diff options
author | nbd <nbd@3c298f89-4303-0410-b956-a3cf2f4a3e73> | 2006-12-09 21:38:50 +0000 |
---|---|---|
committer | nbd <nbd@3c298f89-4303-0410-b956-a3cf2f4a3e73> | 2006-12-09 21:38:50 +0000 |
commit | 87ab1e6c667e4467edeed0ef82f6278068aad05a (patch) | |
tree | 8a10405cab5ef05f5246f2d7be6a8a7904fdc866 | |
parent | 3319f184b2c4c80aa1ea5e2789c50687ad3b4200 (diff) |
fix file encoding of madwifi security patch (trac gave me CRLF)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@5744 3c298f89-4303-0410-b956-a3cf2f4a3e73
-rw-r--r-- | package/madwifi/patches/105-security_patch_fix.patch | 54 |
1 files changed, 27 insertions, 27 deletions
diff --git a/package/madwifi/patches/105-security_patch_fix.patch b/package/madwifi/patches/105-security_patch_fix.patch index df0ea4d49..96dc17ac6 100644 --- a/package/madwifi/patches/105-security_patch_fix.patch +++ b/package/madwifi/patches/105-security_patch_fix.patch @@ -1,27 +1,27 @@ -The fix for CVE-2006-6332 in r1842 was not entirely correct. In
-encode_ie() the bound check did not consider that each byte from
-the IE causes two bytes to be written into buffer. That could
-lead to a kernel oops, but does not allow code injection. This is
-now fixed.
-
-Due to the type of this problem it does not trigger another
-urgent security bugfix release. v0.9.3 is at the door anyway.
-
-Reported-by: Joachim Gleisner <jg@suse.de>
-
-Index: trunk/net80211/ieee80211_wireless.c
-===================================================================
---- trunk/net80211/ieee80211_wireless.c (revision 1846)
-+++ trunk/net80211/ieee80211_wireless.c (revision 1847)
-@@ -1566,8 +1566,8 @@
- bufsize -= leader_len;
- p += leader_len;
-- if (bufsize < ielen)
-- return 0;
-- for (i = 0; i < ielen && bufsize > 2; i++)
-+ for (i = 0; i < ielen && bufsize > 2; i++) {
- p += sprintf(p, "%02x", ie[i]);
-+ bufsize -= 2;
-+ }
- return (i == ielen ? p - (u_int8_t *)buf : 0);
- }
+The fix for CVE-2006-6332 in r1842 was not entirely correct. In +encode_ie() the bound check did not consider that each byte from +the IE causes two bytes to be written into buffer. That could +lead to a kernel oops, but does not allow code injection. This is +now fixed. + +Due to the type of this problem it does not trigger another +urgent security bugfix release. v0.9.3 is at the door anyway. + +Reported-by: Joachim Gleisner <jg@suse.de> + +Index: trunk/net80211/ieee80211_wireless.c +=================================================================== +--- trunk/net80211/ieee80211_wireless.c (revision 1846) ++++ trunk/net80211/ieee80211_wireless.c (revision 1847) +@@ -1566,8 +1566,8 @@ + bufsize -= leader_len; + p += leader_len; +- if (bufsize < ielen) +- return 0; +- for (i = 0; i < ielen && bufsize > 2; i++) ++ for (i = 0; i < ielen && bufsize > 2; i++) { + p += sprintf(p, "%02x", ie[i]); ++ bufsize -= 2; ++ } + return (i == ielen ? p - (u_int8_t *)buf : 0); + } |