r266 - in /unstable/madwifi/debian: changelog patches/00list patches/01_secfix-0.9.3-sizecheck-take3.dpatch patches/02_secfix-0.9.3-wmmparams-take2.dpatch patches/03_secfix-0.9.3-beacon_interval_range.dpatch
kelmo-guest at users.alioth.debian.org
kelmo-guest at users.alioth.debian.org
Tue May 22 11:52:15 UTC 2007
Author: kelmo-guest
Date: Tue May 22 11:52:15 2007
New Revision: 266
URL: http://svn.debian.org/wsvn/pkg-madwifi/?sc=1&rev=266
Log:
* Add debian/patches/01_secfix-0.9.3-sizecheck-take3.dpatch to address Fast
Frame parsing remote kernel DoS exploit.
* Add debian/patches/02_secfix-0.9.3-wmmparams-take2.dpatch to fix
ieee80211_ioctl_getwmmparams local kernel DoS exploit.
* Add debian/patches/03_secfix-0.9.3-beacon_interval_range.dpatch to reject
invalid beacons and avoid unwanted situations possibly allowing local or
remote exploit.
Added:
unstable/madwifi/debian/patches/01_secfix-0.9.3-sizecheck-take3.dpatch
unstable/madwifi/debian/patches/02_secfix-0.9.3-wmmparams-take2.dpatch
unstable/madwifi/debian/patches/03_secfix-0.9.3-beacon_interval_range.dpatch
Modified:
unstable/madwifi/debian/changelog
unstable/madwifi/debian/patches/00list
Modified: unstable/madwifi/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-madwifi/unstable/madwifi/debian/changelog?rev=266&op=diff
==============================================================================
--- unstable/madwifi/debian/changelog (original)
+++ unstable/madwifi/debian/changelog Tue May 22 11:52:15 2007
@@ -1,3 +1,15 @@
+madwifi (1:0.9.3-2) unstable; urgency=low
+
+ * Add debian/patches/01_secfix-0.9.3-sizecheck-take3.dpatch to address Fast
+ Frame parsing remote kernel DoS exploit.
+ * Add debian/patches/02_secfix-0.9.3-wmmparams-take2.dpatch to fix
+ ieee80211_ioctl_getwmmparams local kernel DoS exploit.
+ * Add debian/patches/03_secfix-0.9.3-beacon_interval_range.dpatch to reject
+ invalid beacons and avoid unwanted situations possibly allowing local or
+ remote exploit.
+
+ -- Kel Modderman <kel at otaku42.de> Tue, 22 May 2007 21:47:38 +1000
+
madwifi (1:0.9.3-1) unstable; urgency=low
* New upstream release. (Closes: #416922, #416837)
Modified: unstable/madwifi/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-madwifi/unstable/madwifi/debian/patches/00list?rev=266&op=diff
==============================================================================
--- unstable/madwifi/debian/patches/00list (original)
+++ unstable/madwifi/debian/patches/00list Tue May 22 11:52:15 2007
@@ -1,1 +1,3 @@
-
+01_secfix-0.9.3-sizecheck-take3
+02_secfix-0.9.3-wmmparams-take2
+03_secfix-0.9.3-beacon_interval_range
Added: unstable/madwifi/debian/patches/01_secfix-0.9.3-sizecheck-take3.dpatch
URL: http://svn.debian.org/wsvn/pkg-madwifi/unstable/madwifi/debian/patches/01_secfix-0.9.3-sizecheck-take3.dpatch?rev=266&op=file
==============================================================================
--- unstable/madwifi/debian/patches/01_secfix-0.9.3-sizecheck-take3.dpatch (added)
+++ unstable/madwifi/debian/patches/01_secfix-0.9.3-sizecheck-take3.dpatch Tue May 22 11:52:15 2007
@@ -1,0 +1,69 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## secfix-0.9.3-sizecheck-take3.patch by Kel Modderman <kel at otaku42.de>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fast Frame parsing remote kernel DoS fix
+
+ at DPATCH@
+diff -Nrup madwifi-0.9.3.orig/net80211/ieee80211_input.c madwifi-0.9.3/net80211/ieee80211_input.c
+--- madwifi-0.9.3.orig/net80211/ieee80211_input.c 2007-02-03 06:01:51.000000000 +1000
