1 From stable-bounces@linux.kernel.org Tue Oct 4 20:36:20 2005
2 Date: Tue, 04 Oct 2005 21:33:10 -0400
3 From: Pavel Roskin <proski@gnu.org>
4 To: orinoco-devel <orinoco-devel@lists.sourceforge.net>, NetDev <netdev@vger.kernel.org>
5 Cc: Meder Kydyraliev <meder@o0o.nu>
6 Subject: [PATCH] orinoco: Information leakage due to incorrect padding
8 The orinoco driver can send uninitialized data exposing random pieces of
9 the system memory. This happens because data is not padded with zeroes
10 when its length needs to be increased.
12 Reported by Meder Kydyraliev <meder@o0o.nu>
14 Signed-off-by: Pavel Roskin <proski@gnu.org>
15 Signed-off-by: Chris Wright <chrisw@osdl.org>
16 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18 drivers/net/wireless/orinoco.c | 14 +++++++++-----
19 1 file changed, 9 insertions(+), 5 deletions(-)
21 --- linux-2.6.13.y.orig/drivers/net/wireless/orinoco.c
22 +++ linux-2.6.13.y/drivers/net/wireless/orinoco.c
23 @@ -502,9 +502,14 @@ static int orinoco_xmit(struct sk_buff *
27 - /* Length of the packet body */
28 - /* FIXME: what if the skb is smaller than this? */
29 - len = max_t(int,skb->len - ETH_HLEN, ETH_ZLEN - ETH_HLEN);
30 + /* Check packet length, pad short packets, round up odd length */
31 + len = max_t(int, ALIGN(skb->len, 2), ETH_ZLEN);
32 + if (skb->len < len) {
33 + skb = skb_padto(skb, len);
39 eh = (struct ethhdr *)skb->data;
41 @@ -556,8 +561,7 @@ static int orinoco_xmit(struct sk_buff *
45 - /* Round up for odd length packets */
46 - err = hermes_bap_pwrite(hw, USER_BAP, p, ALIGN(data_len, 2),
47 + err = hermes_bap_pwrite(hw, USER_BAP, p, data_len,
50 printk(KERN_ERR "%s: Error %d writing packet to BAP\n",
projects / thirdparty / kernel / stable-queue.git / blob