[PATCH] orinoco: Information leakage due to incorrect padding

The orinoco driver can send uninitialized data exposing random pieces of
the system memory. This happens because data is not padded with zeroes
when its length needs to be increased.

Reported by Meder Kydyraliev <meder@o0o.nu>

Signed-off-by: Pavel Roskin <proski@gnu.org>
Signed-off-by: Jeff Garzik <jgarzik@pobox.com>

authored by Pavel Roskin and committed by Jeff Garzik 9bc39bec bb77c03c

+9 -5
drivers/net/wireless/orinoco.c
··· 503 return 0; 504 } 505 506 - /* Length of the packet body */ 507 - /* FIXME: what if the skb is smaller than this? */ 508 - len = max_t(int,skb->len - ETH_HLEN, ETH_ZLEN - ETH_HLEN); 509 510 eh = (struct ethhdr *)skb->data; 511 ··· 562 p = skb->data; 563 } 564 565 - /* Round up for odd length packets */ 566 - err = hermes_bap_pwrite(hw, USER_BAP, p, ALIGN(data_len, 2), 567 txfid, data_off); 568 if (err) { 569 printk(KERN_ERR "%s: Error %d writing packet to BAP\n",
··· 503 return 0; 504 } 505 506 + /* Check packet length, pad short packets, round up odd length */ 507 + len = max_t(int, ALIGN(skb->len, 2), ETH_ZLEN); 508 + if (skb->len < len) { 509 + skb = skb_padto(skb, len); 510 + if (skb == NULL) 511 + goto fail; 512 + } 513 + len -= ETH_HLEN; 514 515 eh = (struct ethhdr *)skb->data; 516 ··· 557 p = skb->data; 558 } 559 560 + err = hermes_bap_pwrite(hw, USER_BAP, p, data_len, 561 txfid, data_off); 562 if (err) { 563 printk(KERN_ERR "%s: Error %d writing packet to BAP\n",
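Review bot: in the first hunk (new lines 508-512), a failed skb_padto() leaves the local skb set to NULL before `goto fail`, and the code at `fail` is not visible here. Confirm that the fail path neither dereferences nor frees skb and that its return value is right for a packet that will not be sent; if it is not, this case needs its own label. The new comment could also say that the pad bytes must be zero because they go out on the air, since that is the point of replacing the old max_t() on the body length and its FIXME.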
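Review bot: in the second hunk (new line 560), dropping ALIGN(data_len, 2) is only safe if data_len is already even on every path, and that now depends on the rounding at new line 507, far from this call. The computation of data_len is not shown, and the `p = skb->data; }` just above indicates more than one branch sets up p; check that each branch derives data_len from the rounded len. A one-line comment at the hermes_bap_pwrite() call stating that the length was already padded and rounded would replace the deleted "Round up for odd length packets" comment.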