++++ madwifi-0.9.3/net80211/ieee80211_input.c 2007-05-22 21:10:55.000000000 +1000
+@@ -693,13 +693,31 @@ ieee80211_input(struct ieee80211_node *n
+
+ /* NB: assumes linear (i.e., non-fragmented) skb */
+
++ /* check length > header */
++ if (skb->len < sizeof(struct ether_header) + LLC_SNAPFRAMELEN
++ + roundup(sizeof(struct athl2p_tunnel_hdr) - 2, 4) + 2) {
++ IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
++ ni->ni_macaddr, "data", "%s", "decap error");
++ vap->iv_stats.is_rx_decap++;
++ IEEE80211_NODE_STAT(ni, rx_decap);
++ goto err;
++ }
++
+ /* get to the tunneled headers */
+ ath_hdr = (struct athl2p_tunnel_hdr *)
+ skb_pull(skb, sizeof(struct ether_header) + LLC_SNAPFRAMELEN);
+- /* ignore invalid frames */
+- if(ath_hdr == NULL)
++ eh_tmp = (struct ether_header *)
++ skb_pull(skb, roundup(sizeof(struct athl2p_tunnel_hdr) - 2, 4) + 2);
++ /* sanity check for malformed 802.3 length */
++ frame_len = ntohs(eh_tmp->ether_type);
++ if (skb->len < roundup(sizeof(struct ether_header) + frame_len, 4)) {
++ IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
++ ni->ni_macaddr, "data", "%s", "decap error");
++ vap->iv_stats.is_rx_decap++;
++ IEEE80211_NODE_STAT(ni, rx_decap);
+ goto err;
+-
++ }
++
+ /* only implementing FF now. drop all others. */
+ if (ath_hdr->proto != ATH_L2TUNNEL_PROTO_FF) {
+ IEEE80211_DISCARD_MAC(vap,
+@@ -712,14 +730,7 @@ ieee80211_input(struct ieee80211_node *n
+ }
+ vap->iv_stats.is_rx_ffcnt++;
+
+- /* move past the tunneled header, with alignment */
+- skb_pull(skb, roundup(sizeof(struct athl2p_tunnel_hdr) - 2, 4) + 2);
+-
+ skb1 = skb_clone(skb, GFP_ATOMIC); /* XXX: GFP_ATOMIC is overkill? */
+- eh_tmp = (struct ether_header *)skb->data;
+-
+- /* ether_type must be length*/
+- frame_len = ntohs(eh_tmp->ether_type);
+
+ /* we now have 802.3 MAC hdr followed by 802.2 LLC/SNAP. convert to DIX */
+ athff_decap(skb);
+@@ -729,8 +740,6 @@ ieee80211_input(struct ieee80211_node *n
+
+ /* prepare second tunneled frame */
+ skb_pull(skb1, roundup(sizeof(struct ether_header) + frame_len, 4));
+- eh_tmp = (struct ether_header *)skb1->data;
+- frame_len = ntohs(eh_tmp->ether_type);
+ athff_decap(skb1);
+
+ /* deliver the frames */
Added: unstable/madwifi/debian/patches/02_secfix-0.9.3-wmmparams-take2.dpatch
URL: http://svn.debian.org/wsvn/pkg-madwifi/unstable/madwifi/debian/patches/02_secfix-0.9.3-wmmparams-take2.dpatch?rev=266&op=file
==============================================================================
--- unstable/madwifi/debian/patches/02_secfix-0.9.3-wmmparams-take2.dpatch (added)
+++ unstable/madwifi/debian/patches/02_secfix-0.9.3-wmmparams-take2.dpatch Tue May 22 11:52:15 2007
@@ -1,0 +1,30 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## secfix-0.9.3-wmmparams-take2.patch by Kel Modderman <kel at otaku42.de>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: ieee80211_ioctl_getwmmparams local kernel DoS
+
+ at DPATCH@
+diff -Nrup madwifi-0.9.3.orig/net80211/ieee80211_wireless.c madwifi-0.9.3/net80211/ieee80211_wireless.c
+--- madwifi-0.9.3.orig/net80211/ieee80211_wireless.c 2007-02-12 15:25:25.000000000 +1000
++++ madwifi-0.9.3/net80211/ieee80211_wireless.c 2007-05-22 21:12:07.000000000 +1000
+@@ -3621,7 +3621,8 @@ ieee80211_ioctl_setwmmparams(struct net_
+ {
+ struct ieee80211vap *vap = dev->priv;
+ int *param = (int *) extra;
+- int ac = (param[1] < WME_NUM_AC) ? param[1] : WME_AC_BE;
++ int ac = (param[1] >= 0 && param[1] < WME_NUM_AC) ?
