qi-hardware/openwrt-xburst
1
0
Fork 0
mirror of git://projects.qi-hardware.com/openwrt-xburst.git synced 2024-11-24 03:01:55 +02:00
Code

fix file encoding of madwifi security patch (trac gave me CRLF)

Browse Source 
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@5744 3c298f89-4303-0410-b956-a3cf2f4a3e73
This commit is contained in:
nbd 2006-12-09 21:38:50 +00:00
parent 3319f184b2
commit 87ab1e6c66
1 changed files with 27 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
package/madwifi/patches/105-security_patch_fix.patch
View File

@ -1,27 +1,27 @@
The fix for CVE-2006-6332 in r1842 was not entirely correct. In
encode_ie() the bound check did not consider that each byte from
the IE causes two bytes to be written into buffer. That could
lead to a kernel oops, but does not allow code injection. This is
now fixed.
Due to the type of this problem it does not trigger another
urgent security bugfix release. v0.9.3 is at the door anyway.
Reported-by: Joachim Gleisner <jg@suse.de>
Index: trunk/net80211/ieee80211_wireless.c
===================================================================
--- trunk/net80211/ieee80211_wireless.c (revision 1846)
+++ trunk/net80211/ieee80211_wireless.c (revision 1847)
@@ -1566,8 +1566,8 @@
bufsize -= leader_len;
p += leader_len;
- if (bufsize < ielen)
- return 0;
- for (i = 0; i < ielen && bufsize > 2; i++)
+ for (i = 0; i < ielen && bufsize > 2; i++) {
p += sprintf(p, "%02x", ie[i]);
+ bufsize -= 2;
+ }
return (i == ielen ? p - (u_int8_t *)buf : 0);
}
The fix for CVE-2006-6332 in r1842 was not entirely correct. In
encode_ie() the bound check did not consider that each byte from
the IE causes two bytes to be written into buffer. That could
lead to a kernel oops, but does not allow code injection. This is
now fixed.
Due to the type of this problem it does not trigger another
urgent security bugfix release. v0.9.3 is at the door anyway.
Reported-by: Joachim Gleisner <jg@suse.de>
Index: trunk/net80211/ieee80211_wireless.c
===================================================================
--- trunk/net80211/ieee80211_wireless.c (revision 1846)
+++ trunk/net80211/ieee80211_wireless.c (revision 1847)
@@ -1566,8 +1566,8 @@
bufsize -= leader_len;
p += leader_len;
- if (bufsize < ielen)
- return 0;
- for (i = 0; i < ielen && bufsize > 2; i++)
+ for (i = 0; i < ielen && bufsize > 2; i++) {
p += sprintf(p, "%02x", ie[i]);
+ bufsize -= 2;
+ }
return (i == ielen ? p - (u_int8_t *)buf : 0);
}