[kernel] r17916 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Fri Aug 12 01:56:49 UTC 2011
Author: dannf
Date: Fri Aug 12 01:56:48 2011
New Revision: 17916
Log:
nl80211: fix check for valid SSID size in scan operations
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/nl80211-fix-check-for-valid-SSID-size-in-scan-operations.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/nl80211-fix-overflow-in-ssid_len.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Fri Aug 12 01:38:30 2011 (r17915)
+++ dists/squeeze-security/linux-2.6/debian/changelog Fri Aug 12 01:56:48 2011 (r17916)
@@ -9,6 +9,7 @@
* proc: restrict access to /proc/PID/io (CVE-2011-2495)
* vm: fix vm_pgoff wrap in up/down stack expansions (CVE-2011-2496)
* Bluetooth: Prevent buffer overflow in l2cap config request (CVE-2011-2497)
+ * nl80211: fix check for valid SSID size in scan operations
[ Moritz Muehlenhoff ]
* si4713-i2c: avoid potential buffer overflow on si4713 (CVE-2011-2700)
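Review bot: the new changelog line names only the first of the two patches this revision adds; the follow-up `nl80211: fix overflow in ssid_len` (the u8 truncation that lets lengths above 255 past the check) is a distinct fix and should be mentioned here as well, and if a CVE identifier has been assigned for the issue it should be appended in the same `(CVE-...)` form the neighbouring entries use.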
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/nl80211-fix-check-for-valid-SSID-size-in-scan-operations.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/nl80211-fix-check-for-valid-SSID-size-in-scan-operations.patch Fri Aug 12 01:56:48 2011 (r17916)
@@ -0,0 +1,39 @@
+commit 208c72f4fe44fe09577e7975ba0e7fa0278f3d03
+Author: Luciano Coelho <coelho at ti.com>
+Date: Thu May 19 00:43:38 2011 +0300
+
+ nl80211: fix check for valid SSID size in scan operations
+
+ In both trigger_scan and sched_scan operations, we were checking for
+ the SSID length before assigning the value correctly. Since the
+ memory was just kzalloc'ed, the check was always failing and SSID with
+ over 32 characters were allowed to go through.
+
+ This was causing a buffer overflow when copying the actual SSID to the
+ proper place.
+
+ This bug has been there since 2.6.29-rc4.
+
+ Cc: stable at kernel.org
+ Signed-off-by: Luciano Coelho <coelho at ti.com>
+ Signed-off-by: John W. Linville <linville at tuxdriver.com>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index b75e718..f0341e4 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -2995,12 +2995,12 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
+ i = 0;
+ if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
+ nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
++ request->ssids[i].ssid_len = nla_len(attr);
+ if (request->ssids[i].ssid_len > IEEE80211_MAX_SSID_LEN) {
+ err = -EINVAL;
+ goto out_free;
+ }
+ memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
+- request->ssids[i].ssid_len = nla_len(attr);
+ i++;
+ }
+ }
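Review bot: the reordering in this hunk still stores `nla_len(attr)` into the u8 `ssid_len` before comparing it, so a nested attribute longer than 255 bytes is truncated, can pass the `> IEEE80211_MAX_SSID_LEN` test, and the full `nla_len(attr)` is then handed to `memcpy`; that is exactly what the second patch in this revision corrects, so this patch must not ship without it. Separately, the commit message says both trigger_scan and sched_scan are fixed while the backported diff touches only `nl80211_trigger_scan`; the `[dannf: backported to Debian's 2.6.32]` line should state that the sched_scan part was dropped, presumably because that code path does not exist in 2.6.32.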
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/nl80211-fix-overflow-in-ssid_len.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/nl80211-fix-overflow-in-ssid_len.patch Fri Aug 12 01:56:48 2011 (r17916)
@@ -0,0 +1,41 @@
+commit 57a27e1d6a3bb9ad4efeebd3a8c71156d6207536
+Author: Luciano Coelho <coelho at ti.com>
+Date: Tue Jun 7 20:42:26 2011 +0300
+
+ nl80211: fix overflow in ssid_len
+
+ When one of the SSID's length passed in a scan or sched_scan request
+ is larger than 255, there will be an overflow in the u8 that is used
+ to store the length before checking. This causes the check to fail
+ and we overrun the buffer when copying the SSID.
+
+ Fix this by checking the nl80211 attribute length before copying it to
+ the struct.
+
+ This is a follow up for the previous commit
+ 208c72f4fe44fe09577e7975ba0e7fa0278f3d03, which didn't fix the problem
+ entirely.
+
+ Reported-by: Ido Yariv <ido at wizery.com>
+ Signed-off-by: Luciano Coelho <coelho at ti.com>
+ Signed-off-by: John W. Linville <linville at tuxdriver.com>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index f0341e4..f72387f 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -2995,11 +2995,11 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
+ i = 0;
+ if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
+ nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
+- request->ssids[i].ssid_len = nla_len(attr);
+- if (request->ssids[i].ssid_len > IEEE80211_MAX_SSID_LEN) {
++ if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
+ err = -EINVAL;
+ goto out_free;
+ }
++ request->ssids[i].ssid_len = nla_len(attr);
+ memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
+ i++;
+ }
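Review bot: the check now compares the raw `nla_len(attr)` (an int) against `IEEE80211_MAX_SSID_LEN` before anything is written to the u8 field, which closes the truncation gap left by the previous patch. `nla_len(attr)` is evaluated three times in the loop body; a single `int len = nla_len(attr);` used for the check, the store and the `memcpy` would make it visibly the same value at all three sites. Note also that the `index f0341e4..f72387f` line chains onto the post-image of the first patch, so this one applies only after it.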
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1 Fri Aug 12 01:38:30 2011 (r17915)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1 Fri Aug 12 01:56:48 2011 (r17916)
@@ -9,3 +9,5 @@
+ bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
+ bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
+ bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
++ bugfix/all/nl80211-fix-check-for-valid-SSID-size-in-scan-operations.patch
++ bugfix/all/nl80211-fix-overflow-in-ssid_len.patch
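Review bot: the two new entries are in the order the `index` lines require (`b75e718..f0341e4`, then `f0341e4..f72387f`); the second patch's `-` lines expect the `ssid_len` store to already sit before the check, so it would not apply against the unpatched tree. Keep the pair adjacent and in this order if the series is ever reshuffled.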