User: Password:
|
|
Subscribe / Log in / New account

[PATCH] orinoco: Information leakage due to incorrect padding

From:  Linux Kernel Mailing List <linux-kernel-AT-vger.kernel.org>
To:  git-commits-head-AT-vger.kernel.org
Subject:  [PATCH] orinoco: Information leakage due to incorrect padding
Date:  Wed, 5 Oct 2005 06:59:22 -0700
Archive-link:  Article, Thread

tree 7c46d832b837b4441f7f4e4465d908b0e3e02a36
parent bb77c03cf40fec911c4ce9610b8207bf0050a5fd
author Pavel Roskin <proski@gnu.org> Wed, 05 Oct 2005 05:33:10 -0400
committer Jeff Garzik <jgarzik@pobox.com> Wed, 05 Oct 2005 07:37:21 -0400

[PATCH] orinoco: Information leakage due to incorrect padding

The orinoco driver can send uninitialized data exposing random pieces of
the system memory.  This happens because data is not padded with zeroes
when its length needs to be increased.

Reported by Meder Kydyraliev <meder@o0o.nu>

Signed-off-by: Pavel Roskin <proski@gnu.org>
Signed-off-by: Jeff Garzik <jgarzik@pobox.com>

 drivers/net/wireless/orinoco.c |   14 +++++++++-----
 1 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/drivers/net/wireless/orinoco.c b/drivers/net/wireless/orinoco.c
--- a/drivers/net/wireless/orinoco.c
+++ b/drivers/net/wireless/orinoco.c
@@ -503,9 +503,14 @@ static int orinoco_xmit(struct sk_buff *
 		return 0;
 	}
 
-	/* Length of the packet body */
-	/* FIXME: what if the skb is smaller than this? */
-	len = max_t(int,skb->len - ETH_HLEN, ETH_ZLEN - ETH_HLEN);
+	/* Check packet length, pad short packets, round up odd length */
+	len = max_t(int, ALIGN(skb->len, 2), ETH_ZLEN);
+	if (skb->len < len) {
+		skb = skb_padto(skb, len);
+		if (skb == NULL)
+			goto fail;
+	}
+	len -= ETH_HLEN;
 
 	eh = (struct ethhdr *)skb->data;
 
@@ -557,8 +562,7 @@ static int orinoco_xmit(struct sk_buff *
 		p = skb->data;
 	}
 
-	/* Round up for odd length packets */
-	err = hermes_bap_pwrite(hw, USER_BAP, p, ALIGN(data_len, 2),
+	err = hermes_bap_pwrite(hw, USER_BAP, p, data_len,
 				txfid, data_off);
 	if (err) {
 		printk(KERN_ERR "%s: Error %d writing packet to BAP\n",


(Log in to post comments)


Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds