Author: dannf Date: Sun Nov 11 22:51:48 2007 New Revision: 9707 Log: * bugfix/ieee80211-underflow.patch [SECURITY] Fix integer overflow in ieee80211 which makes it possible for a malicious frame to crash a system using a driver built on top of the Linux 802.11 wireless code. See CVE-2007-4997
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/ieee80211-underflow.patch Modified: dists/etch-security/linux-2.6/debian/changelog dists/etch-security/linux-2.6/debian/patches/series/13etch5 Modified: dists/etch-security/linux-2.6/debian/changelog ============================================================================== --- dists/etch-security/linux-2.6/debian/changelog (original) +++ dists/etch-security/linux-2.6/debian/changelog Sun Nov 11 22:51:48 2007 @@ -6,8 +6,13 @@ [SECURITY] Fix potential NULL pointer dereference which can lead to a local DoS (kernel oops) See CVE-2007-3104 + * bugfix/ieee80211-underflow.patch + [SECURITY] Fix integer overflow in ieee80211 which makes it possible + for a malicious frame to crash a system using a driver built on top of + the Linux 802.11 wireless code. + See CVE-2007-4997 - -- dann frazier <[EMAIL PROTECTED]> Wed, 07 Nov 2007 17:18:15 -0700 + -- dann frazier <[EMAIL PROTECTED]> Sun, 11 Nov 2007 15:46:51 -0700 linux-2.6 (2.6.18.dfsg.1-13etch4) stable-security; urgency=high Added: dists/etch-security/linux-2.6/debian/patches/bugfix/ieee80211-underflow.patch ============================================================================== --- (empty file) +++ dists/etch-security/linux-2.6/debian/patches/bugfix/ieee80211-underflow.patch Sun Nov 11 22:51:48 2007 @@ -0,0 +1,54 @@ +From: John W. Linville <[EMAIL PROTECTED]> +Date: Tue, 2 Oct 2007 04:03:54 +0000 (-0700) +Subject: [IEEE80211]: avoid integer underflow for runt rx frames +X-Git-Tag: kvm-47~34^2~42^2 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Favi%2Fkvm.git;a=commitdiff_plain;h=04045f98e0457aba7d4e6736f37eed189c48a5f7 + +[IEEE80211]: avoid integer underflow for runt rx frames + +Reported by Chris Evans <[EMAIL PROTECTED]>: + +> The summary is that an evil 80211 frame can crash out a victim's +> machine. It only applies to drivers using the 80211 wireless code, and +> only then to certain drivers (and even then depends on a card's +> firmware not dropping a dubious packet). I must confess I'm not +> keeping track of Linux wireless support, and the different protocol +> stacks etc. +> +> Details are as follows: +> +> ieee80211_rx() does not explicitly check that "skb->len >= hdrlen". +> There are other skb->len checks, but not enough to prevent a subtle +> off-by-two error if the frame has the IEEE80211_STYPE_QOS_DATA flag +> set. +> +> This leads to integer underflow and crash here: +> +> if (frag != 0) +> flen -= hdrlen; +> +> (flen is subsequently used as a memcpy length parameter). + +How about this? + +Signed-off-by: John W. Linville <[EMAIL PROTECTED]> +Signed-off-by: David S. Miller <[EMAIL PROTECTED]> +--- + +diff --git a/net/ieee80211/ieee80211_rx.c b/net/ieee80211/ieee80211_rx.c +index f2de2e4..6284c99 100644 +--- a/net/ieee80211/ieee80211_rx.c ++++ b/net/ieee80211/ieee80211_rx.c +@@ -366,6 +366,12 @@ int ieee80211_rx(struct ieee80211_device *ieee, struct sk_buff *skb, + frag = WLAN_GET_SEQ_FRAG(sc); + hdrlen = ieee80211_get_hdrlen(fc); + ++ if (skb->len < hdrlen) { ++ printk(KERN_INFO "%s: invalid SKB length %d\n", ++ dev->name, skb->len); ++ goto rx_dropped; ++ } ++ + /* Put this code here so that we avoid duplicating it in all + * Rx paths. - Jean II */ + #ifdef CONFIG_WIRELESS_EXT Modified: dists/etch-security/linux-2.6/debian/patches/series/13etch5 ============================================================================== --- dists/etch-security/linux-2.6/debian/patches/series/13etch5 (original) +++ dists/etch-security/linux-2.6/debian/patches/series/13etch5 Sun Nov 11 22:51:48 2007 @@ -1,3 +1,4 @@ + bugfix/sysfs_readdir-NULL-deref-1.patch + bugfix/sysfs_readdir-NULL-deref-2.patch + bugfix/sysfs-fix-condition-check.patch ++ bugfix/ieee80211-underflow.patch _______________________________________________ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes