From patchwork Thu Jan 9 12:03:18 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Luis Henriques X-Patchwork-Id: 308666 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 9C6FD2C00BD for ; Thu, 9 Jan 2014 23:05:14 +1100 (EST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1W1EMI-0004SF-65; Thu, 09 Jan 2014 12:05:10 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1W1EKV-0003Ll-Fm for kernel-team@lists.ubuntu.com; Thu, 09 Jan 2014 12:03:19 +0000 Received: from bl20-130-143.dsl.telepac.pt ([2.81.130.143] helo=localhost) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1W1EKV-0001I5-8a; Thu, 09 Jan 2014 12:03:19 +0000 From: Luis Henriques To: Johannes Berg Subject: [3.11.y.z extended stable] Patch "radiotap: fix bitmap-end-finding buffer overrun" has been added to staging queue Date: Thu, 9 Jan 2014 12:03:18 +0000 Message-Id: <1389268998-29549-1-git-send-email-luis.henriques@canonical.com> X-Mailer: git-send-email 1.8.3.2 X-Extended-Stable: 3.11 Cc: kernel-team@lists.ubuntu.com, Evan Huus X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.14 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: kernel-team-bounces@lists.ubuntu.com This is a note to let you know that I have just added a patch titled radiotap: fix bitmap-end-finding buffer overrun to the linux-3.11.y-queue branch of the 3.11.y.z extended stable tree which can be found at: http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.11.y-queue If you, or anyone else, feels it should not be added to this tree, please reply to this email. For more information about the 3.11.y.z tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable Thanks. -Luis ------ From 7898ebaa7102d73ffc7c49b1c79419f99edd4705 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Mon, 16 Dec 2013 12:04:36 +0100 Subject: radiotap: fix bitmap-end-finding buffer overrun commit bd02cd2549cfcdfc57cb5ce57ffc3feb94f70575 upstream. Evan Huus found (by fuzzing in wireshark) that the radiotap iterator code can access beyond the length of the buffer if the first bitmap claims an extension but then there's no data at all. Fix this. Reported-by: Evan Huus Signed-off-by: Johannes Berg Signed-off-by: Luis Henriques --- net/wireless/radiotap.c | 4 ++++ 1 file changed, 4 insertions(+) -- 1.8.3.2 diff --git a/net/wireless/radiotap.c b/net/wireless/radiotap.c index a271c27..722da61 100644 --- a/net/wireless/radiotap.c +++ b/net/wireless/radiotap.c @@ -124,6 +124,10 @@ int ieee80211_radiotap_iterator_init( /* find payload start allowing for extended bitmap(s) */ if (iterator->_bitmap_shifter & (1<_arg - + (unsigned long)iterator->_rtheader + sizeof(uint32_t) > + (unsigned long)iterator->_max_length) + return -EINVAL; while (get_unaligned_le32(iterator->_arg) & (1 << IEEE80211_RADIOTAP_EXT)) { iterator->_arg += sizeof(uint32_t);