linux/net
Johannes Berg add8ec07b2 wireless: radiotap: fix parsing buffer overrun
commit f5563318ff upstream.

When parsing an invalid radiotap header, the parser can overrun
the buffer that is passed in because it doesn't correctly check
 1) the minimum radiotap header size
 2) the space for extended bitmaps

The first issue doesn't affect any in-kernel user as they all
check the minimum size before calling the radiotap function.
The second issue could potentially affect the kernel if an skb
is passed in that consists only of the radiotap header with a
lot of extended bitmaps that extend past the SKB. In that case
a read-only buffer overrun by at most 4 bytes is possible.

Fix this by adding the appropriate checks to the parser.

Reported-by: Evan Huus <eapache@gmail.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-04 04:31:06 -08:00
9p 9p: fix off by one causing access violations and memory corruption 2013-07-28 16:29:58 -07:00
802 net/802/mrp: fix lockdep splat 2013-05-14 13:02:30 -07:00
8021q net: vlan: fix nlmsg size calculation in vlan_get_size() 2013-11-04 04:31:02 -08:00
appletalk appletalk: info leak in ->getname() 2013-04-25 01:47:58 -04:00
atm Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-05-01 17:51:54 -07:00
ax25 ax25: fix info leak via msg_name in ax25_recvmsg() 2013-04-07 16:28:00 -04:00
batman-adv batman-adv: Don't handle address updates when bla is disabled 2013-06-10 08:42:18 +02:00
bluetooth Bluetooth: Fix rfkill functionality during the HCI setup stage 2013-10-13 16:08:32 -07:00
bridge bridge: Correctly clamp MAX forward_delay when enabling STP 2013-11-04 04:31:03 -08:00
caif caif: Add missing braces to multiline if in cfctrl_linkup_request 2013-10-13 16:08:28 -07:00
can Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-05-01 17:51:54 -07:00
ceph libceph: use pg_num_mask instead of pgp_num_mask for pg.seed calc 2013-09-26 17:18:29 -07:00
core net: secure_seq: Fix warning when CONFIG_IPV6 and CONFIG_INET are not selected 2013-11-04 04:31:01 -08:00
dcb rtnetlink: Remove passing of attributes into rtnl_doit functions 2013-03-22 10:31:16 -04:00
dccp net:dccp: do not report ICMP redirects to user space 2013-10-13 16:08:30 -07:00
decnet decnet: remove duplicated include from dn_table.c 2013-04-07 17:12:01 -04:00
dns_resolver
dsa dsa: fix freeing of sparse port allocation 2013-03-25 12:23:41 -04:00
ethernet net: add ETH_P_802_3_MIN 2013-03-28 01:20:42 -04:00
ieee802154 ieee802154/nl-mac.c: make some MLME operations optional 2013-04-08 12:00:16 -04:00
ipv4 inet: fix possible memory corruption with UDP_CORK and UFO 2013-11-04 04:31:05 -08:00
ipv6 ipv6: probe routes asynchronous in rt6_probe 2013-11-04 04:31:05 -08:00
ipx
irda net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue. 2013-05-19 15:10:47 -07:00
iucv Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-04-22 20:32:51 -04:00
key af_key: more info leaks in pfkey messages 2013-08-11 18:35:25 -07:00
l2tp l2tp: must disable bh before calling l2tp_xmit_skb() 2013-11-04 04:31:02 -08:00
lapb
llc llc: Fix missing msg_namelen update in llc_ui_recvmsg() 2013-04-07 16:28:01 -04:00
mac80211 mac80211: add a flag to indicate CCK support for HT clients 2013-09-07 22:09:59 -07:00
mac802154 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-04-30 03:55:20 -04:00
netfilter netfilter: nf_conntrack: fix rt6i_gateway checks for H.323 helper 2013-11-04 04:31:05 -08:00
netlabel netlabel: improve domain mapping validation 2013-05-19 14:49:55 -07:00
netlink genl: Hold reference on correct module while netlink-dump. 2013-09-14 06:54:55 -07:00
netrom netrom: info leak in ->getname() 2013-04-25 01:47:58 -04:00
nfc NFC: llcp: Fix non blocking sockets connections 2013-08-29 09:47:30 -07:00
openvswitch openvswitch: Remove unneeded ovs_netdev_get_ifindex() 2013-04-30 00:19:11 -04:00
packet packet: restore packet statistics tp_packets to include drops 2013-09-14 06:54:55 -07:00
phonet rtnetlink: Remove passing of attributes into rtnl_doit functions 2013-03-22 10:31:16 -04:00
rds net/rds: zero last byte for strncpy 2013-03-08 00:35:44 -05:00
rfkill Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next 2013-04-22 14:58:14 -04:00
rose rose: fix info leak via msg_name in rose_recvmsg() 2013-04-07 16:28:02 -04:00
rxrpc
sched net_sched: htb: fix a typo in htb_change_class() 2013-10-13 16:08:29 -07:00
sctp sctp: Perform software checksum if packet has to be fragmented. 2013-11-04 04:31:04 -08:00
sunrpc rpc: let xdr layer allocate gssproxy receieve pages 2013-10-01 09:17:48 -07:00
tipc tipc: set sk_err correctly when connection fails 2013-09-14 06:54:56 -07:00
unix net: unix: inherit SOCK_PASS{CRED, SEC} flags from socket to fix race 2013-11-04 04:31:04 -08:00
vmw_vsock Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-04-30 03:55:20 -04:00
wimax
wireless wireless: radiotap: fix parsing buffer overrun 2013-11-04 04:31:06 -08:00
x25 x25: Fix broken locking in ioctl error paths. 2013-07-28 16:29:45 -07:00
xfrm xfrm: force a garbage collection after deleting a policy 2013-05-31 17:30:07 -07:00
compat.c net: heap overflow in __audit_sockaddr() 2013-11-04 04:31:00 -08:00
Kconfig netlink: kconfig: move mmap i/o into netlink kconfig 2013-05-01 15:02:42 -04:00
Makefile
nonet.c
socket.c net: heap overflow in __audit_sockaddr() 2013-11-04 04:31:00 -08:00
sysctl_net.c net: Update the sysctl permissions handler to test effective uid/gid 2013-10-13 16:08:34 -07:00