++ param[1] : WME_AC_BE;
+ int bss = param[2];
+ struct ieee80211_wme_state *wme = &vap->iv_ic->ic_wme;
+
+@@ -3709,7 +3710,8 @@ ieee80211_ioctl_getwmmparams(struct net_
+ {
+ struct ieee80211vap *vap = dev->priv;
+ int *param = (int *) extra;
+- int ac = (param[1] < WME_NUM_AC) ? param[1] : WME_AC_BE;
++ int ac = (param[1] >= 0 && param[1] < WME_NUM_AC) ?
++ param[1] : WME_AC_BE;
+ struct ieee80211_wme_state *wme = &vap->iv_ic->ic_wme;
+ struct chanAccParams *chanParams = (param[2] == 0) ?
+ &(wme->wme_chanParams) : &(wme->wme_bssChanParams);
Added: unstable/madwifi/debian/patches/03_secfix-0.9.3-beacon_interval_range.dpatch
URL: http://svn.debian.org/wsvn/pkg-madwifi/unstable/madwifi/debian/patches/03_secfix-0.9.3-beacon_interval_range.dpatch?rev=266&op=file
==============================================================================
--- unstable/madwifi/debian/patches/03_secfix-0.9.3-beacon_interval_range.dpatch (added)
+++ unstable/madwifi/debian/patches/03_secfix-0.9.3-beacon_interval_range.dpatch Tue May 22 11:52:15 2007
@@ -1,0 +1,181 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## beacon_interval_range_plus_iw_power_cleanup.patch by Kel Modderman <kel at otaku42.de>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: reject invalid local and remote beacons
+## DP: http://madwifi.org/changeset/2348
+## DP: while there, clean up IW POWER handling
+## DP: http://madwifi.org/changeset/2272
+
+ at DPATCH@
+diff -Nrup madwifi-0.9.3.orig/net80211/ieee80211_input.c madwifi-0.9.3/net80211/ieee80211_input.c
+--- madwifi-0.9.3.orig/net80211/ieee80211_input.c 2007-02-03 06:01:51.000000000 +1000
++++ madwifi-0.9.3/net80211/ieee80211_input.c 2007-05-22 21:30:35.000000000 +1000
+@@ -2733,7 +2733,20 @@ ieee80211_recv_mgmt(struct ieee80211_nod
+ vap->iv_stats.is_rx_chanmismatch++;
+ return;
+ }
+-
++
++ /* IEEE802.11 does not specify the allowed range for
++ * beacon interval. We discard any beacons with a
++ * beacon interval outside of an arbitrary range in
++ * order to protect against attack.
++ */
++ if (!(IEEE80211_BINTVAL_MIN <= scan.bintval &&
++ scan.bintval <= IEEE80211_BINTVAL_MAX)) {
++ IEEE80211_DISCARD(vap, IEEE80211_MSG_SCAN,
++ wh, "beacon", "invalid beacon interval (%u)",
++ scan.bintval);
++ return;
++ }
++
+ /*
+ * Count frame now that we know it's to be processed.
