add an update for the not-entirely-correct security fix of madwifi (see [5720], madwi...
author Felix Fietkau <nbd@openwrt.org>
Fri, 8 Dec 2006 16:48:43 +0000 (16:48 +0000)
committer Felix Fietkau <nbd@openwrt.org>
Fri, 8 Dec 2006 16:48:43 +0000 (16:48 +0000)
SVN-Revision: 5726

package/madwifi/patches/105-security_patch_fix.patch [new file with mode: 0644]

diff --git a/package/madwifi/patches/105-security_patch_fix.patch b/package/madwifi/patches/105-security_patch_fix.patch
new file mode 100644 (file)
index 0000000..df0ea4d
--- /dev/null
@@ -0,0 +1,27 @@
+The fix for CVE-2006-6332 in r1842 was not entirely correct. In\r
+encode_ie() the bound check did not consider that each byte from\r
+the IE causes two bytes to be written into buffer. That could\r
+lead to a kernel oops, but does not allow code injection. This is\r
+now fixed.\r
+\r
+Due to the type of this problem it does not trigger another\r
+urgent security bugfix release. v0.9.3 is at the door anyway.\r
+\r
+Reported-by: Joachim Gleisner <jg@suse.de> \r
+\r
+Index: trunk/net80211/ieee80211_wireless.c\r
+===================================================================\r
+--- trunk/net80211/ieee80211_wireless.c (revision 1846)\r
++++ trunk/net80211/ieee80211_wireless.c (revision 1847)\r
+@@ -1566,8 +1566,8 @@\r
+       bufsize -= leader_len;\r
+       p += leader_len;\r
+-      if (bufsize < ielen)\r
+-              return 0;\r
+-      for (i = 0; i < ielen && bufsize > 2; i++)\r
++      for (i = 0; i < ielen && bufsize > 2; i++) {\r
+               p += sprintf(p, "%02x", ie[i]);\r
++              bufsize -= 2;\r
++      }\r
+       return (i == ielen ? p - (u_int8_t *)buf : 0);\r
+ }\r
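Review bot: every line of the new 105-security_patch_fix.patch file ends in a carriage return (`\r`), so the file carries CRLF line endings; `patch` may reject the hunk against LF-terminated ieee80211_wireless.c or carry stray CRs into the source, so the file should be converted to LF before it lands in package/madwifi/patches. On the embedded change itself, the guard `bufsize > 2` with `bufsize -= 2` per iteration is consistent with `sprintf(p, "%02x", ie[i])` writing two hex digits plus a terminating NUL (three bytes), which is the two-bytes-per-IE-byte accounting the commit message describes; note that dropping the up-front `if (bufsize < ielen) return 0;` means a too-small buffer is now detected only after the loop has already written the truncated prefix into buf, and the function then returns 0 via `i == ielen ? ... : 0`, so callers must not rely on buf being untouched on failure.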