r294 - in /unstable/madwifi/debian: changelog patches/00list patches/10_CVE-2007-5448_sanitize_xrates.dpatch

kelmo-guest at users.alioth.debian.org kelmo-guest at users.alioth.debian.org
Tue Oct 16 07:59:42 UTC 2007


Author: kelmo-guest
Date: Tue Oct 16 07:59:41 2007
New Revision: 294

URL: http://svn.debian.org/wsvn/pkg-madwifi/?sc=1&rev=294
Log:
  (Closes: #446090, #446039)
* Add 10_CVE-2007-5448_sanitize_xrates.dpatch to fix CVE-2007-5448:
  - DoS vulnerability via KASSERT due to insufficient validation of the xrate
    element in scan results (Closes: #446824)

Added:
    unstable/madwifi/debian/patches/10_CVE-2007-5448_sanitize_xrates.dpatch
Modified:
    unstable/madwifi/debian/changelog
    unstable/madwifi/debian/patches/00list

Modified: unstable/madwifi/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-madwifi/unstable/madwifi/debian/changelog?rev=294&op=diff
==============================================================================
--- unstable/madwifi/debian/changelog (original)
+++ unstable/madwifi/debian/changelog Tue Oct 16 07:59:41 2007
@@ -1,8 +1,12 @@
 madwifi (1:0.9.3.2-2) unstable; urgency=low
 
   * Add fix_2.6.23_include_fs_h.dpatch for linux 2.6.23 compatibility.
-
- -- Kel Modderman <kel at otaku42.de>  Thu, 30 Aug 2007 10:16:48 +1000
+    (Closes: #446090, #446039)
+  * Add 10_CVE-2007-5448_sanitize_xrates.dpatch to fix CVE-2007-5448:
+    - DoS vulnerability via kassert from poor checking of xrate element in
+      scan results (Closes: #446824)
+
+ -- Kel Modderman <kel at otaku42.de>  Tue, 16 Oct 2007 16:46:22 +1000
 
 madwifi (1:0.9.3.2-1) unstable; urgency=low
 

Modified: unstable/madwifi/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-madwifi/unstable/madwifi/debian/patches/00list?rev=294&op=diff
==============================================================================
--- unstable/madwifi/debian/patches/00list (original)
+++ unstable/madwifi/debian/patches/00list Tue Oct 16 07:59:41 2007
@@ -1,2 +1,3 @@
+10_CVE-2007-5448_sanitize_xrates
 11_mips-compile-flags-fix
 12_fix-2.6.23-include-fs-h

Added: unstable/madwifi/debian/patches/10_CVE-2007-5448_sanitize_xrates.dpatch
URL: http://svn.debian.org/wsvn/pkg-madwifi/unstable/madwifi/debian/patches/10_CVE-2007-5448_sanitize_xrates.dpatch?rev=294&op=file
==============================================================================
--- unstable/madwifi/debian/patches/10_CVE-2007-5448_sanitize_xrates.dpatch (added)
+++ unstable/madwifi/debian/patches/10_CVE-2007-5448_sanitize_xrates.dpatch Tue Oct 16 07:59:41 2007
@@ -1,0 +1,42 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-5448_sanitize_xrates.dpatch by Kel Modderman <kel at otaku42.de>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix CVE-2007-5448
+## DP: http://madwifi.org/changeset/2724
+
+ at DPATCH@
+diff -Nrup madwifi-0.9.3.2.orig/net80211/_ieee80211.h madwifi-0.9.3.2/net80211/_ieee80211.h
+--- madwifi-0.9.3.2.orig/net80211/_ieee80211.h	2007-07-26 22:58:47.000000000 +1000
++++ madwifi-0.9.3.2/net80211/_ieee80211.h	2007-10-16 16:35:10.000000000 +1000
+@@ -225,6 +225,8 @@ struct ieee80211_channel {
+  */
+ #define	IEEE80211_RATE_SIZE	8		/* 802.11 standard */
+ #define	IEEE80211_RATE_MAXSIZE	15		/* max rates we'll handle */
++#define	IEEE80211_SANITISE_RATESIZE(_rsz) \
++	((_rsz > IEEE80211_RATE_MAXSIZE) ? IEEE80211_RATE_MAXSIZE : _rsz)
+ 
+ struct ieee80211_rateset {
+ 	u_int8_t rs_nrates;
+diff -Nrup madwifi-0.9.3.2.orig/net80211/ieee80211_scan_sta.c madwifi-0.9.3.2/net80211/ieee80211_scan_sta.c
+--- madwifi-0.9.3.2.orig/net80211/ieee80211_scan_sta.c	2007-07-26 01:14:52.000000000 +1000
++++ madwifi-0.9.3.2/net80211/ieee80211_scan_sta.c	2007-10-16 17:12:51.000000000 +1000
+@@ -235,14 +235,11 @@ found:
+ 	if (sp->ssid[1] != 0 &&
+ 	    (ISPROBE(subtype) || ise->se_ssid[1] == 0))
+ 		memcpy(ise->se_ssid, sp->ssid, 2 + sp->ssid[1]);
+-	KASSERT(sp->rates[1] <= IEEE80211_RATE_MAXSIZE,
+-		("rate set too large: %u", sp->rates[1]));
+-	memcpy(ise->se_rates, sp->rates, 2 + sp->rates[1]);
++	memcpy(ise->se_rates, sp->rates, 
++			2 + IEEE80211_SANITISE_RATESIZE(sp->rates[1]));
+ 	if (sp->xrates != NULL) {
+-		/* XXX validate xrates[1] */
+-		KASSERT(sp->xrates[1] <= IEEE80211_RATE_MAXSIZE,
+-			("xrate set too large: %u", sp->xrates[1]));
+-		memcpy(ise->se_xrates, sp->xrates, 2 + sp->xrates[1]);
++		memcpy(ise->se_xrates, sp->xrates, 
++				2 + IEEE80211_SANITISE_RATESIZE(sp->xrates[1]));
+ 	} else
+ 		ise->se_xrates[1] = 0;
+ 	IEEE80211_ADDR_COPY(ise->se_bssid, wh->i_addr3);
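Review bot: The memcpy calls in ieee80211_scan_sta.c now clamp how many bytes are copied, but the length byte sp->rates[1] is copied unmodified into offset 1 of ise->se_rates, so any consumer that trusts ise->se_rates[1] still sees the original oversized count while at most IEEE80211_RATE_MAXSIZE rate bytes were actually copied; the same applies to se_xrates. After each memcpy the clamped value should be stored as well, e.g. `ise->se_rates[1] = IEEE80211_SANITISE_RATESIZE(sp->rates[1]);` and `ise->se_xrates[1] = IEEE80211_SANITISE_RATESIZE(sp->xrates[1]);`. The new macro in _ieee80211.h evaluates `_rsz` twice and does not parenthesize it; `((_rsz) > IEEE80211_RATE_MAXSIZE ? IEEE80211_RATE_MAXSIZE : (_rsz))` avoids precedence surprises, and callers should not pass side-effecting arguments. The function containing the `found:` label starts and ends outside the hunk, so whether later code re-validates the stored length byte cannot be confirmed here.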



