X-Git-Url: http://git.rohieb.name/openwrt.git/blobdiff_plain/bcaf7a306aa5b2582875551066eac708bf069ffe..eacd5dbffae57f6e167b6ef2c288730e2a1175c4:/package/madwifi/patches/105-security_patch_fix.patch?ds=inline diff --git a/package/madwifi/patches/105-security_patch_fix.patch b/package/madwifi/patches/105-security_patch_fix.patch index df0ea4d49..96dc17ac6 100644 --- a/package/madwifi/patches/105-security_patch_fix.patch +++ b/package/madwifi/patches/105-security_patch_fix.patch @@ -1,27 +1,27 @@ -The fix for CVE-2006-6332 in r1842 was not entirely correct. In -encode_ie() the bound check did not consider that each byte from -the IE causes two bytes to be written into buffer. That could -lead to a kernel oops, but does not allow code injection. This is -now fixed. - -Due to the type of this problem it does not trigger another -urgent security bugfix release. v0.9.3 is at the door anyway. - -Reported-by: Joachim Gleisner - -Index: trunk/net80211/ieee80211_wireless.c -=================================================================== ---- trunk/net80211/ieee80211_wireless.c (revision 1846) -+++ trunk/net80211/ieee80211_wireless.c (revision 1847) -@@ -1566,8 +1566,8 @@ - bufsize -= leader_len; - p += leader_len; -- if (bufsize < ielen) -- return 0; -- for (i = 0; i < ielen && bufsize > 2; i++) -+ for (i = 0; i < ielen && bufsize > 2; i++) { - p += sprintf(p, "%02x", ie[i]); -+ bufsize -= 2; -+ } - return (i == ielen ? p - (u_int8_t *)buf : 0); - } +The fix for CVE-2006-6332 in r1842 was not entirely correct. In +encode_ie() the bound check did not consider that each byte from +the IE causes two bytes to be written into buffer. That could +lead to a kernel oops, but does not allow code injection. This is +now fixed. + +Due to the type of this problem it does not trigger another +urgent security bugfix release. v0.9.3 is at the door anyway. + +Reported-by: Joachim Gleisner + +Index: trunk/net80211/ieee80211_wireless.c +=================================================================== +--- trunk/net80211/ieee80211_wireless.c (revision 1846) ++++ trunk/net80211/ieee80211_wireless.c (revision 1847) +@@ -1566,8 +1566,8 @@ + bufsize -= leader_len; + p += leader_len; +- if (bufsize < ielen) +- return 0; +- for (i = 0; i < ielen && bufsize > 2; i++) ++ for (i = 0; i < ielen && bufsize > 2; i++) { + p += sprintf(p, "%02x", ie[i]); ++ bufsize -= 2; ++ } + return (i == ielen ? p - (u_int8_t *)buf : 0); + }