jg@suse.de> + +Index: trunk/net80211/ieee80211_wireless.c +=================================================================== +--- trunk/net80211/ieee80211_wireless.c (revision 1846) ++++ trunk/net80211/ieee80211_wireless.c (revision 1847) +@@ -1566,8 +1566,8 @@ + bufsize -= leader_len; + p += leader_len; +- if (bufsize < ielen) +- return 0; +- for (i = 0; i < ielen && bufsize > 2; i++) ++ for (i = 0; i < ielen && bufsize > 2; i++) { + p += sprintf(p, "%02x", ie[i]); ++ bufsize -= 2; ++ } + return (i == ielen ? p - (u_int8_t *)buf : 0); + } |
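Review bot: In the encode_ie() loop the only remaining bound is `bufsize > 2`, so a buffer that is too small is detected only after part of the hex string has already been written, and the function then returns 0 with buf partly filled. Rather than dropping the removed `if (bufsize < ielen) return 0;` entirely, consider keeping an up-front check corrected for the two-characters-per-byte expansion plus the terminating NUL that sprintf writes, for example `if (bufsize < 2 * ielen + 1) return 0;`, so the failure path writes nothing past the leader. Separately, the visible context does not show bufsize being compared with leader_len before `bufsize -= leader_len;`. If bufsize is an unsigned type and no earlier check exists, that subtraction wraps and the `bufsize > 2` guard no longer limits the loop, so it is worth confirming or adding that check in the same change.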