Add fix for orinoco information leak, fwd from jgarzik
authorChris Wright <chrisw@osdl.org>
Wed, 5 Oct 2005 19:01:46 +0000 (12:01 -0700)
committerChris Wright <chrisw@osdl.org>
Wed, 5 Oct 2005 19:01:46 +0000 (12:01 -0700)
queue/orinoco-info-leak.patch [new file with mode: 0644]
queue/series

diff --git a/queue/orinoco-info-leak.patch b/queue/orinoco-info-leak.patch
new file mode 100644 (file)
index 0000000..bf6fd72
--- /dev/null
@@ -0,0 +1,56 @@
+From stable-bounces@linux.kernel.org  Tue Oct  4 20:36:20 2005
+       padding
+Date: Tue, 04 Oct 2005 21:33:10 -0400
+From: Pavel Roskin <proski@gnu.org>
+To: orinoco-devel <orinoco-devel@lists.sourceforge.net>, NetDev <netdev@vger.kernel.org>
+Cc: Meder Kydyraliev <meder@o0o.nu>
+Subject: [PATCH] orinoco: Information leakage due to incorrect padding
+
+The orinoco driver can send uninitialized data exposing random pieces of
+the system memory.  This happens because data is not padded with zeroes
+when its length needs to be increased.
+
+Reported by Meder Kydyraliev <meder@o0o.nu>
+
+Please try to get it to Linux 2.6.14 and maybe even 2.6.13.y.  It's a
+security issue.
+
+Signed-off-by: Pavel Roskin <proski@gnu.org>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+---
+
+ drivers/net/wireless/orinoco.c |   14 +++++++++-----
+ 1 files changed, 9 insertions(+), 5 deletions(-)
+
+Index: linux-2.6.13.y/drivers/net/wireless/orinoco.c
+===================================================================
+--- linux-2.6.13.y.orig/drivers/net/wireless/orinoco.c
++++ linux-2.6.13.y/drivers/net/wireless/orinoco.c
+@@ -502,9 +502,14 @@ static int orinoco_xmit(struct sk_buff *
+               return 0;
+       }
+-      /* Length of the packet body */
+-      /* FIXME: what if the skb is smaller than this? */
+-      len = max_t(int,skb->len - ETH_HLEN, ETH_ZLEN - ETH_HLEN);
++      /* Check packet length, pad short packets, round up odd length */
++      len = max_t(int, ALIGN(skb->len, 2), ETH_ZLEN);
++      if (skb->len < len) {
++              skb = skb_padto(skb, len);
++              if (skb == NULL)
++                      goto fail;
++      }
++      len -= ETH_HLEN;
+       eh = (struct ethhdr *)skb->data;
+@@ -556,8 +561,7 @@ static int orinoco_xmit(struct sk_buff *
+               p = skb->data;
+       }
+-      /* Round up for odd length packets */
+-      err = hermes_bap_pwrite(hw, USER_BAP, p, ALIGN(data_len, 2),
++      err = hermes_bap_pwrite(hw, USER_BAP, p, data_len,
+                               txfid, data_off);
+       if (err) {
+               printk(KERN_ERR "%s: Error %d writing packet to BAP\n",
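Review bot: The `goto fail` taken when `skb_padto()` returns NULL (first orinoco.c hunk) exits through a label that lies outside the hunk, so the patch does not show what `orinoco_xmit` returns or counts on that path. In this kernel series `skb_padto()` frees the original buffer when it fails, so that exit has to report the packet as consumed; a non-zero "busy" return would let the stack requeue an skb that no longer exists. I would put `/* skb_padto() already freed the skb; this path must return 0 */` above the `goto` and bump the interface's `tx_dropped` counter there, if the function keeps one in scope. The second hunk now depends on `data_len` being even because `len` was rounded up earlier; that assignment is not in the visible lines, so a comment at the `hermes_bap_pwrite()` call stating the invariant would help the next reader.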
index fa4159f2824fa8bb6538a5fa9b911ba3c297da51..1f422a055c399198c9ea402b95d7f68bd1d86ac6 100644 (file)
@@ -1 +1,2 @@
 ieee1394-sbp2-fixes-for-hot-unplug-and-module-unloading.patch
+orinoco-info-leak.patch