disable debugging stuff in madwifi - saves precious flash space :)
[openwrt.git] / package / madwifi / patches / 105-security_patch_fix.patch
1 The fix for CVE-2006-6332 in r1842 was not entirely correct. In
2 encode_ie() the bound check did not consider that each byte from
3 the IE causes two bytes to be written into buffer. That could
4 lead to a kernel oops, but does not allow code injection. This is
5 now fixed.
6
7 Due to the type of this problem it does not trigger another
8 urgent security bugfix release. v0.9.3 is at the door anyway.
9
10 Reported-by: Joachim Gleisner <jg@suse.de>
11
12 Index: trunk/net80211/ieee80211_wireless.c
13 ===================================================================
14 --- trunk/net80211/ieee80211_wireless.c (revision 1846)
15 +++ trunk/net80211/ieee80211_wireless.c (revision 1847)
16 @@ -1566,8 +1566,8 @@
17 bufsize -= leader_len;
18 p += leader_len;
19 - if (bufsize < ielen)
20 - return 0;
21 - for (i = 0; i < ielen && bufsize > 2; i++)
22 + for (i = 0; i < ielen && bufsize > 2; i++) {
23 p += sprintf(p, "%02x", ie[i]);
24 + bufsize -= 2;
25 + }
26 return (i == ielen ? p - (u_int8_t *)buf : 0);
27 }
This page took 0.040202 seconds and 5 git commands to generate.