r294 - in /unstable/madwifi/debian: changelog patches/00list patches/10_CVE-2007-5448_sanitize_xrates.dpatch
kelmo-guest at users.alioth.debian.org
kelmo-guest at users.alioth.debian.org
Tue Oct 16 07:59:42 UTC 2007
Author: kelmo-guest
Date: Tue Oct 16 07:59:41 2007
New Revision: 294
URL: http://svn.debian.org/wsvn/pkg-madwifi/?sc=1&rev=294
Log:
(Closes: #446090, #446039)
* Add 10_CVE-2007-5448_sanitize_xrates.dpatch to fix CVE-2007-5448:
- DoS vulnerability via kassert from poor checking of xrate element in
scan results (Closes: #446824)
Added:
unstable/madwifi/debian/patches/10_CVE-2007-5448_sanitize_xrates.dpatch
Modified:
unstable/madwifi/debian/changelog
unstable/madwifi/debian/patches/00list
Modified: unstable/madwifi/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-madwifi/unstable/madwifi/debian/changelog?rev=294&op=diff
==============================================================================
--- unstable/madwifi/debian/changelog (original)
+++ unstable/madwifi/debian/changelog Tue Oct 16 07:59:41 2007
@@ -1,8 +1,12 @@
madwifi (1:0.9.3.2-2) unstable; urgency=low
* Add fix_2.6.23_include_fs_h.dpatch for linux 2.6.23 compatibility.
-
- -- Kel Modderman <kel at otaku42.de> Thu, 30 Aug 2007 10:16:48 +1000
+ (Closes: #446090, #446039)
+ * Add 10_CVE-2007-5448_sanitize_xrates.dpatch to fix CVE-2007-5448:
+ - DoS vulnerability via kassert from poor checking of xrate element in
+ scan results (Closes: #446824)
+
+ -- Kel Modderman <kel at otaku42.de> Tue, 16 Oct 2007 16:46:22 +1000
madwifi (1:0.9.3.2-1) unstable; urgency=low
Modified: unstable/madwifi/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-madwifi/unstable/madwifi/debian/patches/00list?rev=294&op=diff
==============================================================================
--- unstable/madwifi/debian/patches/00list (original)
+++ unstable/madwifi/debian/patches/00list Tue Oct 16 07:59:41 2007
@@ -1,2 +1,3 @@
+10_CVE-2007-5448_sanitize_xrates
11_mips-compile-flags-fix
12_fix-2.6.23-include-fs-h
Added: unstable/madwifi/debian/patches/10_CVE-2007-5448_sanitize_xrates.dpatch
URL: http://svn.debian.org/wsvn/pkg-madwifi/unstable/madwifi/debian/patches/10_CVE-2007-5448_sanitize_xrates.dpatch?rev=294&op=file
==============================================================================
--- unstable/madwifi/debian/patches/10_CVE-2007-5448_sanitize_xrates.dpatch (added)
+++ unstable/madwifi/debian/patches/10_CVE-2007-5448_sanitize_xrates.dpatch Tue Oct 16 07:59:41 2007
@@ -1,0 +1,42 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-5448_sanitize_xrates.dpatch by Kel Modderman <kel at otaku42.de>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix CVE-2007-5448
+## DP: http://madwifi.org/changeset/2724
+
+ at DPATCH@
+diff -Nrup madwifi-0.9.3.2.orig/net80211/_ieee80211.h madwifi-0.9.3.2/net80211/_ieee80211.h
+--- madwifi-0.9.3.2.orig/net80211/_ieee80211.h 2007-07-26 22:58:47.000000000 +1000
++++ madwifi-0.9.3.2/net80211/_ieee80211.h 2007-10-16 16:35:10.000000000 +1000
+@@ -225,6 +225,8 @@ struct ieee80211_channel {
+ */
+ #define IEEE80211_RATE_SIZE 8 /* 802.11 standard */
+ #define IEEE80211_RATE_MAXSIZE 15 /* max rates we'll handle */
++#define IEEE80211_SANITISE_RATESIZE(_rsz) \
++ ((_rsz > IEEE80211_RATE_MAXSIZE) ? IEEE80211_RATE_MAXSIZE : _rsz)
+
+ struct ieee80211_rateset {
+ u_int8_t rs_nrates;
+diff -Nrup madwifi-0.9.3.2.orig/net80211/ieee80211_scan_sta.c madwifi-0.9.3.2/net80211/ieee80211_scan_sta.c
+--- madwifi-0.9.3.2.orig/net80211/ieee80211_scan_sta.c 2007-07-26 01:14:52.000000000 +1000
++++ madwifi-0.9.3.2/net80211/ieee80211_scan_sta.c 2007-10-16 17:12:51.000000000 +1000
+@@ -235,14 +235,11 @@ found:
+ if (sp->ssid[1] != 0 &&
+ (ISPROBE(subtype) || ise->se_ssid[1] == 0))
+ memcpy(ise->se_ssid, sp->ssid, 2 + sp->ssid[1]);
+- KASSERT(sp->rates[1] <= IEEE80211_RATE_MAXSIZE,
+- ("rate set too large: %u", sp->rates[1]));
+- memcpy(ise->se_rates, sp->rates, 2 + sp->rates[1]);
++ memcpy(ise->se_rates, sp->rates,
++ 2 + IEEE80211_SANITISE_RATESIZE(sp->rates[1]));
+ if (sp->xrates != NULL) {
+- /* XXX validate xrates[1] */
+- KASSERT(sp->xrates[1] <= IEEE80211_RATE_MAXSIZE,
+- ("xrate set too large: %u", sp->xrates[1]));
+- memcpy(ise->se_xrates, sp->xrates, 2 + sp->xrates[1]);
++ memcpy(ise->se_xrates, sp->xrates,
++ 2 + IEEE80211_SANITISE_RATESIZE(sp->xrates[1]));
+ } else
+ ise->se_xrates[1] = 0;
+ IEEE80211_ADDR_COPY(ise->se_bssid, wh->i_addr3);
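Review bot: The clamped memcpy calls in ieee80211_scan_sta.c still copy the frame's own length byte, so `ise->se_rates[1]` and `ise->se_xrates[1]` keep the oversized value even though at most IEEE80211_RATE_MAXSIZE rate bytes were stored. Any later reader that trusts the stored length byte would run past the copied data; whether such readers re-validate is not visible in this patch. The stored length should be rewritten after each copy, e.g. `ise->se_rates[1] = IEEE80211_SANITISE_RATESIZE(sp->rates[1]);` and likewise for `se_xrates[1]`. The macro in _ieee80211.h would also be safer with its argument parenthesised, `(((_rsz) > IEEE80211_RATE_MAXSIZE) ? IEEE80211_RATE_MAXSIZE : (_rsz))`, since it expands `_rsz` twice. The enclosing function in ieee80211_scan_sta.c starts and ends outside the hunk, so the size of the destination arrays is assumed, not confirmed.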