Author: dsd |
Date: 2008-11-19 11:14:34 +0000 (Wed, 19 Nov 2008) |
New Revision: 1380 |
|
Added: |
genpatches-2.6/trunk/2.6.26/2400_libertas-scan-buffer-overflow.patch |
Modified: |
genpatches-2.6/trunk/2.6.26/0000_README |
Log: |
Fix libertas buffer overflow |
|
Modified: genpatches-2.6/trunk/2.6.26/0000_README |
=================================================================== |
--- genpatches-2.6/trunk/2.6.26/0000_README 2008-11-19 11:12:26 UTC (rev 1379) |
+++ genpatches-2.6/trunk/2.6.26/0000_README 2008-11-19 11:14:34 UTC (rev 1380) |
@@ -75,6 +75,10 @@ |
From: http://bugs.gentoo.org/233307 |
Desc: Fix to add UTC timestamp option |
|
+Patch: 2400_libertas-scan-buffer-overflow.patch |
+From: http://bugs.gentoo.org/247541 |
+Desc: Fix libertas buffer overflow |
+ |
Patch: 2600_evdev-compat-ioctl-force-feedback.patch |
From: http://bugs.gentoo.org/214700 |
Desc: Fix evdev force feedback in 32-bit compat mode |
|
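Review bot: The added `Desc: Fix libertas buffer overflow` line does not say which buffer is affected or how it is reached, although the patch header added in this same commit states that an invalid beacon/probe response triggers it and the fix is in the SSID copy in scan.c. A description such as "Fix libertas SSID buffer overrun on invalid beacon/probe response" would let someone reading 0000_README judge exposure without opening the patch. The `From:` line points only at the Gentoo bug; the upstream commit recorded in the patch's X-Git-Url could be referenced here as well.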
Added: genpatches-2.6/trunk/2.6.26/2400_libertas-scan-buffer-overflow.patch |
=================================================================== |
--- genpatches-2.6/trunk/2.6.26/2400_libertas-scan-buffer-overflow.patch (rev 0) |
+++ genpatches-2.6/trunk/2.6.26/2400_libertas-scan-buffer-overflow.patch 2008-11-19 11:14:34 UTC (rev 1380) |
@@ -0,0 +1,31 @@ |
+From: Johannes Berg <johannes@××××××××××××.net> |
+Date: Wed, 29 Oct 2008 10:43:32 +0000 (+0100) |
+Subject: libertas: fix buffer overrun |
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.27.y.git;a=commitdiff_plain;h=48735d8d8bd701b1e0cd3d49c21e5e385ddcb077 |
+ |
+libertas: fix buffer overrun |
+ |
+If somebody sends an invalid beacon/probe response, that can trash the |
+whole BSS descriptor. The descriptor is, luckily, large enough so that |
+it cannot scribble past the end of it; it's well above 400 bytes long. |
+ |
+Signed-off-by: Johannes Berg <johannes@××××××××××××.net> |
+Cc: stable@××××××.org [2.6.24-2.6.27, bug present in some form since driver was added (2.6.22)] |
+Signed-off-by: John W. Linville <linville@×××××××××.com> |
+--- |
+ |
+diff --git a/drivers/net/wireless/libertas/scan.c b/drivers/net/wireless/libertas/scan.c |
+index 8f66903..22c4c61 100644 |
+--- a/drivers/net/wireless/libertas/scan.c |
++++ b/drivers/net/wireless/libertas/scan.c |
+@@ -598,8 +598,8 @@ static int lbs_process_bss(struct bss_descriptor *bss, |
+ |
+ switch (elem->id) { |
+ case MFIE_TYPE_SSID: |
+- bss->ssid_len = elem->len; |
+- memcpy(bss->ssid, elem->data, elem->len); |
++ bss->ssid_len = min_t(int, 32, elem->len); |
++ memcpy(bss->ssid, elem->data, bss->ssid_len); |
+ lbs_deb_scan("got SSID IE: '%s', len %u\n", |
+ escape_essid(bss->ssid, bss->ssid_len), |
+ bss->ssid_len); |
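Review bot: In the MFIE_TYPE_SSID case the bound is the bare literal 32 in `min_t(int, 32, elem->len)`, so the clamp is not tied to the declared size of `bss->ssid` and will silently go stale if that declaration ever changes. Prefer a named constant shared with the declaration of `bss->ssid`, so the copy length and the buffer size cannot drift apart. The fix also truncates an over-long SSID element and carries on, which means a malformed beacon/probe response still produces a BSS entry with a cut-down SSID; consider logging the oversize length through lbs_deb_scan or skipping the element instead. The other cases of this switch are not visible in the hunk, so it is worth confirming that none of them copies `elem->len` bytes into a fixed-size field without a similar bound.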