+ */
+@@ -2861,7 +2874,7 @@ ieee80211_recv_mgmt(struct ieee80211_nod
+ IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3);
+ memcpy(ni->ni_tstamp.data, scan.tstamp,
+ sizeof(ni->ni_tstamp));
+- ni->ni_intval = scan.bintval;
++ ni->ni_intval = IEEE80211_BINTVAL_SANITISE(scan.bintval);
+ ni->ni_capinfo = scan.capinfo;
+ ni->ni_chan = ic->ic_curchan;
+ ni->ni_fhdwell = scan.fhdwell;
+@@ -3285,7 +3298,7 @@ ieee80211_recv_mgmt(struct ieee80211_nod
+ ni->ni_rssi = rssi;
+ ni->ni_rstamp = rstamp;
+ ni->ni_last_rx = jiffies;
+- ni->ni_intval = bintval;
++ ni->ni_intval = IEEE80211_BINTVAL_SANITISE(bintval);
+ ni->ni_capinfo = capinfo;
+ ni->ni_chan = ic->ic_curchan;
+ ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
+diff -Nrup madwifi-0.9.3.orig/net80211/ieee80211_node.c madwifi-0.9.3/net80211/ieee80211_node.c
+--- madwifi-0.9.3.orig/net80211/ieee80211_node.c 2007-02-07 01:33:38.000000000 +1000
++++ madwifi-0.9.3/net80211/ieee80211_node.c 2007-05-22 21:30:35.000000000 +1000
+@@ -664,7 +664,7 @@ ieee80211_sta_join(struct ieee80211vap *
+ memcpy(ni->ni_essid, se->se_ssid + 2, ni->ni_esslen);
+ ni->ni_rstamp = se->se_rstamp;
+ ni->ni_tstamp.tsf = se->se_tstamp.tsf;
+- ni->ni_intval = se->se_intval;
++ ni->ni_intval = IEEE80211_BINTVAL_SANITISE(se->se_intval);
+ ni->ni_capinfo = se->se_capinfo;
+ ni->ni_chan = se->se_chan;
+ ni->ni_timoff = se->se_timoff;
+@@ -1216,7 +1216,7 @@ ieee80211_add_neighbor(struct ieee80211v
+ memcpy(ni->ni_essid, sp->ssid + 2, sp->ssid[1]);
+ IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3);
+ memcpy(ni->ni_tstamp.data, sp->tstamp, sizeof(ni->ni_tstamp));
+- ni->ni_intval = sp->bintval;
++ ni->ni_intval = IEEE80211_BINTVAL_SANITISE(sp->bintval);
+ ni->ni_capinfo = sp->capinfo;
+ ni->ni_chan = ic->ic_curchan;
+ ni->ni_fhdwell = sp->fhdwell;
+diff -Nrup madwifi-0.9.3.orig/net80211/ieee80211_scan.h madwifi-0.9.3/net80211/ieee80211_scan.h
+--- madwifi-0.9.3.orig/net80211/ieee80211_scan.h 2007-01-30 14:57:52.000000000 +1000
++++ madwifi-0.9.3/net80211/ieee80211_scan.h 2007-05-22 21:30:35.000000000 +1000
+@@ -130,7 +130,7 @@ struct ieee80211_scanparams {
+ u_int8_t bchan;
+ u_int8_t fhindex;
+ u_int8_t erp;
+- u_int8_t bintval;
++ u_int16_t bintval;
+ u_int8_t timoff;
+ u_int8_t *tim;
+ u_int8_t *tstamp;
+diff -Nrup madwifi-0.9.3.orig/net80211/ieee80211_var.h madwifi-0.9.3/net80211/ieee80211_var.h
+--- madwifi-0.9.3.orig/net80211/ieee80211_var.h 2007-01-22 13:07:30.000000000 +1000
++++ madwifi-0.9.3/net80211/ieee80211_var.h 2007-05-22 21:30:35.000000000 +1000
+@@ -60,9 +60,15 @@
+ #define IEEE80211_DTIM_MIN 1 /* min DTIM period */
+ #define IEEE80211_DTIM_DEFAULT 1 /* default DTIM period */
+
+-#define IEEE80211_BINTVAL_MAX 500 /* max beacon interval (TU's) */
++#define IEEE80211_BINTVAL_MAX 1000 /* max beacon interval (TU's) */
