* [PATCH SECURITY]: orinoco: Information leakage due to incorrect padding
From: Pavel Roskin @ 2005-10-05 1:33 UTC
To: orinoco-devel, NetDev; +Cc: Meder Kydyraliev
orinoco: Information leakage due to incorrect padding
The orinoco driver can send uninitialized data exposing random pieces of
the system memory. This happens because data is not padded with zeroes
when its length needs to be increased.
Reported by Meder Kydyraliev <meder-ljIgrh4ImVw@public.gmane.org>
Please try to get it to Linux 2.6.14 and maybe even 2.6.13.y. It's a
security issue.
Signed-off-by: Pavel Roskin <proski-mXXj517/zsQ@public.gmane.org>
diff --git a/drivers/net/wireless/orinoco.c b/drivers/net/wireless/orinoco.c
--- a/drivers/net/wireless/orinoco.c
+++ b/drivers/net/wireless/orinoco.c
@@ -490,9 +490,14 @@ static int orinoco_xmit(struct sk_buff *
return 0;
}
- /* Length of the packet body */
- /* FIXME: what if the skb is smaller than this? */
- len = max_t(int,skb->len - ETH_HLEN, ETH_ZLEN - ETH_HLEN);
+ /* Check packet length, pad short packets, round up odd length */
+ len = max_t(int, ALIGN(skb->len, 2), ETH_ZLEN);
+ if (skb->len < len) {
+ skb = skb_padto(skb, len);
+ if (skb == NULL)
+ goto fail;
+ }
+ len -= ETH_HLEN;
eh = (struct ethhdr *)skb->data;
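Review bot: after a failed `skb_padto()` the code reaches `goto fail` with `skb == NULL`, and the `fail` label is outside this hunk, so please confirm that path neither dereferences nor frees `skb`; if `skb_padto()` has already released the original buffer on failure, a free there would be a double free. A smaller point in the same hunk: `len` holds the padded frame length until `len -= ETH_HLEN` turns it into the body length, and a short comment at that line (or a second variable) would keep the two meanings apart for the code that follows.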
@@ -544,8 +549,7 @@ static int orinoco_xmit(struct sk_buff *
p = skb->data;
}
- /* Round up for odd length packets */
- err = hermes_bap_pwrite(hw, USER_BAP, p, ALIGN(data_len, 2),
+ err = hermes_bap_pwrite(hw, USER_BAP, p, data_len,
txfid, data_off);
if (err) {
printk(KERN_ERR "%s: Error %d writing packet to BAP\n",
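Review bot: the `hermes_bap_pwrite()` call now passes `data_len` unrounded, so it relies on `data_len` already being even, and nothing in this hunk shows or states that. The removed "Round up for odd length packets" comment was the only hint at the requirement; a one-line comment here saying that the length was rounded and zero-padded earlier in `orinoco_xmit()` would keep a later change to the length computation from quietly bringing back an odd-length write or a read past the end of `p`.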
--
Regards,
Pavel Roskin
-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
* Re: [PATCH SECURITY]: orinoco: Information leakage due to incorrect padding
From: Jouni Malinen @ 2005-10-07 3:25 UTC
To: Pavel Roskin; +Cc: orinoco-devel, NetDev, Meder Kydyraliev
On Tue, Oct 04, 2005 at 09:33:10PM -0400, Pavel Roskin wrote:
> orinoco: Information leakage due to incorrect padding
>
> The orinoco driver can send uninitialized data exposing random pieces of
> the system memory. This happens because data is not padded with zeroes
> when its length needs to be increased.
Issue itself looks valid in the current implementation, but a better fix
would be to just remove the padding.
> - /* Length of the packet body */
> - /* FIXME: what if the skb is smaller than this? */
> - len = max_t(int,skb->len - ETH_HLEN, ETH_ZLEN - ETH_HLEN);
> + /* Check packet length, pad short packets, round up odd length */
> + len = max_t(int, ALIGN(skb->len, 2), ETH_ZLEN);
> + if (skb->len < len) {
> + skb = skb_padto(skb, len);
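Review bot: the new comment above the `len` computation says what is done but not why the pad has to come from `skb_padto()`. The commit message gives uninitialized data being sent as the reason, so the comment should say that the pad bytes are transmitted and therefore must be zeroed, which also documents why a bare length bump is not acceptable here.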
There is no ETH_ZLEN limit on IEEE 802.11 frames.
--
Jouni Malinen PGP id EFC895FA
* Re: [PATCH SECURITY]: orinoco: Information leakage due to incorrect padding
From: Pavel Roskin @ 2005-10-07 13:39 UTC
To: Jouni Malinen; +Cc: orinoco-devel, NetDev, Meder Kydyraliev
Hi, Jouni!
On Thu, 2005-10-06 at 20:25 -0700, Jouni Malinen wrote:
> On Tue, Oct 04, 2005 at 09:33:10PM -0400, Pavel Roskin wrote:
>
> > orinoco: Information leakage due to incorrect padding
> >
> > The orinoco driver can send uninitialized data exposing random pieces of
> > the system memory. This happens because data is not padded with zeroes
> > when its length needs to be increased.
>
> Issue itself looks valid in the current implementation, but a better fix
> would be to just remove the padding.
Thank you! With you and Jean saying that, I'm pretty much reassured
now :-)
I'll do it in Orinoco CVS soon and then I'll submit the patch.
The patch I posted is actually a simplified version of the patch
actually applied to the orinoco CVS, to make it as safe as possible for
Linux 2.6.14 inclusion.
--
Regards,
Pavel Roskin