Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: Linux Kernel Mailing List <linux-kernel <at> vger.kernel.org>
Subject: [PATCH] orinoco: Information leakage due to incorrect padding
Newsgroups: gmane.linux.kernel.commits.head
Date: Wednesday 5th October 2005 13:59:22 UTC (over 11 years ago)
tree 7c46d832b837b4441f7f4e4465d908b0e3e02a36
parent bb77c03cf40fec911c4ce9610b8207bf0050a5fd
author Pavel Roskin  Wed, 05 Oct 2005 05:33:10 -0400
committer Jeff Garzik <[email protected]> Wed, 05 Oct 2005 07:37:21 -0400

[PATCH] orinoco: Information leakage due to incorrect padding

The orinoco driver can send uninitialized data exposing random pieces of
the system memory.  This happens because data is not padded with zeroes
when its length needs to be increased.

Reported by Meder Kydyraliev 

Signed-off-by: Pavel Roskin 
Signed-off-by: Jeff Garzik <[email protected]>

 drivers/net/wireless/orinoco.c |   14 +++++++++-----
 1 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/drivers/net/wireless/orinoco.c
b/drivers/net/wireless/orinoco.c
--- a/drivers/net/wireless/orinoco.c
+++ b/drivers/net/wireless/orinoco.c
@@ -503,9 +503,14 @@ static int orinoco_xmit(struct sk_buff *
 		return 0;
 	}
 
-	/* Length of the packet body */
-	/* FIXME: what if the skb is smaller than this? */
-	len = max_t(int,skb->len - ETH_HLEN, ETH_ZLEN - ETH_HLEN);
+	/* Check packet length, pad short packets, round up odd length */
+	len = max_t(int, ALIGN(skb->len, 2), ETH_ZLEN);
+	if (skb->len < len) {
+		skb = skb_padto(skb, len);
+		if (skb == NULL)
+			goto fail;
+	}
+	len -= ETH_HLEN;
 
 	eh = (struct ethhdr *)skb->data;
 
@@ -557,8 +562,7 @@ static int orinoco_xmit(struct sk_buff *
 		p = skb->data;
 	}
 
-	/* Round up for odd length packets */
-	err = hermes_bap_pwrite(hw, USER_BAP, p, ALIGN(data_len, 2),
+	err = hermes_bap_pwrite(hw, USER_BAP, p, data_len,
 				txfid, data_off);
 	if (err) {
 		printk(KERN_ERR "%s: Error %d writing packet to BAP\n",
 
CD: 4ms