On Fri, 2013-10-11 at 14:53 +0200, Johannes Berg wrote: > From: Johannes Berg <johannes.berg@xxxxxxxxx> > > When parsing an invalid radiotap header, the parser can overrun > the buffer that is passed in because it doesn't correctly check > 1) the minimum radiotap header size > 2) the space for extended bitmaps > > The first issue doesn't affect any in-kernel user as they all > check the minimum size before calling the radiotap function. > The second issue could potentially affect the kernel if an skb > is passed in that consists only of the radiotap header with a > lot of extended bitmaps that extend past the SKB. In that case > a read-only buffer overrun by at most 4 bytes is possible. > > Fix this by adding the appropriate checks to the parser. Applied (with another fix pointed out by Evan) johannes -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
