diff options
author | nbd <nbd@3c298f89-4303-0410-b956-a3cf2f4a3e73> | 2007-05-13 16:24:11 +0000 |
---|---|---|
committer | nbd <nbd@3c298f89-4303-0410-b956-a3cf2f4a3e73> | 2007-05-13 16:24:11 +0000 |
commit | 54ed8f47fffe88f47fae7808af5ea4931f7362aa (patch) | |
tree | 9b89adcf04754dd2c1624be5df3b9cab6b18dbef /package/madwifi/patches/105-security_patch_fix.patch | |
parent | 33942f4fdc4ec3f7a9814f0d3adb36b7ec2628da (diff) |
huge madwifi update - use a madwifi-ng-refcount snapshot as base, includes lots of bugfixes and performance enhancements
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@7211 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'package/madwifi/patches/105-security_patch_fix.patch')
-rw-r--r-- | package/madwifi/patches/105-security_patch_fix.patch | 27 |
1 files changed, 0 insertions, 27 deletions
diff --git a/package/madwifi/patches/105-security_patch_fix.patch b/package/madwifi/patches/105-security_patch_fix.patch deleted file mode 100644 index 96dc17ac6..000000000 --- a/package/madwifi/patches/105-security_patch_fix.patch +++ /dev/null @@ -1,27 +0,0 @@ -The fix for CVE-2006-6332 in r1842 was not entirely correct. In -encode_ie() the bound check did not consider that each byte from -the IE causes two bytes to be written into buffer. That could -lead to a kernel oops, but does not allow code injection. This is -now fixed. - -Due to the type of this problem it does not trigger another -urgent security bugfix release. v0.9.3 is at the door anyway. - -Reported-by: Joachim Gleisner <jg@suse.de> - -Index: trunk/net80211/ieee80211_wireless.c -=================================================================== ---- trunk/net80211/ieee80211_wireless.c (revision 1846) -+++ trunk/net80211/ieee80211_wireless.c (revision 1847) -@@ -1566,8 +1566,8 @@ - bufsize -= leader_len; - p += leader_len; -- if (bufsize < ielen) -- return 0; -- for (i = 0; i < ielen && bufsize > 2; i++) -+ for (i = 0; i < ielen && bufsize > 2; i++) { - p += sprintf(p, "%02x", ie[i]); -+ bufsize -= 2; -+ } - return (i == ielen ? p - (u_int8_t *)buf : 0); - } |