Gentoo's Bugzilla – Attachment 135846 Details for Bug 196862: ieee80211 off-by-two integer underflow DoS (CVE-2007-4997)
git commit for CVE-2007-4997
1500-CVE-2007-4997-ieee80211-underflow-dos.patch (text/plain), 1.87 KB, created by Mike Pagano on 2007-11-13 00:25:08 UTC
>From: John W. Linville <linville@tuxdriver.com> >Date: Tue, 2 Oct 2007 04:03:54 +0000 (-0700) >Subject: [IEEE80211]: avoid integer underflow for runt rx frames >X-Git-Tag: v2.6.23~42^2 >X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=04045f98e0457aba7d4e6736f37eed189c48a5f7 > >[IEEE80211]: avoid integer underflow for runt rx frames > >Reported by Chris Evans <scarybeasts@gmail.com>: > >> The summary is that an evil 80211 frame can crash out a victim's >> machine. It only applies to drivers using the 80211 wireless code, and >> only then to certain drivers (and even then depends on a card's >> firmware not dropping a dubious packet). I must confess I'm not >> keeping track of Linux wireless support, and the different protocol >> stacks etc. >> >> Details are as follows: >> >> ieee80211_rx() does not explicitly check that "skb->len >= hdrlen". >> There are other skb->len checks, but not enough to prevent a subtle >> off-by-two error if the frame has the IEEE80211_STYPE_QOS_DATA flag >> set. >> >> This leads to integer underflow and crash here: >> >> if (frag != 0) >> flen -= hdrlen; >> >> (flen is subsequently used as a memcpy length parameter). > >How about this? > >Signed-off-by: John W. Linville <linville@tuxdriver.com> >Signed-off-by: David S. Miller <davem@davemloft.net> >--- > >diff --git a/net/ieee80211/ieee80211_rx.c b/net/ieee80211/ieee80211_rx.c >index f2de2e4..6284c99 100644 >--- a/net/ieee80211/ieee80211_rx.c >+++ b/net/ieee80211/ieee80211_rx.c >@@ -366,6 +366,12 @@ int ieee80211_rx(struct ieee80211_device *ieee, struct sk_buff *skb, > frag = WLAN_GET_SEQ_FRAG(sc); > hdrlen = ieee80211_get_hdrlen(fc); > >+ if (skb->len < hdrlen) { >+ printk(KERN_INFO "%s: invalid SKB length %d\n", >+ dev->name, skb->len); >+ goto rx_dropped; >+ } >+ > /* Put this code here so that we avoid duplicating it in all > * Rx paths. - Jean II */ > #ifdef CONFIG_WIRELESS_EXT >
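Review bot: The printk(KERN_INFO ...) in the new "if (skb->len < hdrlen)" branch is not rate limited, and per the commit message this branch is reached by a frame that a remote sender controls, so a stream of runt frames can fill the kernel log. Guard the message with net_ratelimit() or demote it to a debug-level message, and print skb->len with %u rather than %d since it is an unsigned int. A short comment above the check noting that the later "flen -= hdrlen" for frag != 0 depends on it would also help, because that subtraction lies outside this hunk's context and the link between the two is only explained in the commit message.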