CVE-2011-2517: nl80211: missing check for valid SSID size in scan operations
parent
f77745ccf7
commit
8ba25ec095
|
@ -48,7 +48,7 @@ Summary: The Linux kernel
|
|||
# reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec).
|
||||
# scripts/rebase.sh should be made to do that for you, actually.
|
||||
#
|
||||
%global baserelease 94
|
||||
%global baserelease 95
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
@ -842,6 +842,8 @@ Patch14010: perf-tools-do-not-look-at-config-for-configuration.patch
|
|||
Patch14011: ext4-fix-max-file-size-and-logical-block-counting-of-extent-format-file.patch
|
||||
# CVE-2011-2497
|
||||
Patch14012: bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
|
||||
# CVE-2011-2517
|
||||
Patch14013: nl80211-fix-overflow-in-ssid_len.patch.patch
|
||||
|
||||
%endif
|
||||
|
||||
|
@ -1584,6 +1586,8 @@ ApplyPatch perf-tools-do-not-look-at-config-for-configuration.patch
|
|||
ApplyPatch ext4-fix-max-file-size-and-logical-block-counting-of-extent-format-file.patch
|
||||
# CVE-2011-2497
|
||||
ApplyPatch bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
|
||||
# CVE-2011-2517
|
||||
ApplyPatch nl80211-fix-overflow-in-ssid_len.patch.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
|
@ -2171,10 +2175,11 @@ fi
|
|||
# and build.
|
||||
|
||||
%changelog
|
||||
* Mon Aug 15 2011 Chuck Ebbert <cebbert@redhat.com>
|
||||
* Mon Aug 15 2011 Chuck Ebbert <cebbert@redhat.com> 2.6.35.14-95
|
||||
- CVE-2011-2905: perf tools: may parse user-controlled configuration file
|
||||
- CVE-2011-2695: ext4: kernel panic when writing data to the last block of sparse file
|
||||
- CVE-2011-2497: bluetooth: buffer overflow in l2cap config request
|
||||
- CVE-2011-2517: nl80211: missing check for valid SSID size in scan operations
|
||||
|
||||
* Wed Aug 03 2011 Chuck Ebbert <cebbert@redhat.com> 2.6.35.14-94
|
||||
- Linux 2.6.35.14
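Review bot: The new patch is registered as `nl80211-fix-overflow-in-ssid_len.patch.patch` on both the `Patch14013:` and `ApplyPatch` lines, with a doubled `.patch` suffix that none of the neighbouring entries carries. The two references agree with each other (and presumably with the name of the added file), so the build is unaffected. The irregular name still makes the CVE-2011-2517 fix easier to miss when someone audits which security patches a given build contains. Consider renaming the file and both references to `nl80211-fix-overflow-in-ssid_len.patch`.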
|
||||
|
|
|
@ -0,0 +1,44 @@
|
|||
From: Luciano Coelho <coelho@ti.com>
|
||||
Date: Tue, 7 Jun 2011 17:42:26 +0000 (+0300)
|
||||
Subject: nl80211: fix overflow in ssid_len
|
||||
X-Git-Tag: v3.0-rc4~5^2~13^2~6
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=57a27e1d6a3bb9ad4efeebd3a8c71156d6207536
|
||||
|
||||
nl80211: fix overflow in ssid_len
|
||||
[ 2.6.35 backport ]
|
||||
|
||||
When one of the SSID's length passed in a scan or sched_scan request
|
||||
is larger than 255, there will be an overflow in the u8 that is used
|
||||
to store the length before checking. This causes the check to fail
|
||||
and we overrun the buffer when copying the SSID.
|
||||
|
||||
Fix this by checking the nl80211 attribute length before copying it to
|
||||
the struct.
|
||||
|
||||
This is a follow up for the previous commit
|
||||
208c72f4fe44fe09577e7975ba0e7fa0278f3d03, which didn't fix the problem
|
||||
entirely.
|
||||
|
||||
Reported-by: Ido Yariv <ido@wizery.com>
|
||||
Signed-off-by: Luciano Coelho <coelho@ti.com>
|
||||
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
||||
---
|
||||
|
||||
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
|
||||
index 88a565f..98fa8eb 100644
|
||||
--- a/net/wireless/nl80211.c
|
||||
+++ b/net/wireless/nl80211.c
|
||||
@@ -3179,11 +3179,11 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
|
||||
i = 0;
|
||||
if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
|
||||
nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
|
||||
- request->ssids[i].ssid_len = nla_len(attr);
|
||||
- if (request->ssids[i].ssid_len > IEEE80211_MAX_SSID_LEN) {
|
||||
+ if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
|
||||
err = -EINVAL;
|
||||
goto out_free;
|
||||
}
|
||||
+ request->ssids[i].ssid_len = nla_len(attr);
|
||||
memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
|
||||
i++;
|
||||
}
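Review bot: The fix in nl80211_trigger_scan depends entirely on the `nla_len(attr) > IEEE80211_MAX_SSID_LEN` test running before the value is narrowed into `ssid_len`, yet nothing in the code records that, so a later cleanup could move the assignment back above the check and reintroduce the overrun in the `memcpy`. A comment above the check would pin the ordering: `/* check the attribute length itself: ssid_len is a u8 and would truncate values above 255 */`. As a smaller style point, `nla_len(attr)` is now evaluated three times; a local such as `int len = nla_len(attr);` used for the check, the assignment and the copy would make it obvious that all three use the same validated value. The function starts and ends outside this hunk, so whether `i` is bounded against the allocated `ssids` array cannot be confirmed from here.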
|