Changeset 1847

Timestamp:
12/08/06 17:34:09
Author:
mrenzmann
Message:

The fix for CVE-2006-6332 in r1842 was not entirely correct. In
encode_ie() the bounds check did not consider that each byte from
the IE causes two bytes to be written into buffer. That could
lead to a kernel oops, but does not allow code injection. This is
now fixed.

Due to the type of this problem it does not trigger another
urgent security bugfix release. v0.9.3 is at the door anyway.

Reported-by: Joachim Gleisner <jg@suse.de>

Files:

  • trunk/net80211/ieee80211_wireless.c

    r1846 r1847  
    15661566        bufsize -= leader_len; 
    15671567        p += leader_len; 
    1568         if (bufsize < ielen) 
    1569                 return 0; 
    1570         for (i = 0; i < ielen && bufsize > 2; i++) 
     1568        for (i = 0; i < ielen && bufsize > 2; i++) { 
    15711569                p += sprintf(p, "%02x", ie[i]); 
     1570                bufsize -= 2; 
     1571        } 
    15721572        return (i == ielen ? p - (u_int8_t *)buf : 0); 
    15731573}
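Review bot: the `bufsize > 2` bound in the new loop is the load-bearing part of this fix and should not be relaxed to `>= 2`: each iteration's `sprintf(p, "%02x", ie[i])` writes two hex characters plus a terminating NUL, so three bytes of room are needed before every write, which `> 2` guarantees once `bufsize -= 2` is applied per pair. The dropped pre-check `if (bufsize < ielen) return 0;` compared bytes one-to-one and the old loop never decremented `bufsize`, so its `bufsize > 2` condition was constant after the first pass; removing it in favour of in-loop accounting is the right call. Two follow-ups worth making here: a one-line comment above the loop stating the two-hex-digits-plus-NUL accounting, so the next reader does not "simplify" the bound, and confirmation that every caller treats the `0` return on truncation as "no output", since the partial hex string is already in `buf` when the loop exits early.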