+ #define IEEE80211_BINTVAL_MIN 25 /* min beacon interval (TU's) */
+ #define IEEE80211_BINTVAL_DEFAULT 100 /* default beacon interval (TU's) */
++#define IEEE80211_BINTVAL_VALID(_bi) \
++ ((IEEE80211_BINTVAL_MIN <= (_bi)) && \
++ ((_bi) <= IEEE80211_BINTVAL_MAX))
++#define IEEE80211_BINTVAL_SANITISE(_bi) \
++ (IEEE80211_BINTVAL_VALID(_bi) ? \
++ (_bi) : IEEE80211_BINTVAL_DEFAULT)
+
+ #define IEEE80211_BGSCAN_INTVAL_MIN 15 /* min bg scan intvl (secs) */
+ #define IEEE80211_BGSCAN_INTVAL_DEFAULT (5*60) /* default bg scan intvl */
+diff -Nrup madwifi-0.9.3.orig/net80211/ieee80211_wireless.c madwifi-0.9.3/net80211/ieee80211_wireless.c
+--- madwifi-0.9.3.orig/net80211/ieee80211_wireless.c 2007-02-12 15:25:25.000000000 +1000
++++ madwifi-0.9.3/net80211/ieee80211_wireless.c 2007-05-22 21:30:35.000000000 +1000
+@@ -1255,35 +1255,37 @@ ieee80211_ioctl_siwpower(struct net_devi
+ {
+ struct ieee80211vap *vap = dev->priv;
+ struct ieee80211com *ic = vap->iv_ic;
++
++ /* XXX: These values, flags, and caps do not seem to be used elsewhere
++ * at all? */
+
++ if ((ic->ic_caps & IEEE80211_C_PMGT) == 0)
++ return -EOPNOTSUPP;
++
+ if (wrq->disabled) {
+- if (ic->ic_flags & IEEE80211_F_PMGTON) {
++ if (ic->ic_flags & IEEE80211_F_PMGTON)
+ ic->ic_flags &= ~IEEE80211_F_PMGTON;
+- goto done;
++ } else {
++ switch (wrq->flags & IW_POWER_MODE) {
++ case IW_POWER_UNICAST_R:
++ case IW_POWER_ALL_R:
++ case IW_POWER_ON:
++ if (wrq->flags & IW_POWER_PERIOD) {
++ if (IEEE80211_BINTVAL_VALID(wrq->value))
++ ic->ic_lintval = IEEE80211_MS_TO_TU(wrq->value);
++ else
++ return -EINVAL;
++ }
++ if (wrq->flags & IW_POWER_TIMEOUT)
++ ic->ic_holdover = IEEE80211_MS_TO_TU(wrq->value);
++
++ ic->ic_flags |= IEEE80211_F_PMGTON;
++ break;
++ default:
++ return -EINVAL;
+ }
+- return 0;
+- }
+-
+- if ((ic->ic_caps & IEEE80211_C_PMGT) == 0)
+- return -EOPNOTSUPP;
+- switch (wrq->flags & IW_POWER_MODE) {
+- case IW_POWER_UNICAST_R:
+- case IW_POWER_ALL_R:
+- case IW_POWER_ON:
+- ic->ic_flags |= IEEE80211_F_PMGTON;
+- break;
+- default:
+- return -EINVAL;
+ }
+- if (wrq->flags & IW_POWER_TIMEOUT) {
+- ic->ic_holdover = IEEE80211_MS_TO_TU(wrq->value);
+- ic->ic_flags |= IEEE80211_F_PMGTON;
+- }
+- if (wrq->flags & IW_POWER_PERIOD) {
+- ic->ic_lintval = IEEE80211_MS_TO_TU(wrq->value);
+- ic->ic_flags |= IEEE80211_F_PMGTON;
+- }
+-done:
++
+ return IS_UP(ic->ic_dev) ? ic->ic_reset(ic->ic_dev) : 0;
+ }
+
+@@ -2366,8 +2368,7 @@ ieee80211_ioctl_setparam(struct net_devi
+ if (vap->iv_opmode != IEEE80211_M_HOSTAP &&
+ vap->iv_opmode != IEEE80211_M_IBSS)
+ return -EINVAL;
+- if (IEEE80211_BINTVAL_MIN <= value &&
+- value <= IEEE80211_BINTVAL_MAX) {
++ if (IEEE80211_BINTVAL_VALID(value)) {
+ ic->ic_lintval = value; /* XXX multi-bss */
+ retv = ENETRESET; /* requires restart */
+ } else
More information about the Pkg-madwifi-maintainers
mailing list