Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 167023 Details for
Bug 239371
net-wireless/ndiswrapper <1.53-r1 Multiple buffer overflows (CVE-2008-4395)
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
ndiswrapper-CVE-2008-4395.patch
ndiswrapper-CVE-2008-4395.patch (text/plain), 2.96 KB, created by
Robert Buchholz (RETIRED)
on 2008-10-02 20:29:23 UTC
(
hide
)
Description:
ndiswrapper-CVE-2008-4395.patch
Filename:
MIME Type:
Creator:
Robert Buchholz (RETIRED)
Created:
2008-10-02 20:29:23 UTC
Size:
2.96 KB
patch
obsolete
>diff --git a/ubuntu/ndiswrapper/iw_ndis.c b/ubuntu/ndiswrapper/iw_ndis.c >index b114ef6..01d3751 100644 >--- a/ubuntu/ndiswrapper/iw_ndis.c >+++ b/ubuntu/ndiswrapper/iw_ndis.c >@@ -47,12 +47,7 @@ int set_essid(struct ndis_device *wnd, const char *ssid, int ssid_len) > req.length = ssid_len; > if (ssid_len) > memcpy(&req.essid, ssid, ssid_len); >- DBG_BLOCK(2) { >- char buf[NDIS_ESSID_MAX_SIZE+1]; >- memcpy(buf, ssid, ssid_len); >- buf[ssid_len] = 0; >- TRACE2("ssid = '%s'", buf); >- } >+ TRACE2("ssid = '%.*s'", ssid_len, ssid); > > res = mp_set(wnd, OID_802_11_SSID, &req, sizeof(req)); > if (res) { >@@ -125,7 +120,6 @@ static int iw_get_essid(struct net_device *dev, struct iw_request_info *info, > EXIT2(return -EOPNOTSUPP); > } > memcpy(extra, req.essid, req.length); >- extra[req.length] = 0; > if (req.length > 0) > wrqu->essid.flags = 1; > else >@@ -1000,7 +994,7 @@ static int iw_set_nick(struct net_device *dev, struct iw_request_info *info, > > if (wrqu->data.length > IW_ESSID_MAX_SIZE || wrqu->data.length <= 0) > return -EINVAL; >- memset(wnd->nick, 0, sizeof(wnd->nick)); >+ wnd->nick_len = wrqu->data.length; > memcpy(wnd->nick, extra, wrqu->data.length); > return 0; > } >@@ -1010,7 +1004,7 @@ static int iw_get_nick(struct net_device *dev, struct iw_request_info *info, > { > struct ndis_device *wnd = netdev_priv(dev); > >- wrqu->data.length = strlen(wnd->nick); >+ wrqu->data.length = wnd->nick_len; > memcpy(extra, wnd->nick, wrqu->data.length); > return 0; > } >diff --git a/ubuntu/ndiswrapper/ndis.h b/ubuntu/ndiswrapper/ndis.h >index 27ba99e..65d6b0b 100644 >--- a/ubuntu/ndiswrapper/ndis.h >+++ b/ubuntu/ndiswrapper/ndis.h >@@ -878,6 +878,7 @@ struct ndis_device { > unsigned long scan_timestamp; > struct encr_info encr_info; > char nick[IW_ESSID_MAX_SIZE]; >+ size_t nick_len; > struct ndis_essid essid; > struct auth_encr_capa capa; > enum ndis_infrastructure_mode infrastructure_mode; >diff --git a/ubuntu/ndiswrapper/proc.c b/ubuntu/ndiswrapper/proc.c >index fd5f433..6feff23 100644 >--- a/ubuntu/ndiswrapper/proc.c >+++ b/ubuntu/ndiswrapper/proc.c >@@ -97,10 +97,8 @@ static int procfs_read_ndis_encr(char *page, char **start, off_t off, > p += sprintf(p, "\n"); > > res = mp_query(wnd, OID_802_11_SSID, &essid, sizeof(essid)); >- if (!res) { >- essid.essid[essid.length] = '\0'; >- p += sprintf(p, "essid=%s\n", essid.essid); >- } >+ if (!res) >+ p += sprintf(p, "essid=%.*s\n", essid.length, essid.essid); > res = mp_query_int(wnd, OID_802_11_ENCRYPTION_STATUS, &encr_status); > if (!res) { > typeof(&wnd->encr_info.keys[0]) tx_key; >diff --git a/ubuntu/ndiswrapper/wrapndis.c b/ubuntu/ndiswrapper/wrapndis.c >index f6e5d46..35ef1cd 100644 >--- a/ubuntu/ndiswrapper/wrapndis.c >+++ b/ubuntu/ndiswrapper/wrapndis.c >@@ -2028,7 +2028,7 @@ static wstdcall NTSTATUS NdisAddDevice(struct driver_object *drv_obj, > wnd->attributes = 0; > wnd->dma_map_count = 0; > wnd->dma_map_addr = NULL; >- wnd->nick[0] = 0; >+ wnd->nick_len = 0; > init_timer(&wnd->hangcheck_timer); > wnd->scan_timestamp = 0; > init_timer(&wnd->iw_stats_timer);
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=167023">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 239371
: 167023 |
167029
