Gentoo's Bugzilla – Attachment 133482 Details for
Bug 195705
net-wireless/madwifi-ng < 0.9.3.3 "xrates" Remote Denial of Service (CVE-2007-5448)
[patch]
madwifi-ng-0.9.3.2-xrates-dos.patch
madwifi-ng-0.9.3.2-xrates-dos.patch (text/plain), 1.85 KB, created by
Robert Buchholz (RETIRED)
on 2007-10-15 00:05:33 UTC
Description:
madwifi-ng-0.9.3.2-xrates-dos.patch
Filename:
MIME Type:
Creator:
Robert Buchholz (RETIRED)
Created:
2007-10-15 00:05:33 UTC
Size:
1.85 KB
patch
obsolete
>Index: madwifi-0.9.3.2/net80211/_ieee80211.h
>===================================================================
>--- madwifi-0.9.3.2.orig/net80211/_ieee80211.h
>+++ madwifi-0.9.3.2/net80211/_ieee80211.h
>@@ -225,6 +225,8 @@ struct ieee80211_channel {
> */
> #define IEEE80211_RATE_SIZE 8 /* 802.11 standard */
> #define IEEE80211_RATE_MAXSIZE 15 /* max rates we'll handle */
>+#define IEEE80211_SANITISE_RATESIZE(_rsz) \
>+ ((_rsz > IEEE80211_RATE_MAXSIZE) ? IEEE80211_RATE_MAXSIZE : _rsz)
> 
> struct ieee80211_rateset {
> u_int8_t rs_nrates;
>Index: madwifi-0.9.3.2/net80211/ieee80211_scan_sta.c
>===================================================================
>--- madwifi-0.9.3.2.orig/net80211/ieee80211_scan_sta.c
>+++ madwifi-0.9.3.2/net80211/ieee80211_scan_sta.c
>@@ -229,22 +229,23 @@ sta_add(struct ieee80211_scan_state *ss,
> IEEE80211_ADDR_COPY(se->base.se_macaddr, macaddr);
> TAILQ_INSERT_TAIL(&st->st_entry, se, se_list);
> LIST_INSERT_HEAD(&st->st_hash[hash], se, se_hash);
>+
> found:
> ise = &se->base;
>+
> /* XXX ap beaconing multiple ssid w/ same bssid */
> if (sp->ssid[1] != 0 &&
> (ISPROBE(subtype) || ise->se_ssid[1] == 0))
> memcpy(ise->se_ssid, sp->ssid, 2 + sp->ssid[1]);
>- KASSERT(sp->rates[1] <= IEEE80211_RATE_MAXSIZE,
>- ("rate set too large: %u", sp->rates[1]));
>- memcpy(ise->se_rates, sp->rates, 2 + sp->rates[1]);
>+
>+ memcpy(ise->se_rates, sp->rates,
>+ 2 + IEEE80211_SANITISE_RATESIZE(sp->rates[1]));
> if (sp->xrates != NULL) {
>- /* XXX validate xrates[1] */
>- KASSERT(sp->xrates[1] <= IEEE80211_RATE_MAXSIZE,
>- ("xrate set too large: %u", sp->xrates[1]));
>- memcpy(ise->se_xrates, sp->xrates, 2 + sp->xrates[1]);
>+ memcpy(ise->se_xrates, sp->xrates,
>+ 2 + IEEE80211_SANITISE_RATESIZE(sp->xrates[1]));
> } else
> ise->se_xrates[1] = 0;
>+
> IEEE80211_ADDR_COPY(ise->se_bssid, wh->i_addr3);
> /*
> * Record rssi data using extended precision LPF filter.
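Review bot: The added `IEEE80211_SANITISE_RATESIZE` macro uses its argument unparenthesized and evaluates it twice, so an operand with lower precedence than `>` or with side effects would be clamped incorrectly. Both uses in this patch pass a plain array element, so this is hardening rather than a live bug; the body would be safer as `(((_rsz) > IEEE80211_RATE_MAXSIZE) ? IEEE80211_RATE_MAXSIZE : (_rsz))`. A one-line comment such as `/* clamp a received rate-set length byte to what our buffers hold */` would also tell later callers that the value comes from an untrusted frame.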
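Review bot: Both new `memcpy` calls in `sta_add` clamp the number of bytes copied, but they still copy the frame's own length byte, so `ise->se_rates[1]` and `ise->se_xrates[1]` can remain larger than `IEEE80211_RATE_MAXSIZE`. Any code that later treats those bytes as the element length (not visible in this hunk) would then read past the data actually stored, so the stored length should be clamped as well: `ise->se_rates[1] = IEEE80211_SANITISE_RATESIZE(sp->rates[1]);` after the first copy and `ise->se_xrates[1] = IEEE80211_SANITISE_RATESIZE(sp->xrates[1]);` after the second. This presumes the destination arrays are `2 + IEEE80211_RATE_MAXSIZE` bytes, which the hunk does not show and should be confirmed. The function body starts and continues outside the hunk.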
Attachments on
bug 195705
: 133482