mac80211: add rate control rewrite and enhance the performance of the minstrel algori...
1 Subject: mac80211: fix HT information element parsing
2
3 There's no checking that the HT IEs are of the right length
4 which can be used by an attacker to cause an out-of-bounds
5 access by sending a too short HT information/capability IE.
6 Fix it by simply pretending those IEs didn't exist when too
7 short.
8
9 Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
10 ---
11  net/mac80211/ieee80211_i.h |    6 ++----
12  net/mac80211/mlme.c        |    3 ---
13  net/mac80211/util.c        |    8 ++++----
14  3 files changed, 6 insertions(+), 11 deletions(-)
15
16 --- everything.orig/net/mac80211/ieee80211_i.h  2008-10-07 20:05:26.000000000 +0200
17 +++ everything/net/mac80211/ieee80211_i.h       2008-10-07 20:06:45.000000000 +0200
18 @@ -816,8 +816,8 @@ struct ieee802_11_elems {
19         u8 *ext_supp_rates;
20         u8 *wmm_info;
21         u8 *wmm_param;
22 -       u8 *ht_cap_elem;
23 -       u8 *ht_info_elem;
24 +       struct ieee80211_ht_cap *ht_cap_elem;
25 +       struct ieee80211_ht_addt_info *ht_info_elem;
26         u8 *mesh_config;
27         u8 *mesh_id;
28         u8 *peer_link;
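Review bot: The retyped `ht_cap_elem` and `ht_info_elem` fields now carry an invariant the declaration does not state: after this patch they are set only when the IE was at least `sizeof` the pointed-to struct long and stay NULL otherwise, so every user must NULL-check before dereferencing. A comment on the two new lines would make that visible to readers of the header, e.g. `/* NULL unless the IE was long enough to hold the whole struct; check before use */`. The enclosing `struct ieee802_11_elems` continues beyond the hunk, and the NULL invariant only holds if `elems` is zeroed before parsing, which this patch does not show.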
29 @@ -844,8 +844,6 @@ struct ieee802_11_elems {
30         u8 ext_supp_rates_len;
31         u8 wmm_info_len;
32         u8 wmm_param_len;
33 -       u8 ht_cap_elem_len;
34 -       u8 ht_info_elem_len;
35         u8 mesh_config_len;
36         u8 mesh_id_len;
37         u8 peer_link_len;
38 --- everything.orig/net/mac80211/mlme.c 2008-10-07 20:06:44.000000000 +0200
39 +++ everything/net/mac80211/mlme.c      2008-10-07 20:06:45.000000000 +0200
40 @@ -1349,10 +1349,8 @@ static void ieee80211_rx_mgmt_assoc_resp
41             (ifsta->flags & IEEE80211_STA_WMM_ENABLED)) {
42                 struct ieee80211_ht_bss_info bss_info;
43                 ieee80211_ht_cap_ie_to_ht_info(
44 -                               (struct ieee80211_ht_cap *)
45                                 elems.ht_cap_elem, &sta->sta.ht_info);
46                 ieee80211_ht_addt_info_ie_to_ht_bss_info(
47 -                               (struct ieee80211_ht_addt_info *)
48                                 elems.ht_info_elem, &bss_info);
49                 ieee80211_handle_ht(local, 1, &sta->sta.ht_info, &bss_info);
50         }
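Review bot: With the casts dropped, `ieee80211_ht_cap_ie_to_ht_info()` and `ieee80211_ht_addt_info_ie_to_ht_bss_info()` are still called with `elems.ht_cap_elem` and `elems.ht_info_elem` unconditionally inside this block, and after this patch those pointers are NULL whenever the IE was too short, so the safety of the fix depends entirely on the `if` condition, which starts above the hunk and is not visible here. That condition must test both pointers for NULL (`elems.ht_cap_elem && elems.ht_info_elem && ...`), otherwise a truncated IE trades the out-of-bounds read for a NULL dereference. The same applies to the beacon hunk at `@@ -1715`, where only `ht_info_elem` is used. The body of `ieee80211_rx_mgmt_assoc_resp` starts and ends outside the hunk.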
51 @@ -1715,7 +1713,6 @@ static void ieee80211_rx_mgmt_beacon(str
52                 struct ieee80211_ht_bss_info bss_info;
53  
54                 ieee80211_ht_addt_info_ie_to_ht_bss_info(
55 -                               (struct ieee80211_ht_addt_info *)
56                                 elems.ht_info_elem, &bss_info);
57                 changed |= ieee80211_handle_ht(local, 1, &conf->ht_conf,
58                                                &bss_info);
59 --- everything.orig/net/mac80211/util.c 2008-10-07 20:06:43.000000000 +0200
60 +++ everything/net/mac80211/util.c      2008-10-07 20:06:45.000000000 +0200
61 @@ -529,12 +529,12 @@ void ieee802_11_parse_elems(u8 *start, s
62                         elems->ext_supp_rates_len = elen;
63                         break;
64                 case WLAN_EID_HT_CAPABILITY:
65 -                       elems->ht_cap_elem = pos;
66 -                       elems->ht_cap_elem_len = elen;
67 +                       if (elen >= sizeof(struct ieee80211_ht_cap))
68 +                               elems->ht_cap_elem = (void *)pos;
69                         break;
70                 case WLAN_EID_HT_EXTRA_INFO:
71 -                       elems->ht_info_elem = pos;
72 -                       elems->ht_info_elem_len = elen;
73 +                       if (elen >= sizeof(struct ieee80211_ht_addt_info))
74 +                               elems->ht_info_elem = (void *)pos;
75                         break;
76                 case WLAN_EID_MESH_ID:
77                         elems->mesh_id = pos;
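Review bot: The length comparisons on the two new `if` lines are the whole fix, but they are silent: a short `WLAN_EID_HT_CAPABILITY` or `WLAN_EID_HT_EXTRA_INFO` element is now skipped with no comment saying why, and a later reader may be tempted to restore the unconditional assignment. A short comment above each check would pin the intent, e.g. `/* Too-short IE: leave the pointer NULL so callers treat the element as absent (avoids an out-of-bounds read) */`. Two things the hunk relies on but does not show should be confirmed: `elems` is zeroed before the element loop so the pointer really is NULL when the check fails, and `struct ieee80211_ht_cap` / `struct ieee80211_ht_addt_info` are declared packed, since `(void *)pos` overlays them on frame bytes with no alignment guarantee. `ieee802_11_parse_elems` starts and ends outside the hunk.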