Changeset 1842

Timestamp:
12/07/06 14:17:50 (2 years ago)
Author:
mrenzmann
Message:

Fix buffer overflow issue that was exploitable locally and remotely
for arbitrary kernel code injection. Thanks to Laurent Butti,
Jerome Raznieski and Julien Tinnes for reporting the issue.

Signed-off-by: Laurent BUTTI <laurent.butti@francetelecom.com>
Signed-off-by: Julien TINNES <julien.tinnes@francetelecom.com>

Files:

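--- a/trunk/net80211/ieee80211_wireless.c
+++ b/trunk/net80211/ieee80211_wireless.c
@@ -1566,4 +1566,6 @@
         bufsize -= leader_len;
         p += leader_len;
+        if (bufsize < ielen)
+                return 0;
         for (i = 0; i < ielen && bufsize > 2; i++)
                 p += sprintf(p, "%02x", ie[i]);
@@ -1588,5 +1590,6 @@
         char *last_ev;
 #if WIRELESS_EXT > 14
-        char buf[64 * 2 + 30];
+#define MAX_IE_LENGTH 64 * 2 + 30
+        char buf[MAX_IE_LENGTH];
 #ifndef IWEVGENIE
         static const char rsn_leader[] = "rsn_ie=";
@@ -1736,4 +1739,6 @@
 #ifdef IWEVGENIE
                 memset(&iwe, 0, sizeof(iwe));
+                if ((se->se_rsn_ie[1] + 2) > MAX_IE_LENGTH)
+                        return E2BIG;
                 memcpy(buf, se->se_rsn_ie, se->se_rsn_ie[1] + 2);
                 iwe.cmd = IWEVGENIE;
@@ -1761,4 +1766,6 @@
 #ifdef IWEVGENIE
                 memset(&iwe, 0, sizeof(iwe));
+                if ((se->se_wpa_ie[1] + 2) > MAX_IE_LENGTH)
+                        return E2BIG;
                 memcpy(buf, se->se_wpa_ie, se->se_wpa_ie[1] + 2);
                 iwe.cmd = IWEVGENIE;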
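Review bot: The new guard `if (bufsize < ielen)` in the first hunk (new lines 1568-1569) compares the remaining space with the IE's byte count, but the loop below it emits two hex characters per byte plus sprintf's terminating NUL, so an IE of up to `bufsize` bytes still passes and the encoding can need about twice the space that is left. The loop's own `bufsize > 2` test does not bound this as shown, because the unbraced body is the single `sprintf` line and `bufsize` is never decremented. Compare against the encoded size instead, e.g. `if (bufsize < 2 * ielen + 1) return 0;`, and consider bracing the loop and adding `bufsize -= 2;` so that bound becomes live. The function's signature and return are outside the hunk, so the parameter types are assumed here. Separately, `#define MAX_IE_LENGTH 64 * 2 + 30` in the second hunk should be parenthesised as `(64 * 2 + 30)` so it stays correct in any later expression.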