From: Chris Wright Date: Wed, 5 Oct 2005 19:01:46 +0000 (-0700) Subject: Add fix for orinoco information leak, fwd from jgarzik X-Git-Tag: v2.6.13.4~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=93ac0f35beb866c5c45434d8065dd671cde91d7f;p=thirdparty%2Fkernel%2Fstable-queue.git Add fix for orinoco information leak, fwd from jgarzik --- diff --git a/queue/orinoco-info-leak.patch b/queue/orinoco-info-leak.patch new file mode 100644 index 00000000000..bf6fd72987f --- /dev/null +++ b/queue/orinoco-info-leak.patch 
@@ -0,0 +1,56 @@ +From stable-bounces@linux.kernel.org Tue Oct 4 20:36:20 2005 + padding +Date: Tue, 04 Oct 2005 21:33:10 -0400 +From: Pavel Roskin +To: orinoco-devel , NetDev +Cc: Meder Kydyraliev +Subject: [PATCH] orinoco: Information leakage due to incorrect padding + +The orinoco driver can send uninitialized data exposing random pieces of +the system memory. This happens because data is not padded with zeroes +when its length needs to be increased. + +Reported by Meder Kydyraliev + +Please try to get it to Linux 2.6.14 and maybe even 2.6.13.y. It's a +security issue. + +Signed-off-by: Pavel Roskin +Signed-off-by: Chris Wright +--- + + drivers/net/wireless/orinoco.c | 14 +++++++++----- + 1 files changed, 9 insertions(+), 5 deletions(-) + +Index: linux-2.6.13.y/drivers/net/wireless/orinoco.c +=================================================================== +--- linux-2.6.13.y.orig/drivers/net/wireless/orinoco.c ++++ linux-2.6.13.y/drivers/net/wireless/orinoco.c +@@ -502,9 +502,14 @@ static int orinoco_xmit(struct sk_buff * + return 0; + } + +- /* Length of the packet body */ +- /* FIXME: what if the skb is smaller than this? */ +- len = max_t(int,skb->len - ETH_HLEN, ETH_ZLEN - ETH_HLEN); ++ /* Check packet length, pad short packets, round up odd length */ ++ len = max_t(int, ALIGN(skb->len, 2), ETH_ZLEN); ++ if (skb->len < len) { ++ skb = skb_padto(skb, len); ++ if (skb == NULL) ++ goto fail; ++ } ++ len -= ETH_HLEN; + + eh = (struct ethhdr *)skb->data; + +@@ -556,8 +561,7 @@ static int orinoco_xmit(struct sk_buff * + p = skb->data; + } + +- /* Round up for odd length packets */ +- err = hermes_bap_pwrite(hw, USER_BAP, p, ALIGN(data_len, 2), ++ err = hermes_bap_pwrite(hw, USER_BAP, p, data_len, + txfid, data_off); + if (err) { + printk(KERN_ERR "%s: Error %d writing packet to BAP\n", diff --git a/queue/series b/queue/series index fa4159f2824..1f422a055c3 100644 --- a/queue/series +++ b/queue/series 
@@ -1 +1,2 @@ ieee1394-sbp2-fixes-for-hot-unplug-and-module-unloading.patch +orinoco-info-leak.patch
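Review bot: the `goto fail` taken after `skb = skb_padto(skb, len)` in the first orinoco_xmit hunk (@@ -502,9 +502,14 @@) runs with `skb` already overwritten by NULL, and the `fail:` label is outside the visible context, so confirm that path neither dereferences `skb` nor returns a value that makes the stack retry the packet. In this kernel series skb_padto frees the original buffer when it cannot allocate the padded copy, so a retry would operate on freed memory. Counting the drop and returning 0, as the early return just above the hunk does, would be the safer exit for this case.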
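Review bot: dropping `ALIGN(data_len, 2)` from the hermes_bap_pwrite call in the second orinoco_xmit hunk (@@ -556,8 +561,7 @@) is only safe if `data_len` is already even on every path that reaches the call, and the assignments to `data_len` are not in the visible lines. The first hunk rounds `len` up and zero-pads the skb to match, so the invariant presumably holds through `len`, but the removed "Round up for odd length packets" comment leaves nothing at the call site that says so. Replace it with a one-line comment stating that the length was rounded and padded earlier, so a later change that sets `data_len` from an unpadded length does not reintroduce a write that reads past the initialized data.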