ccdd43f20f37918ae6a8fe985bc333d719099f5c
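diff -urN madwifi-ng-r2377-20070526.old/net80211/ieee80211_input.c madwifi-ng-r2377-20070526.dev/net80211/ieee80211_input.c
--- madwifi-ng-r2377-20070526.old/net80211/ieee80211_input.c    2007-05-21 17:53:39.000000000 +0200
+++ madwifi-ng-r2377-20070526.dev/net80211/ieee80211_input.c    2007-05-26 18:51:09.027715120 +0200
@@ -695,13 +695,31 @@
 
                        /* NB: assumes linear (i.e., non-fragmented) skb */
 
+                       /* check length > header */
+                           if (skb->len < sizeof(struct ether_header) + LLC_SNAPFRAMELEN
+                           + roundup(sizeof(struct athl2p_tunnel_hdr) - 2, 4) + 2) {
+                               IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
+                                       ni->ni_macaddr, "data", "%s", "decap error");
+                                       vap->iv_stats.is_rx_decap++;
+                               IEEE80211_NODE_STAT(ni, rx_decap);
+                               goto err;
+                       }
+
                        /* get to the tunneled headers */
                        ath_hdr = (struct athl2p_tunnel_hdr *)
                                skb_pull(skb, sizeof(struct ether_header) + LLC_SNAPFRAMELEN);
-                       /* ignore invalid frames */
-                       if(ath_hdr == NULL)
+                       eh_tmp = (struct ether_header *)
+                               skb_pull(skb, roundup(sizeof(struct athl2p_tunnel_hdr) - 2, 4) + 2);
+                       /* sanity check for malformed 802.3 length */
+                       frame_len = ntohs(eh_tmp->ether_type);
+                       if (skb->len < roundup(sizeof(struct ether_header) + frame_len, 4)) {
+                               IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
+                                       ni->ni_macaddr, "data", "%s", "decap error");
+                                       vap->iv_stats.is_rx_decap++;
+                               IEEE80211_NODE_STAT(ni, rx_decap);
                                goto err;
-                       
+                       }
+
                        /* only implementing FF now. drop all others. */
                        if (ath_hdr->proto != ATH_L2TUNNEL_PROTO_FF) {
                                IEEE80211_DISCARD_MAC(vap,
@@ -714,10 +732,6 @@
                        }
                        vap->iv_stats.is_rx_ffcnt++;
                        
-                       /* move past the tunneled header, with alignment */
-                       skb_pull(skb, roundup(sizeof(struct athl2p_tunnel_hdr) - 2, 4) + 2);
-                       eh_tmp = (struct ether_header *)skb->data;
-                       
                        /* ether_type must be length as FF frames are always LLC/SNAP encap'd */
                        frame_len = ntohs(eh_tmp->ether_type);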
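Review bot: The inner Ethernet header is dereferenced before its presence is verified: the new "check length > header" test covers only the outer Ethernet header, the LLC/SNAP header and the tunnel header, which is exactly the number of bytes the two `skb_pull()` calls then consume, so `frame_len = ntohs(eh_tmp->ether_type);` can read `ether_type` from a frame whose remaining length is smaller than `sizeof(struct ether_header)`, and the `roundup(sizeof(struct ether_header) + frame_len, 4)` check that would catch this runs only after that read. Whether the bytes read lie inside the skb's allocation depends on the driver's buffer layout, which is not visible here, so the bound should be made explicit by including the inner header in the first check, e.g. replacing the continuation line with `+ roundup(sizeof(struct athl2p_tunnel_hdr) - 2, 4) + 2 + sizeof(struct ether_header)) {`. Both new discard blocks also indent `vap->iv_stats.is_rx_decap++;` one level deeper than its siblings, which reads as if it were still part of the `IEEE80211_DISCARD_MAC` call; it should sit at the same level as `IEEE80211_NODE_STAT(ni, rx_decap);`. The second hunk only removes the old pull that the first hunk moved earlier, and the enclosing function begins and ends outside both hunks.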
49