aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPavel Roskin <proski@gnu.org>2005-10-04 21:33:10 -0400
committerJeff Garzik <jgarzik@pobox.com>2005-10-04 23:37:21 -0400
commit9bc39bec87ee3e35897fe27441e979e7c208f624 (patch)
tree7c46d832b837b4441f7f4e4465d908b0e3e02a36
parentbb77c03cf40fec911c4ce9610b8207bf0050a5fd (diff)
[PATCH] orinoco: Information leakage due to incorrect padding
The orinoco driver can send uninitialized data exposing random pieces of the system memory. This happens because data is not padded with zeroes when its length needs to be increased. Reported by Meder Kydyraliev <meder@o0o.nu> Signed-off-by: Pavel Roskin <proski@gnu.org> Signed-off-by: Jeff Garzik <jgarzik@pobox.com>
-rw-r--r--drivers/net/wireless/orinoco.c14
1 files changed, 9 insertions, 5 deletions
diff --git a/drivers/net/wireless/orinoco.c b/drivers/net/wireless/orinoco.c
index 6deb7cc810cc..cf3daaa1b369 100644
--- a/drivers/net/wireless/orinoco.c
+++ b/drivers/net/wireless/orinoco.c
@@ -503,9 +503,14 @@ static int orinoco_xmit(struct sk_buff *skb, struct net_device *dev)
503 return 0; 503 return 0;
504 } 504 }
505 505
506 /* Length of the packet body */ 506 /* Check packet length, pad short packets, round up odd length */
507 /* FIXME: what if the skb is smaller than this? */ 507 len = max_t(int, ALIGN(skb->len, 2), ETH_ZLEN);
508 len = max_t(int,skb->len - ETH_HLEN, ETH_ZLEN - ETH_HLEN); 508 if (skb->len < len) {
509 skb = skb_padto(skb, len);
510 if (skb == NULL)
511 goto fail;
512 }
513 len -= ETH_HLEN;
509 514
510 eh = (struct ethhdr *)skb->data; 515 eh = (struct ethhdr *)skb->data;
511 516
@@ -557,8 +562,7 @@ static int orinoco_xmit(struct sk_buff *skb, struct net_device *dev)
557 p = skb->data; 562 p = skb->data;
558 } 563 }
559 564
560 /* Round up for odd length packets */ 565 err = hermes_bap_pwrite(hw, USER_BAP, p, data_len,
561 err = hermes_bap_pwrite(hw, USER_BAP, p, ALIGN(data_len, 2),
562 txfid, data_off); 566 txfid, data_off);
563 if (err) { 567 if (err) {
564 printk(KERN_ERR "%s: Error %d writing packet to BAP\n", 568 printk(KERN_ERR "%s: Error %d writing packet to BAP\n",