nuke even more debug stuff
[openwrt/openwrt.git] / package / madwifi / patches / 105-security_patch_fix.patch
1 The fix for CVE-2006-6332 in r1842 was not entirely correct. In
2 encode_ie() the bound check did not consider that each byte from
3 the IE causes two bytes to be written into buffer. That could
4 lead to a kernel oops, but does not allow code injection. This is
5 now fixed.
6
7 Due to the type of this problem it does not trigger another
8 urgent security bugfix release. v0.9.3 is at the door anyway.
9
10 Reported-by: Joachim Gleisner <jg@suse.de>
11
12 Index: trunk/net80211/ieee80211_wireless.c
13 ===================================================================
14 --- trunk/net80211/ieee80211_wireless.c (revision 1846)
15 +++ trunk/net80211/ieee80211_wireless.c (revision 1847)
16 @@ -1566,8 +1566,8 @@
17 bufsize -= leader_len;
18 p += leader_len;
19 - if (bufsize < ielen)
20 - return 0;
21 - for (i = 0; i < ielen && bufsize > 2; i++)
22 + for (i = 0; i < ielen && bufsize > 2; i++) {
23 p += sprintf(p, "%02x", ie[i]);
24 + bufsize -= 2;
25 + }
26 return (i == ielen ? p - (u_int8_t *)buf : 0);
27 }
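Review bot: removing the `if (bufsize < ielen) return 0;` pre-check rather than correcting it means a too-small buffer is now detected only inside the loop, after hex digits have already been written at `p`, so the function returns 0 with a partially filled buffer. Consider keeping an up-front rejection sized for the real output, for example `if (bufsize < 2 * ielen + 1) return 0;`, so the failure path writes nothing past the leader, and keep the new `bufsize -= 2` accounting in the loop as a second line of defence. The `bufsize > 2` condition matches what `sprintf(p, "%02x", ...)` writes (two digits plus the terminating NUL), and a one-line comment stating that would make the bound easier to audit. The hunk does not show a check of `bufsize` against `leader_len` before `bufsize -= leader_len;`; if `bufsize` is an unsigned type, that subtraction needs a guard as well.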