
kernel-2.6.18-238.el5.src.rpm

From: Anton Arapov <aarapov@redhat.com>
Subject: [RHEL5.2 PATCH] BZ346401: CVE-2007-4997 kernel ieee80211 off-by-two integer underflow
Date: Tue, 23 Oct 2007 13:25:15 +0200
Bugzilla: 346401
Message-Id: <m3sl422hus.fsf@bandura.englab.brq.redhat.com>
Changelog: [net] ieee80211: off-by-two integer underflow


BZ#346401:
  https://bugzilla.redhat.com/show_bug.cgi?id=346401

Description: (upstream patch quote)
  ieee80211_rx() does not explicitly check that "skb->len >=
hdrlen". There are other skb->len checks, but not enough to prevent a
subtle off-by-two error if the frame has the IEEE80211_STYPE_QOS_DATA
flag set.
  This leads to integer underflow and crash here:
    if (frag != 0)
        flen -= hdrlen;

Upstream status:
  commit# 04045f98e0457aba7d4e6736f37eed189c48a5f7
          [IEEE80211]: avoid integer underflow for runt rx frames

Test status:
  has been tested for compilation and boot.

Notice:
  BZ#346381 - clone of this bug for rhel 4.7

==
diff -urpN linux-2.6.18.noarch.orig/net/ieee80211/ieee80211_rx.c linux-2.6.18.noarch/net/ieee80211/ieee80211_rx.c
--- linux-2.6.18.noarch.orig/net/ieee80211/ieee80211_rx.c	2007-10-23 10:13:47.000000000 +0200
+++ linux-2.6.18.noarch/net/ieee80211/ieee80211_rx.c	2007-10-23 10:14:07.000000000 +0200
@@ -366,6 +366,12 @@ int ieee80211_rx(struct ieee80211_device
 	frag = WLAN_GET_SEQ_FRAG(sc);
 	hdrlen = ieee80211_get_hdrlen(fc);
 
+	if (skb->len < hdrlen) {
+		printk(KERN_INFO "%s: invalid SKB length %d\n",
+			dev->name, skb->len);
+		goto rx_dropped;
+	}
+
 	/* Put this code here so that we avoid duplicating it in all
 	 * Rx paths. - Jean II */
 #ifdef CONFIG_WIRELESS_EXT
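Review bot: the new check `if (skb->len < hdrlen)` is the right guard for the "skb->len >= hdrlen" condition the description names, but the message it prints has two small issues. `skb->len` is an `unsigned int`, so the format in `printk(KERN_INFO "%s: invalid SKB length %d\n", ...)` should be `%u`. More importantly, this path is reached by any received frame before further validation, so an unconditional `printk` lets a burst of runt frames flood the log; wrapping the message in `if (printk_ratelimit())` (or dropping the message and relying on the existing `rx_dropped` accounting) keeps the drop itself while bounding the logging cost.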

-- 
Anton Arapov, <aarapov@redhat.com>
GPG Key ID: 0x6FA8C812
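The description above says the bug is an off-by-two on QoS data frames: `ieee80211_get_hdrlen(fc)` returns two more bytes for `IEEE80211_STYPE_QOS_DATA`, and nothing guaranteed `skb->len >= hdrlen` before `flen -= hdrlen`. The following is an added example, not code from the RPM, the kernel or the patch author; it models that arithmetic in user space so the failure and the fix can be compared side by side. The header lengths (24 bytes for a 3-address data header, plus 2 for the QoS control field), the frame-control bit values and the names `model_get_hdrlen`, `fragment_len_unchecked`, `fragment_len_checked` and `as_copy_len` are constructed for this example; it also assumes, as the description's "crash" implies, that the negative `flen` is afterwards consumed as an unsigned copy length.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed frame-control constants for this model; the real ones are in
 * the kernel's net/ieee80211.h and are not copied here. */
#define FCTL_STYPE_MASK    0x00F0
#define FTYPE_DATA         0x0008
#define STYPE_QOS_DATA     0x0080
#define BASE_DATA_HDRLEN   24   /* 3-address data header */
#define QOS_FIELD_LEN      2    /* the two extra bytes behind the off-by-two */

/* Model of ieee80211_get_hdrlen(): a data header is 24 bytes, or 26 when the
 * QoS data subtype is set. Only the QoS case matters for this bug. */
unsigned int model_get_hdrlen(unsigned int fc)
{
    unsigned int hdrlen = BASE_DATA_HDRLEN;
    if ((fc & FCTL_STYPE_MASK) == STYPE_QOS_DATA)
        hdrlen += QOS_FIELD_LEN;
    return hdrlen;
}

/* Pre-fix arithmetic: nothing guarantees skb_len >= hdrlen, so for a
 * fragment (frag != 0) of a runt QoS frame the result goes negative. */
int fragment_len_unchecked(unsigned int skb_len, unsigned int fc, unsigned int frag)
{
    unsigned int hdrlen = model_get_hdrlen(fc);
    int flen = (int)skb_len;        /* signed, as the quoted kernel snippet uses it */
    if (frag != 0)
        flen -= hdrlen;             /* 25 - 26 == -1 for a 25-byte QoS fragment */
    return flen;
}

/* What a negative length becomes once it is handed to a copy routine that
 * takes an unsigned size: the wrap is why the bug crashes rather than just
 * miscounting (assumption stated in the lead-in). */
size_t as_copy_len(int flen)
{
    return (size_t)flen;
}

/* Post-fix arithmetic: the patch's "skb->len < hdrlen" guard runs before any
 * subtraction. Returns -1 for "drop the frame" (the goto rx_dropped path),
 * otherwise the non-negative fragment payload length. */
int fragment_len_checked(unsigned int skb_len, unsigned int fc, unsigned int frag)
{
    unsigned int hdrlen = model_get_hdrlen(fc);
    if (skb_len < hdrlen)
        return -1;                  /* frame shorter than its own header: drop */
    unsigned int flen = skb_len;
    if (frag != 0)
        flen -= hdrlen;             /* cannot underflow any more */
    return (int)flen;
}

int main(void)
{
    /* Constructed input: a 25-byte fragment whose frame control says
     * "QoS data" (26-byte header), i.e. one byte short of its own header. */
    unsigned int qos_fc = FTYPE_DATA | STYPE_QOS_DATA;
    int before = fragment_len_unchecked(25, qos_fc, 1);
    int after  = fragment_len_checked(25, qos_fc, 1);

    printf("hdrlen(QoS data) = %u\n", model_get_hdrlen(qos_fc));
    printf("unchecked flen   = %d (as copy length: %zu)\n", before, as_copy_len(before));
    printf("checked flen     = %d (-1 means dropped)\n", after);
    return 0;
}
```

The example deliberately keeps `flen` signed in the unchecked path, matching the `flen -= hdrlen` quoted in the description, and shows the same 25-byte frame being accepted by the old arithmetic with a negative length and rejected by the guarded version; a non-QoS frame of the same size has a 24-byte header and is handled correctly by both.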