Gentoo Archives: gentoo-commits

From: "Daniel Drake (dsd)" <dsd@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] linux-patches r1380 - genpatches-2.6/trunk/2.6.26
Date: Wed, 19 Nov 2008 11:14:37
Message-Id: E1L2l11-0006zC-1r@stork.gentoo.org
1 Author: dsd
2 Date: 2008-11-19 11:14:34 +0000 (Wed, 19 Nov 2008)
3 New Revision: 1380
4
5 Added:
6 genpatches-2.6/trunk/2.6.26/2400_libertas-scan-buffer-overflow.patch
7 Modified:
8 genpatches-2.6/trunk/2.6.26/0000_README
9 Log:
10 Fix libertas buffer overflow
11
12 Modified: genpatches-2.6/trunk/2.6.26/0000_README
13 ===================================================================
14 --- genpatches-2.6/trunk/2.6.26/0000_README 2008-11-19 11:12:26 UTC (rev 1379)
15 +++ genpatches-2.6/trunk/2.6.26/0000_README 2008-11-19 11:14:34 UTC (rev 1380)
16 @@ -75,6 +75,10 @@
17 From: http://bugs.gentoo.org/233307
18 Desc: Fix to add UTC timestamp option
19
20 +Patch: 2400_libertas-scan-buffer-overflow.patch
21 +From: http://bugs.gentoo.org/247541
22 +Desc: Fix libertas buffer overflow
23 +
24 Patch: 2600_evdev-compat-ioctl-force-feedback.patch
25 From: http://bugs.gentoo.org/214700
26 Desc: Fix evdev force feedback in 32-bit compat mode
27
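Review bot: The new 0000_README entry for 2400_libertas-scan-buffer-overflow.patch says only "Desc: Fix libertas buffer overflow", which does not tell a reader which code path is affected or that this is a backport. Suggest a Desc that names the fix, for example that the SSID element length is now bounded during scan processing. The From: field points only at the Gentoo bug, while the patch file records its upstream origin in X-Git-Url, so consider referencing the upstream commit here as well so the entry can be traced without opening the patch.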
28 Added: genpatches-2.6/trunk/2.6.26/2400_libertas-scan-buffer-overflow.patch
29 ===================================================================
30 --- genpatches-2.6/trunk/2.6.26/2400_libertas-scan-buffer-overflow.patch (rev 0)
31 +++ genpatches-2.6/trunk/2.6.26/2400_libertas-scan-buffer-overflow.patch 2008-11-19 11:14:34 UTC (rev 1380)
32 @@ -0,0 +1,31 @@
33 +From: Johannes Berg <johannes@××××××××××××.net>
34 +Date: Wed, 29 Oct 2008 10:43:32 +0000 (+0100)
35 +Subject: libertas: fix buffer overrun
36 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.27.y.git;a=commitdiff_plain;h=48735d8d8bd701b1e0cd3d49c21e5e385ddcb077
37 +
38 +libertas: fix buffer overrun
39 +
40 +If somebody sends an invalid beacon/probe response, that can trash the
41 +whole BSS descriptor. The descriptor is, luckily, large enough so that
42 +it cannot scribble past the end of it; it's well above 400 bytes long.
43 +
44 +Signed-off-by: Johannes Berg <johannes@××××××××××××.net>
45 +Cc: stable@××××××.org [2.6.24-2.6.27, bug present in some form since driver was added (2.6.22)]
46 +Signed-off-by: John W. Linville <linville@×××××××××.com>
47 +---
48 +
49 +diff --git a/drivers/net/wireless/libertas/scan.c b/drivers/net/wireless/libertas/scan.c
50 +index 8f66903..22c4c61 100644
51 +--- a/drivers/net/wireless/libertas/scan.c
52 ++++ b/drivers/net/wireless/libertas/scan.c
53 +@@ -598,8 +598,8 @@ static int lbs_process_bss(struct bss_descriptor *bss,
54 +
55 + switch (elem->id) {
56 + case MFIE_TYPE_SSID:
57 +- bss->ssid_len = elem->len;
58 +- memcpy(bss->ssid, elem->data, elem->len);
59 ++ bss->ssid_len = min_t(int, 32, elem->len);
60 ++ memcpy(bss->ssid, elem->data, bss->ssid_len);
61 + lbs_deb_scan("got SSID IE: '%s', len %u\n",
62 + escape_essid(bss->ssid, bss->ssid_len),
63 + bss->ssid_len);
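Review bot: In the MFIE_TYPE_SSID case of lbs_process_bss(), the bound is the bare literal 32 in "bss->ssid_len = min_t(int, 32, elem->len);", so the copy is only safe while that number happens to match the size of bss->ssid. Suggest tying the limit to the destination, either with a named SSID-length constant or, if bss->ssid is a fixed-size array, with sizeof(bss->ssid), so that a later change to the field cannot reintroduce the overrun. Separately, an element whose len exceeds the limit is now silently truncated and the BSS is still processed. Since the commit message describes such a beacon/probe response as invalid, consider logging the oversized length in the lbs_deb_scan call or skipping the element, so a malformed frame is visible during debugging rather than appearing as a shortened SSID.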