[kernel] r9707 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Sun, 11 Nov 2007 14:51:30 -0800 

Author: dannf
Date: Sun Nov 11 22:51:48 2007
New Revision: 9707

Log:
* bugfix/ieee80211-underflow.patch
  [SECURITY] Fix integer overflow in ieee80211 which makes it possible
  for a malicious frame to crash a system using a driver built on top of
  the Linux 802.11 wireless code.
  See CVE-2007-4997

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/ieee80211-underflow.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/13etch5

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog      (original)
+++ dists/etch-security/linux-2.6/debian/changelog      Sun Nov 11 22:51:48 2007
@@ -6,8 +6,13 @@
     [SECURITY] Fix potential NULL pointer dereference which can lead to
     a local DoS (kernel oops)
     See CVE-2007-3104
+  * bugfix/ieee80211-underflow.patch
+    [SECURITY] Fix integer overflow in ieee80211 which makes it possible
+    for a malicious frame to crash a system using a driver built on top of
+    the Linux 802.11 wireless code.
+    See CVE-2007-4997
 
- -- dann frazier <[EMAIL PROTECTED]>  Wed, 07 Nov 2007 17:18:15 -0700
+ -- dann frazier <[EMAIL PROTECTED]>  Sun, 11 Nov 2007 15:46:51 -0700
 
 linux-2.6 (2.6.18.dfsg.1-13etch4) stable-security; urgency=high
 

Added: 
dists/etch-security/linux-2.6/debian/patches/bugfix/ieee80211-underflow.patch
==============================================================================
--- (empty file)
+++ 
dists/etch-security/linux-2.6/debian/patches/bugfix/ieee80211-underflow.patch   
    Sun Nov 11 22:51:48 2007
@@ -0,0 +1,54 @@
+From: John W. Linville <[EMAIL PROTECTED]>
+Date: Tue, 2 Oct 2007 04:03:54 +0000 (-0700)
+Subject: [IEEE80211]: avoid integer underflow for runt rx frames
+X-Git-Tag: kvm-47~34^2~42^2
+X-Git-Url: 
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Favi%2Fkvm.git;a=commitdiff_plain;h=04045f98e0457aba7d4e6736f37eed189c48a5f7
+
+[IEEE80211]: avoid integer underflow for runt rx frames
+
+Reported by Chris Evans <[EMAIL PROTECTED]>:
+
+> The summary is that an evil 80211 frame can crash out a victim's
+> machine. It only applies to drivers using the 80211 wireless code, and
+> only then to certain drivers (and even then depends on a card's
+> firmware not dropping a dubious packet). I must confess I'm not
+> keeping track of Linux wireless support, and the different protocol
+> stacks etc.
+>
+> Details are as follows:
+>
+> ieee80211_rx() does not explicitly check that "skb->len >= hdrlen".
+> There are other skb->len checks, but not enough to prevent a subtle
+> off-by-two error if the frame has the IEEE80211_STYPE_QOS_DATA flag
+> set.
+>
+> This leads to integer underflow and crash here:
+>
+> if (frag != 0)
+>    flen -= hdrlen;
+>
+> (flen is subsequently used as a memcpy length parameter).
+
+How about this?
+
+Signed-off-by: John W. Linville <[EMAIL PROTECTED]>
+Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
+---
+
+diff --git a/net/ieee80211/ieee80211_rx.c b/net/ieee80211/ieee80211_rx.c
+index f2de2e4..6284c99 100644
+--- a/net/ieee80211/ieee80211_rx.c
++++ b/net/ieee80211/ieee80211_rx.c
+@@ -366,6 +366,12 @@ int ieee80211_rx(struct ieee80211_device *ieee, struct 
sk_buff *skb,
+       frag = WLAN_GET_SEQ_FRAG(sc);
+       hdrlen = ieee80211_get_hdrlen(fc);
+ 
++      if (skb->len < hdrlen) {
++              printk(KERN_INFO "%s: invalid SKB length %d\n",
++                      dev->name, skb->len);
++              goto rx_dropped;
++      }
++
+       /* Put this code here so that we avoid duplicating it in all
+        * Rx paths. - Jean II */
+ #ifdef CONFIG_WIRELESS_EXT

Modified: dists/etch-security/linux-2.6/debian/patches/series/13etch5
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/13etch5 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/13etch5 Sun Nov 11 
22:51:48 2007
@@ -1,3 +1,4 @@
 + bugfix/sysfs_readdir-NULL-deref-1.patch
 + bugfix/sysfs_readdir-NULL-deref-2.patch
 + bugfix/sysfs-fix-condition-check.patch
++ bugfix/ieee80211-underflow.patch

_______________________________________________
Kernel-svn-changes mailing list
Kernel-svn-changes@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes

Reply via email to