qi-hardware/openwrt-xburst
1
0
Fork 0
mirror of git://projects.qi-hardware.com/openwrt-xburst.git synced 2025-04-21 12:27:27 +03:00
Code Activity

update madwifi to latest trunk (refcount and hal-0.9.30.13 got merged) and include a security fix that was merged in 0.9.3.1

Browse Source 
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@7309 3c298f89-4303-0410-b956-a3cf2f4a3e73
This commit is contained in:
nbd
2007-05-23 14:54:18 +00:00
parent 7588bd7b90
commit b556b29c45
4 changed files with 93 additions and 2250 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
package/madwifi/patches/119-secfix_PR_1335.patch Normal file
View File

@@ -0,0 +1,49 @@
diff -ur madwifi.old/net80211/ieee80211_input.c madwifi.dev/net80211/ieee80211_input.c
--- madwifi.old/net80211/ieee80211_input.c 2007-05-21 17:53:39.000000000 +0200
+++ madwifi.dev/net80211/ieee80211_input.c 2007-05-23 16:50:21.097957392 +0200
@@ -695,13 +695,31 @@
/* NB: assumes linear (i.e., non-fragmented) skb */
+ /* check length > header */
+ if (skb->len < sizeof(struct ether_header) + LLC_SNAPFRAMELEN
+ + roundup(sizeof(struct athl2p_tunnel_hdr) - 2, 4) + 2) {
+ IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
+ ni->ni_macaddr, "data", "%s", "decap error");
+ vap->iv_stats.is_rx_decap++;
+ IEEE80211_NODE_STAT(ni, rx_decap);
+ goto err;
+ }
+
/* get to the tunneled headers */
ath_hdr = (struct athl2p_tunnel_hdr *)
skb_pull(skb, sizeof(struct ether_header) + LLC_SNAPFRAMELEN);
- /* ignore invalid frames */
- if(ath_hdr == NULL)
+ eh_tmp = (struct ether_header *)
+ skb_pull(skb, roundup(sizeof(struct athl2p_tunnel_hdr) - 2, 4) + 2);
+ /* sanity check for malformed 802.3 length */
+ frame_len = ntohs(eh_tmp->ether_type);
+ if (skb->len < roundup(sizeof(struct ether_header) + frame_len, 4)) {
+ IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
+ ni->ni_macaddr, "data", "%s", "decap error");
+ vap->iv_stats.is_rx_decap++;
+ IEEE80211_NODE_STAT(ni, rx_decap);
goto err;
-
+ }
+
/* only implementing FF now. drop all others. */
if (ath_hdr->proto != ATH_L2TUNNEL_PROTO_FF) {
IEEE80211_DISCARD_MAC(vap,
@@ -714,10 +732,6 @@
}
vap->iv_stats.is_rx_ffcnt++;
- /* move past the tunneled header, with alignment */
- skb_pull(skb, roundup(sizeof(struct athl2p_tunnel_hdr) - 2, 4) + 2);
- eh_tmp = (struct ether_header *)skb->data;
-
/* ether_type must be length as FF frames are always LLC/SNAP encap'd */
frame_len = ntohs(eh_tmp->ether_type);