diff options
author | Pavel Roskin <proski@gnu.org> | 2005-10-04 21:33:10 -0400 |
---|---|---|
committer | Jeff Garzik <jgarzik@pobox.com> | 2005-10-04 23:37:21 -0400 |
commit | 9bc39bec87ee3e35897fe27441e979e7c208f624 (patch) | |
tree | 7c46d832b837b4441f7f4e4465d908b0e3e02a36 | |
parent | bb77c03cf40fec911c4ce9610b8207bf0050a5fd (diff) |
[PATCH] orinoco: Information leakage due to incorrect padding
The orinoco driver can send uninitialized data exposing random pieces of
the system memory. This happens because data is not padded with zeroes
when its length needs to be increased.
Reported by Meder Kydyraliev <meder@o0o.nu>
Signed-off-by: Pavel Roskin <proski@gnu.org>
Signed-off-by: Jeff Garzik <jgarzik@pobox.com>
-rw-r--r-- | drivers/net/wireless/orinoco.c | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/drivers/net/wireless/orinoco.c b/drivers/net/wireless/orinoco.c index 6deb7cc810cc..cf3daaa1b369 100644 --- a/drivers/net/wireless/orinoco.c +++ b/drivers/net/wireless/orinoco.c | |||
@@ -503,9 +503,14 @@ static int orinoco_xmit(struct sk_buff *skb, struct net_device *dev) | |||
503 | return 0; | 503 | return 0; |
504 | } | 504 | } |
505 | 505 | ||
506 | /* Length of the packet body */ | 506 | /* Check packet length, pad short packets, round up odd length */ |
507 | /* FIXME: what if the skb is smaller than this? */ | 507 | len = max_t(int, ALIGN(skb->len, 2), ETH_ZLEN); |
508 | len = max_t(int,skb->len - ETH_HLEN, ETH_ZLEN - ETH_HLEN); | 508 | if (skb->len < len) { |
509 | skb = skb_padto(skb, len); | ||
510 | if (skb == NULL) | ||
511 | goto fail; | ||
512 | } | ||
513 | len -= ETH_HLEN; | ||
509 | 514 | ||
510 | eh = (struct ethhdr *)skb->data; | 515 | eh = (struct ethhdr *)skb->data; |
511 | 516 | ||
@@ -557,8 +562,7 @@ static int orinoco_xmit(struct sk_buff *skb, struct net_device *dev) | |||
557 | p = skb->data; | 562 | p = skb->data; |
558 | } | 563 | } |
559 | 564 | ||
560 | /* Round up for odd length packets */ | 565 | err = hermes_bap_pwrite(hw, USER_BAP, p, data_len, |
561 | err = hermes_bap_pwrite(hw, USER_BAP, p, ALIGN(data_len, 2), | ||
562 | txfid, data_off); | 566 | txfid, data_off); |
563 | if (err) { | 567 | if (err) { |
564 | printk(KERN_ERR "%s: Error %d writing packet to BAP\n", | 568 | printk(KERN_ERR "%s: Error %d writing packet to BAP\n", |