diff options
| author | John W. Linville <linville@tuxdriver.com> | 2007-11-02 03:13:03 +0100 |
|---|---|---|
| committer | Adrian Bunk <bunk@kernel.org> | 2007-11-02 03:13:03 +0100 |
| commit | c515d9db76c3fe82243677ecfbff559d05f9e852 (patch) | |
| tree | de186ec1cb7aa24a42c0ff85b3da3c09ba820959 /.gitignore | |
| parent | d33e2f267f57e415d8d3fdca375652eb5767e908 (diff) | |
[IEEE80211]: avoid integer underflow for runt rx frames (CVE-2007-4997)
Reported by Chris Evans <scarybeasts@gmail.com>:
> The summary is that an evil 80211 frame can crash out a victim's
> machine. It only applies to drivers using the 80211 wireless code, and
> only then to certain drivers (and even then depends on a card's
> firmware not dropping a dubious packet). I must confess I'm not
> keeping track of Linux wireless support, and the different protocol
> stacks etc.
>
> Details are as follows:
>
> ieee80211_rx() does not explicitly check that "skb->len >= hdrlen".
> There are other skb->len checks, but not enough to prevent a subtle
> off-by-two error if the frame has the IEEE80211_STYPE_QOS_DATA flag
> set.
>
> This leads to integer underflow and crash here:
>
> if (frag != 0)
> flen -= hdrlen;
>
> (flen is subsequently used as a memcpy length parameter).
How about this?
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
Diffstat (limited to '.gitignore')
0 files changed, 0 insertions, 0 deletions