Changeset 2749

Timestamp:

10/16/07 10:58:14 (1 year ago)

Author:

kelmo

Message:

Fix CVE-2007-5448:

| Madwifi 0.9.3.2 and earlier allows remote attackers to cause a denial
| of service (panic) via a beacon frame with a large length value in the
| extended supported rates (xrates) element, which triggers an assertion
| error, related to net80211/ieee80211_scan_ap.c and
| net80211/ieee80211_scan_sta.c.

One interesting fact is that net80211/ieee80211_scan_ap.c is not prone to
this vulnerability in any of our releases. r2724 is the first revision
where net80211/ieee80211_scan_ap.c is vulnerable.

Reference changeset: r2724

Files:

• madwifi/releases/0.9.3/net80211/_ieee80211.h (modified) (1 diff)
• madwifi/releases/0.9.3/net80211/ieee80211_scan_sta.c (modified) (1 diff)

madwifi/releases/0.9.3/net80211/_ieee80211.h

@@ -226 +226 @@
-#define IEEE80211_RATE_SIZE     8               /* 802.11 standard */
-#define IEEE80211_RATE_MAXSIZE  15              /* max rates we'll handle */
+#define IEEE80211_SANITISE_RATESIZE(_rsz) \
+        ((_rsz > IEEE80211_RATE_MAXSIZE) ? IEEE80211_RATE_MAXSIZE : _rsz)
-
-struct ieee80211_rateset {

madwifi/releases/0.9.3/net80211/ieee80211_scan_sta.c

@@ -236 +236 @@
-            (ISPROBE(subtype) || ise->se_ssid[1] == 0))
-                memcpy(ise->se_ssid, sp->ssid, 2 + sp->ssid[1]);
-
-
-
+
+
-        if (sp->xrates != NULL) {
-
-
-
-
+
+
-        } else
-                ise->se_xrates[1] = 0;