diff options
| author | John W. Linville <linville@tuxdriver.com> | 2007-10-02 04:03:54 (GMT) |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2007-10-02 04:03:54 (GMT) |
| commit | 04045f98e0457aba7d4e6736f37eed189c48a5f7 (patch) | |
| tree | c7b927f223e6648885ef6fc3a60d073df883ef82 /COPYING | |
| parent | 9b42c336d06411e6463949d2dac63949f66ff70b (diff) | |
| download | linux-04045f98e0457aba7d4e6736f37eed189c48a5f7.tar.xz | |
[IEEE80211]: avoid integer underflow for runt rx frames
Reported by Chris Evans <scarybeasts@gmail.com>:
> The summary is that an evil 80211 frame can crash out a victim's
> machine. It only applies to drivers using the 80211 wireless code, and
> only then to certain drivers (and even then depends on a card's
> firmware not dropping a dubious packet). I must confess I'm not
> keeping track of Linux wireless support, and the different protocol
> stacks etc.
>
> Details are as follows:
>
> ieee80211_rx() does not explicitly check that "skb->len >= hdrlen".
> There are other skb->len checks, but not enough to prevent a subtle
> off-by-two error if the frame has the IEEE80211_STYPE_QOS_DATA flag
> set.
>
> This leads to integer underflow and crash here:
>
> if (frag != 0)
> flen -= hdrlen;
>
> (flen is subsequently used as a memcpy length parameter).
How about this?
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'COPYING')
0 files changed, 0 insertions, 0 deletions