mirror of
git://projects.qi-hardware.com/openwrt-xburst.git
synced 2024-12-24 23:35:32 +02:00
fix file encoding of madwifi security patch (trac gave me CRLF)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@5744 3c298f89-4303-0410-b956-a3cf2f4a3e73
This commit is contained in:
parent
3319f184b2
commit
87ab1e6c66
@ -1,27 +1,27 @@
|
||||
The fix for CVE-2006-6332 in r1842 was not entirely correct. In
|
||||
encode_ie() the bound check did not consider that each byte from
|
||||
the IE causes two bytes to be written into buffer. That could
|
||||
lead to a kernel oops, but does not allow code injection. This is
|
||||
now fixed.
|
||||
|
||||
Due to the type of this problem it does not trigger another
|
||||
urgent security bugfix release. v0.9.3 is at the door anyway.
|
||||
|
||||
Reported-by: Joachim Gleisner <jg@suse.de>
|
||||
|
||||
Index: trunk/net80211/ieee80211_wireless.c
|
||||
===================================================================
|
||||
--- trunk/net80211/ieee80211_wireless.c (revision 1846)
|
||||
+++ trunk/net80211/ieee80211_wireless.c (revision 1847)
|
||||
@@ -1566,8 +1566,8 @@
|
||||
bufsize -= leader_len;
|
||||
p += leader_len;
|
||||
- if (bufsize < ielen)
|
||||
- return 0;
|
||||
- for (i = 0; i < ielen && bufsize > 2; i++)
|
||||
+ for (i = 0; i < ielen && bufsize > 2; i++) {
|
||||
p += sprintf(p, "%02x", ie[i]);
|
||||
+ bufsize -= 2;
|
||||
+ }
|
||||
return (i == ielen ? p - (u_int8_t *)buf : 0);
|
||||
}
|
||||
The fix for CVE-2006-6332 in r1842 was not entirely correct. In
|
||||
encode_ie() the bound check did not consider that each byte from
|
||||
the IE causes two bytes to be written into buffer. That could
|
||||
lead to a kernel oops, but does not allow code injection. This is
|
||||
now fixed.
|
||||
|
||||
Due to the type of this problem it does not trigger another
|
||||
urgent security bugfix release. v0.9.3 is at the door anyway.
|
||||
|
||||
Reported-by: Joachim Gleisner <jg@suse.de>
|
||||
|
||||
Index: trunk/net80211/ieee80211_wireless.c
|
||||
===================================================================
|
||||
--- trunk/net80211/ieee80211_wireless.c (revision 1846)
|
||||
+++ trunk/net80211/ieee80211_wireless.c (revision 1847)
|
||||
@@ -1566,8 +1566,8 @@
|
||||
bufsize -= leader_len;
|
||||
p += leader_len;
|
||||
- if (bufsize < ielen)
|
||||
- return 0;
|
||||
- for (i = 0; i < ielen && bufsize > 2; i++)
|
||||
+ for (i = 0; i < ielen && bufsize > 2; i++) {
|
||||
p += sprintf(p, "%02x", ie[i]);
|
||||
+ bufsize -= 2;
|
||||
+ }
|
||||
return (i == ielen ? p - (u_int8_t *)buf : 0);
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user