Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / f5563318ff1bde15b10e736e97ffce13be08bc1a
commitf5563318ff1bde15b10e736e97ffce13be08bc1a[log] [tgz]
authorJohannes Berg <johannes.berg@intel.com>Fri Oct 11 14:47:05 2013 +0200
committerJohannes Berg <johannes.berg@intel.com>Mon Oct 14 09:47:00 2013 +0200
treeba7cbabe2a7b788c2dc59aea858ef95a1537b8a4
parentf38dd58ccca0d612e62509f75e99952dcf316cb2 [diff]
wireless: radiotap: fix parsing buffer overrun

When parsing an invalid radiotap header, the parser can overrun
the buffer that is passed in because it doesn't correctly check
 1) the minimum radiotap header size
 2) the space for extended bitmaps

The first issue doesn't affect any in-kernel user as they all
check the minimum size before calling the radiotap function.
The second issue could potentially affect the kernel if an skb
is passed in that consists only of the radiotap header with a
lot of extended bitmaps that extend past the SKB. In that case
a read-only buffer overrun by at most 4 bytes is possible.

Fix this by adding the appropriate checks to the parser.

Cc: stable@vger.kernel.org
Reported-by: Evan Huus <eapache@gmail.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
1 file changed
tree: ba7cbabe2a7b788c2dc59aea858ef95a1537b8a4
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. Kconfig
  28. MAINTAINERS
  29. Makefile
  30. README
  31. REPORTING-BUGS