From b556b29c45022864d3cfdb710e4093e38dfff2e0 Mon Sep 17 00:00:00 2001
From: nbd <nbd@3c298f89-4303-0410-b956-a3cf2f4a3e73>
Date: Wed, 23 May 2007 14:54:18 +0000
Subject: update madwifi to latest trunk (refcount and hal-0.9.30.13 got
 merged) and include a security fix that was merged in 0.9.3.1

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@7309 3c298f89-4303-0410-b956-a3cf2f4a3e73
---
 package/madwifi/patches/119-secfix_PR_1335.patch | 49 ++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 package/madwifi/patches/119-secfix_PR_1335.patch

(limited to 'package/madwifi/patches/119-secfix_PR_1335.patch')

diff --git a/package/madwifi/patches/119-secfix_PR_1335.patch b/package/madwifi/patches/119-secfix_PR_1335.patch
new file mode 100644
index 000000000..ecf3ddaad
--- /dev/null
+++ b/package/madwifi/patches/119-secfix_PR_1335.patch
@@ -0,0 +1,49 @@
+diff -ur madwifi.old/net80211/ieee80211_input.c madwifi.dev/net80211/ieee80211_input.c
+--- madwifi.old/net80211/ieee80211_input.c	2007-05-21 17:53:39.000000000 +0200
++++ madwifi.dev/net80211/ieee80211_input.c	2007-05-23 16:50:21.097957392 +0200
+@@ -695,13 +695,31 @@
+ 
+ 			/* NB: assumes linear (i.e., non-fragmented) skb */
+ 
++			/* check length > header */
++			if (skb->len < sizeof(struct ether_header) + LLC_SNAPFRAMELEN
++			    + roundup(sizeof(struct athl2p_tunnel_hdr) - 2, 4) + 2) {
++				IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
++					ni->ni_macaddr, "data", "%s", "decap error");
++					vap->iv_stats.is_rx_decap++;
++				IEEE80211_NODE_STAT(ni, rx_decap);
++				goto err;
++			}
++
+ 			/* get to the tunneled headers */
+ 			ath_hdr = (struct athl2p_tunnel_hdr *)
+ 				skb_pull(skb, sizeof(struct ether_header) + LLC_SNAPFRAMELEN);
+- 			/* ignore invalid frames */
+-			if(ath_hdr == NULL)
++			eh_tmp = (struct ether_header *)
++				skb_pull(skb, roundup(sizeof(struct athl2p_tunnel_hdr) - 2, 4) + 2);
++			/* sanity check for malformed 802.3 length */
++			frame_len = ntohs(eh_tmp->ether_type);
++			if (skb->len < roundup(sizeof(struct ether_header) + frame_len, 4)) {
++				IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
++					ni->ni_macaddr, "data", "%s", "decap error");
++					vap->iv_stats.is_rx_decap++;
++				IEEE80211_NODE_STAT(ni, rx_decap);
+ 				goto err;
+-			
++			}
++
+ 			/* only implementing FF now. drop all others. */
+ 			if (ath_hdr->proto != ATH_L2TUNNEL_PROTO_FF) {
+ 				IEEE80211_DISCARD_MAC(vap,
+@@ -714,10 +732,6 @@
+ 			}
+ 			vap->iv_stats.is_rx_ffcnt++;
+ 			
+-			/* move past the tunneled header, with alignment */
+-			skb_pull(skb, roundup(sizeof(struct athl2p_tunnel_hdr) - 2, 4) + 2);
+-			eh_tmp = (struct ether_header *)skb->data;
+-			
+ 			/* ether_type must be length as FF frames are always LLC/SNAP encap'd */
+ 			frame_len = ntohs(eh_tmp->ether_type);
+ 
-- 
cgit v1.2.3