[PATCH] orinoco: Information leakage due to incorrect padding
[Posted October 18, 2005 by corbet]
| From: |
| Linux Kernel Mailing List <linux-kernel-AT-vger.kernel.org> |
| To: |
| git-commits-head-AT-vger.kernel.org |
| Subject: |
| [PATCH] orinoco: Information leakage due to incorrect padding |
| Date: |
| Wed, 5 Oct 2005 06:59:22 -0700 |
tree 7c46d832b837b4441f7f4e4465d908b0e3e02a36
parent bb77c03cf40fec911c4ce9610b8207bf0050a5fd
author Pavel Roskin <proski@gnu.org> Wed, 05 Oct 2005 05:33:10 -0400
committer Jeff Garzik <jgarzik@pobox.com> Wed, 05 Oct 2005 07:37:21 -0400
[PATCH] orinoco: Information leakage due to incorrect padding
The orinoco driver can send uninitialized data exposing random pieces of
the system memory. This happens because data is not padded with zeroes
when its length needs to be increased.
Reported by Meder Kydyraliev <meder@o0o.nu>
Signed-off-by: Pavel Roskin <proski@gnu.org>
Signed-off-by: Jeff Garzik <jgarzik@pobox.com>
drivers/net/wireless/orinoco.c | 14 +++++++++-----
1 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/orinoco.c b/drivers/net/wireless/orinoco.c
--- a/drivers/net/wireless/orinoco.c
+++ b/drivers/net/wireless/orinoco.c
@@ -503,9 +503,14 @@ static int orinoco_xmit(struct sk_buff *
return 0;
}
- /* Length of the packet body */
- /* FIXME: what if the skb is smaller than this? */
- len = max_t(int,skb->len - ETH_HLEN, ETH_ZLEN - ETH_HLEN);
+ /* Check packet length, pad short packets, round up odd length */
+ len = max_t(int, ALIGN(skb->len, 2), ETH_ZLEN);
+ if (skb->len < len) {
+ skb = skb_padto(skb, len);
+ if (skb == NULL)
+ goto fail;
+ }
+ len -= ETH_HLEN;
eh = (struct ethhdr *)skb->data;
@@ -557,8 +562,7 @@ static int orinoco_xmit(struct sk_buff *
p = skb->data;
}
- /* Round up for odd length packets */
- err = hermes_bap_pwrite(hw, USER_BAP, p, ALIGN(data_len, 2),
+ err = hermes_bap_pwrite(hw, USER_BAP, p, data_len,
txfid, data_off);
if (err) {
printk(KERN_ERR "%s: Error %d writing packet to BAP\n",