On Tue, Oct 04, 2005 at 09:33:10PM -0400, Pavel Roskin wrote:
> orinoco: Information leakage due to incorrect padding
>
> The orinoco driver can send uninitialized data exposing random pieces of
> the system memory. This happens because data is not padded with zeroes
> when its length needs to be increased.
Issue itself looks valid in the current implementation, but a better fix
would be to just remove the padding.
> - /* Length of the packet body */
> - /* FIXME: what if the skb is smaller than this? */
> - len = max_t(int,skb->len - ETH_HLEN, ETH_ZLEN - ETH_HLEN);
> + /* Check packet length, pad short packets, round up odd length */
> + len = max_t(int, ALIGN(skb->len, 2), ETH_ZLEN);
> + if (skb->len < len) {
> + skb = skb_padto(skb, len);
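Review bot: the result of skb_padto() on the last quoted line is assigned back to skb, and the quoted lines end before any check of it; skb_padto() returns NULL when it cannot pad, so the code that follows has to bail out on a NULL skb before touching it. Separately, the removed line subtracted ETH_HLEN from both operands while the new one compares the whole skb->len against ETH_ZLEN, so len changes from body length to full frame length; the replacement comment should say which length it is, and every later use of len needs checking against that change.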
There is no ETH_ZLEN limit on IEEE 802.11 frames.
--
Jouni Malinen PGP id EFC895FA
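
The leak described in the quoted commit message, modelled in user space as an added example that is not code from this thread or from the orinoco driver. The buffer, the function names and the sample payload are hypothetical; the length rule (round up to even, minimum of 60 bytes, the value of ETH_ZLEN) follows the quoted patch.

```c
#include <stdio.h>
#include <string.h>

#define MIN_FRAME 60                 /* same value as the kernel's ETH_ZLEN */
static unsigned char txbuf[128];     /* constructed stand-in for a reused buffer */

/* Length actually transmitted: odd lengths rounded up, minimum enforced. */
static size_t padded_len(size_t len)
{
    size_t n = (len + 1) & ~(size_t)1;
    return n < MIN_FRAME ? MIN_FRAME : n;
}

/* Leaky path: only the payload is written, but padded_len() bytes go out. */
static size_t tx_leaky(const void *data, size_t len)
{
    memcpy(txbuf, data, len);
    return padded_len(len);
}

/* Zero-padded path: the bytes between len and the sent length are cleared. */
static size_t tx_zero_padded(const void *data, size_t len)
{
    size_t out = padded_len(len);
    memcpy(txbuf, data, len);
    memset(txbuf + len, 0, out - len);
    return out;
}

/* Send one payload (len <= sizeof txbuf) after earlier data has been left in
 * the buffer, and count how many of those stale bytes sit in the pad region. */
static size_t stale_after(size_t (*tx)(const void *, size_t),
                          const void *data, size_t len)
{
    size_t i, out, stale = 0;
    memset(txbuf, 'S', sizeof txbuf);    /* constructed "previous contents" */
    out = tx(data, len);
    for (i = len; i < out; i++)
        stale += (txbuf[i] != 0);
    return stale;
}

int main(void)
{
    printf("leaky:       %zu stale bytes sent\n", stale_after(tx_leaky, "ping", 4));
    printf("zero-padded: %zu stale bytes sent\n", stale_after(tx_zero_padded, "ping", 4));
    return 0;
}
```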