This is a note to let you know that I've just added the patch titled
radiotap: fix bitmap-end-finding buffer overrun
to the 3.10-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
radiotap-fix-bitmap-end-finding-buffer-overrun.patch
and it can be found in the queue-3.10 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From bd02cd2549cfcdfc57cb5ce57ffc3feb94f70575 Mon Sep 17 00:00:00 2001
From: Johannes Berg <[email protected]>
Date: Mon, 16 Dec 2013 12:04:36 +0100
Subject: radiotap: fix bitmap-end-finding buffer overrun
From: Johannes Berg <[email protected]>
commit bd02cd2549cfcdfc57cb5ce57ffc3feb94f70575 upstream.
Evan Huus found (by fuzzing in wireshark) that the radiotap
iterator code can access beyond the length of the buffer if
the first bitmap claims an extension but then there's no
data at all. Fix this.
Reported-by: Evan Huus <[email protected]>
Signed-off-by: Johannes Berg <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/wireless/radiotap.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/wireless/radiotap.c
+++ b/net/wireless/radiotap.c
@@ -124,6 +124,10 @@ int ieee80211_radiotap_iterator_init(
/* find payload start allowing for extended bitmap(s) */
if (iterator->_bitmap_shifter & (1<<IEEE80211_RADIOTAP_EXT)) {
+ if ((unsigned long)iterator->_arg -
+ (unsigned long)iterator->_rtheader + sizeof(uint32_t) >
+ (unsigned long)iterator->_max_length)
+ return -EINVAL;
while (get_unaligned_le32(iterator->_arg) &
(1 << IEEE80211_RADIOTAP_EXT)) {
iterator->_arg += sizeof(uint32_t);
Patches currently in stable-queue which might be from [email protected]
are
queue-3.10/radiotap-fix-bitmap-end-finding-buffer-overrun.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
