author | nbd <nbd@3c298f89-4303-0410-b956-a3cf2f4a3e73> | 2008-10-11 01:33:09 +0000 |
---|---|---|
committer | nbd <nbd@3c298f89-4303-0410-b956-a3cf2f4a3e73> | 2008-10-11 01:33:09 +0000 |
commit | 090f16f6fb1019af891be04e2da176f6feb65cc9 (patch) | |
tree | 1fafd2be3f6989795ec69425f3dabbade11138b2 /package/mac80211/patches/415-mac80211-fix-exploit.patch | |
parent | 042b8de61d833ef841b2ccf4d39f673aecaacd3a (diff) |
mac80211: add rate control rewrite and enhance the performance of the minstrel algorithm for non-mrr configurations
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@12948 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'package/mac80211/patches/415-mac80211-fix-exploit.patch')
-rw-r--r-- | package/mac80211/patches/415-mac80211-fix-exploit.patch | 77 |
1 files changed, 77 insertions, 0 deletions
diff --git a/package/mac80211/patches/415-mac80211-fix-exploit.patch b/package/mac80211/patches/415-mac80211-fix-exploit.patch
new file mode 100644
index 0000000000..114c94390b
--- /dev/null
+++ b/package/mac80211/patches/415-mac80211-fix-exploit.patch
@@ -0,0 +1,77 @@
+Subject: mac80211: fix HT information element parsing
+
+There's no checking that the HT IEs are of the right length
+which can be used by an attacker to cause an out-of-bounds
+access by sending a too short HT information/capability IE.
+Fix it by simply pretending those IEs didn't exist when too
+short.
+
+Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
+---
+ net/mac80211/ieee80211_i.h | 6 ++----
+ net/mac80211/mlme.c | 3 ---
+ net/mac80211/util.c | 8 ++++----
+ 3 files changed, 6 insertions(+), 11 deletions(-)
+
+--- everything.orig/net/mac80211/ieee80211_i.h 2008-10-07 20:05:26.000000000 +0200
++++ everything/net/mac80211/ieee80211_i.h 2008-10-07 20:06:45.000000000 +0200
+@@ -816,8 +816,8 @@ struct ieee802_11_elems {
+ u8 *ext_supp_rates;
+ u8 *wmm_info;
+ u8 *wmm_param;
+- u8 *ht_cap_elem;
+- u8 *ht_info_elem;
++ struct ieee80211_ht_cap *ht_cap_elem;
++ struct ieee80211_ht_addt_info *ht_info_elem;
+ u8 *mesh_config;
+ u8 *mesh_id;
+ u8 *peer_link;
+@@ -844,8 +844,6 @@ struct ieee802_11_elems {
+ u8 ext_supp_rates_len;
+ u8 wmm_info_len;
+ u8 wmm_param_len;
+- u8 ht_cap_elem_len;
+- u8 ht_info_elem_len;
+ u8 mesh_config_len;
+ u8 mesh_id_len;
+ u8 peer_link_len;
+--- everything.orig/net/mac80211/mlme.c 2008-10-07 20:06:44.000000000 +0200
++++ everything/net/mac80211/mlme.c 2008-10-07 20:06:45.000000000 +0200
+@@ -1349,10 +1349,8 @@ static void ieee80211_rx_mgmt_assoc_resp
+ (ifsta->flags & IEEE80211_STA_WMM_ENABLED)) {
+ struct ieee80211_ht_bss_info bss_info;
+ ieee80211_ht_cap_ie_to_ht_info(
+- (struct ieee80211_ht_cap *)
+ elems.ht_cap_elem, &sta->sta.ht_info);
+ ieee80211_ht_addt_info_ie_to_ht_bss_info(
+- (struct ieee80211_ht_addt_info *)
+ elems.ht_info_elem, &bss_info);
+ ieee80211_handle_ht(local, 1, &sta->sta.ht_info, &bss_info);
+ }
+@@ -1715,7 +1713,6 @@ static void ieee80211_rx_mgmt_beacon(str
+ struct ieee80211_ht_bss_info bss_info;
+
+ ieee80211_ht_addt_info_ie_to_ht_bss_info(
+- (struct ieee80211_ht_addt_info *)
+ elems.ht_info_elem, &bss_info);
+ changed |= ieee80211_handle_ht(local, 1, &conf->ht_conf,
+ &bss_info);
+--- everything.orig/net/mac80211/util.c 2008-10-07 20:06:43.000000000 +0200
++++ everything/net/mac80211/util.c 2008-10-07 20:06:45.000000000 +0200
+@@ -529,12 +529,12 @@ void ieee802_11_parse_elems(u8 *start, s
+ elems->ext_supp_rates_len = elen;
+ break;
+ case WLAN_EID_HT_CAPABILITY:
+- elems->ht_cap_elem = pos;
+- elems->ht_cap_elem_len = elen;
++ if (elen >= sizeof(struct ieee80211_ht_cap))
++ elems->ht_cap_elem = (void *)pos;
+ break;
+ case WLAN_EID_HT_EXTRA_INFO:
+- elems->ht_info_elem = pos;
+- elems->ht_info_elem_len = elen;
++ if (elen >= sizeof(struct ieee80211_ht_addt_info))
++ elems->ht_info_elem = (void *)pos;
+ break;
+ case WLAN_EID_MESH_ID:
+ elems->mesh_id = pos; |
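Review bot: After this change a too-short HT IE is signalled only by `elems->ht_cap_elem` / `elems->ht_info_elem` staying NULL, so every consumer must test the pointer before passing it on; the `_len` fields it could previously have checked are gone. In both mlme.c hunks the `if` that guards `ieee80211_ht_cap_ie_to_ht_info()` and `ieee80211_ht_addt_info_ie_to_ht_bss_info()` begins above the visible context, so confirm that it tests both pointers, and that `elems` is zeroed before `ieee802_11_parse_elems()` fills it (that function's start is also outside the hunk). I would record the invariant next to the two fields in ieee80211_i.h, e.g. `/* NULL unless the IE holds at least sizeof(*ptr) bytes */`. The `(void *)pos` cast also assumes both structs tolerate an unaligned start inside the frame, presumably because they are packed, which is worth checking against their definitions.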