git.karo-electronics.de Git - karo-tx-linux.git/commit

author	John W. Linville <linville@tuxdriver.com>
	Fri, 2 Nov 2007 02:13:03 +0000 (03:13 +0100)
committer	Adrian Bunk <bunk@kernel.org>
	Fri, 2 Nov 2007 02:13:03 +0000 (03:13 +0100)
commit	c515d9db76c3fe82243677ecfbff559d05f9e852
tree	de186ec1cb7aa24a42c0ff85b3da3c09ba820959	tree \| snapshot
parent	d33e2f267f57e415d8d3fdca375652eb5767e908	commit \| diff

[IEEE80211]: avoid integer underflow for runt rx frames (CVE-2007-4997)

Reported by Chris Evans <scarybeasts@gmail.com>:

> The summary is that an evil 80211 frame can crash out a victim's
> machine. It only applies to drivers using the 80211 wireless code, and
> only then to certain drivers (and even then depends on a card's
> firmware not dropping a dubious packet). I must confess I'm not
> keeping track of Linux wireless support, and the different protocol
> stacks etc.
>
> Details are as follows:
>
> ieee80211_rx() does not explicitly check that "skb->len >= hdrlen".
> There are other skb->len checks, but not enough to prevent a subtle
> off-by-two error if the frame has the IEEE80211_STYPE_QOS_DATA flag
> set.
>
> This leads to integer underflow and crash here:
>
> if (frag != 0)
> flen -= hdrlen;
>
> (flen is subsequently used as a memcpy length parameter).

How about this?

Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>