CVE-2011-2517: kernel: nl80211: missing check for valid SSID size in scan operations
parent
10aa0c1bf7
commit
5d1e28000d
|
@ -780,6 +780,9 @@ Patch12419: iwlagn-use-cts-to-self-protection-on-5000-adapters-series.patch
|
|||
|
||||
Patch12420: crypto-aesni_intel-merge-with-fpu_ko.patch
|
||||
|
||||
Patch12430: nl80211-fix-check-for-valid-ssid-size-in-scan-operations.patch
|
||||
Patch12431: nl80211-fix-overflow-in-ssid_len.patch.patch
|
||||
|
||||
%endif
|
||||
|
||||
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
|
||||
|
@ -1335,6 +1338,9 @@ ApplyPatch hda_intel-prealloc-4mb-dmabuffer.patch
|
|||
ApplyPatch bluetooth-device-ids-for-ath3k-on-pegatron-lucid-tablets.patch
|
||||
# CVE-2011-2497
|
||||
ApplyPatch bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
|
||||
# CVE-2011-2517
|
||||
ApplyPatch nl80211-fix-check-for-valid-ssid-size-in-scan-operations.patch
|
||||
ApplyPatch nl80211-fix-overflow-in-ssid_len.patch.patch
|
||||
|
||||
# Misc fixes
|
||||
# The input layer spews crap no-one cares about.
|
||||
|
@ -2073,6 +2079,7 @@ fi
|
|||
- Revert SCSI/block patches from 2.6.38.6 that caused more problems
|
||||
than they fixed; drop band-aid patch attempting to fix the fix.
|
||||
- CVE-2011-2497: kernel: bluetooth: buffer overflow in l2cap config request
|
||||
- CVE-2011-2517: kernel: nl80211: missing check for valid SSID size in scan operations
|
||||
|
||||
* Mon Jun 27 2011 Dave Jones <davej@redhat.com>
|
||||
- Disable CONFIG_CRYPTO_MANAGER_DISABLE_TESTS, as this also disables FIPS (rhbz 716942)
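Review bot: The second patch is registered as `nl80211-fix-overflow-in-ssid_len.patch.patch`, with a doubled suffix, on both the `Patch12431:` and `ApplyPatch` lines. It applies because the two lines agree, but renaming the file to end in a single `.patch` would match the neighbouring entries. The `# CVE-2011-2517` comment is also worth extending, because the first patch alone still stores the length in a u8 before the check, e.g. `# CVE-2011-2517 (both patches required; the second must apply after the first)`. The second patch's context lines are the output of the first, so the order of the two `ApplyPatch` lines cannot be swapped.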
|
||||
|
|
|
@ -0,0 +1,42 @@
|
|||
From: Luciano Coelho <coelho@ti.com>
|
||||
Date: Wed, 18 May 2011 21:43:38 +0000 (+0300)
|
||||
Subject: nl80211: fix check for valid SSID size in scan operations
|
||||
X-Git-Tag: v3.0-rc2~7^2~16^2~12
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=208c72f4fe44fe09577e7975ba0e7fa0278f3d03
|
||||
|
||||
nl80211: fix check for valid SSID size in scan operations
|
||||
[ 2.6.38 backport ]
|
||||
|
||||
In both trigger_scan and sched_scan operations, we were checking for
|
||||
the SSID length before assigning the value correctly. Since the
|
||||
memory was just kzalloc'ed, the check was always failing and SSID with
|
||||
over 32 characters were allowed to go through.
|
||||
|
||||
This was causing a buffer overflow when copying the actual SSID to the
|
||||
proper place.
|
||||
|
||||
This bug has been there since 2.6.29-rc4.
|
||||
|
||||
Cc: stable@kernel.org
|
||||
Signed-off-by: Luciano Coelho <coelho@ti.com>
|
||||
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
||||
---
|
||||
|
||||
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
|
||||
index ec83f41..88a565f 100644
|
||||
--- a/net/wireless/nl80211.c
|
||||
+++ b/net/wireless/nl80211.c
|
||||
@@ -3406,12 +3406,12 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
|
||||
i = 0;
|
||||
if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
|
||||
nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
|
||||
+ request->ssids[i].ssid_len = nla_len(attr);
|
||||
if (request->ssids[i].ssid_len > IEEE80211_MAX_SSID_LEN) {
|
||||
err = -EINVAL;
|
||||
goto out_free;
|
||||
}
|
||||
memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
|
||||
- request->ssids[i].ssid_len = nla_len(attr);
|
||||
i++;
|
||||
}
|
||||
}
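Review bot: The backported message still says the check was wrong in both trigger_scan and sched_scan, yet the only hunk is in `nl80211_trigger_scan`, so a reader cannot tell whether a sched_scan hunk was dropped on purpose. If this tree has no sched_scan path (presumably the reason, though that is not visible here), the `[ 2.6.38 backport ]` line could say so, e.g. `[ 2.6.38 backport: sched_scan hunk dropped, not present in this tree ]`. The same applies to the follow-up patch added in this commit, whose message also mentions sched_scan. The function body starts and ends outside the hunk.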
|
|
@ -0,0 +1,44 @@
|
|||
From: Luciano Coelho <coelho@ti.com>
|
||||
Date: Tue, 7 Jun 2011 17:42:26 +0000 (+0300)
|
||||
Subject: nl80211: fix overflow in ssid_len
|
||||
X-Git-Tag: v3.0-rc4~5^2~13^2~6
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=57a27e1d6a3bb9ad4efeebd3a8c71156d6207536
|
||||
|
||||
nl80211: fix overflow in ssid_len
|
||||
[ 2.6.38 backport ]
|
||||
|
||||
When one of the SSID's length passed in a scan or sched_scan request
|
||||
is larger than 255, there will be an overflow in the u8 that is used
|
||||
to store the length before checking. This causes the check to fail
|
||||
and we overrun the buffer when copying the SSID.
|
||||
|
||||
Fix this by checking the nl80211 attribute length before copying it to
|
||||
the struct.
|
||||
|
||||
This is a follow up for the previous commit
|
||||
208c72f4fe44fe09577e7975ba0e7fa0278f3d03, which didn't fix the problem
|
||||
entirely.
|
||||
|
||||
Reported-by: Ido Yariv <ido@wizery.com>
|
||||
Signed-off-by: Luciano Coelho <coelho@ti.com>
|
||||
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
||||
---
|
||||
|
||||
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
|
||||
index 88a565f..98fa8eb 100644
|
||||
--- a/net/wireless/nl80211.c
|
||||
+++ b/net/wireless/nl80211.c
|
||||
@@ -3406,11 +3406,11 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
|
||||
i = 0;
|
||||
if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
|
||||
nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
|
||||
- request->ssids[i].ssid_len = nla_len(attr);
|
||||
- if (request->ssids[i].ssid_len > IEEE80211_MAX_SSID_LEN) {
|
||||
+ if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
|
||||
err = -EINVAL;
|
||||
goto out_free;
|
||||
}
|
||||
+ request->ssids[i].ssid_len = nla_len(attr);
|
||||
memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
|
||||
i++;
|
||||
}
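Review bot: Nothing in the code records why the check at `if (nla_len(attr) > IEEE80211_MAX_SSID_LEN)` must test the attribute length rather than the stored field, so a later cleanup could reintroduce the truncation. A comment above it would carry the reason from the patch description: `/* check nla_len() itself: ssid_len is a u8, so a length above 255 would wrap before the comparison */`. The `memcpy` on the following line passes `nla_len(attr)` again; using `request->ssids[i].ssid_len` there would make the copied length visibly the validated one. The enclosing function continues outside the hunk.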
|