| From: Johannes Berg <johannes.berg@intel.com> |
| Date: Mon, 16 Dec 2013 12:04:36 +0100 |
| Subject: radiotap: fix bitmap-end-finding buffer overrun |
| |
| commit bd02cd2549cfcdfc57cb5ce57ffc3feb94f70575 upstream. |
| |
| Evan Huus found (by fuzzing in wireshark) that the radiotap |
| iterator code can access beyond the length of the buffer if |
| the first bitmap claims an extension but then there's no |
| data at all. Fix this. |
| |
| Reported-by: Evan Huus <eapache@gmail.com> |
| Signed-off-by: Johannes Berg <johannes.berg@intel.com> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| net/wireless/radiotap.c | 4 ++++ |
| 1 file changed, 4 insertions(+) |
| |
| --- a/net/wireless/radiotap.c |
| +++ b/net/wireless/radiotap.c |
| @@ -122,6 +122,10 @@ int ieee80211_radiotap_iterator_init( |
| /* find payload start allowing for extended bitmap(s) */ |
| |
| if (iterator->_bitmap_shifter & (1<<IEEE80211_RADIOTAP_EXT)) { |
| + if ((unsigned long)iterator->_arg - |
| + (unsigned long)iterator->_rtheader + sizeof(uint32_t) > |
| + (unsigned long)iterator->_max_length) |
| + return -EINVAL; |
| while (get_unaligned_le32(iterator->_arg) & |
| (1 << IEEE80211_RADIOTAP_EXT)) { |
| iterator->_arg += sizeof(uint32_t); |
