DVL 1.5 has now left planning status. Bug Fixing started!


DVL 1.5 has now left planning status. Bug fixing has started! Some new additions: Lazarus IDE, ArgoUML, BlueJ, and updated Firefox plugins. The DVL Wargame is making progress as well!

 
DVL 1.5 now in planning status


DVL 1.5 now has the status "planning". Besides this, we are working on the concept for 2008: more information, more training and better videos (those which are 100% related to DVL). Stay tuned!
 
Kernel - [IEEE80211]: avoid integer underflow for runt rx frames
Written by DVL Team   


Reported by Chris Evans: The summary is that an evil 80211 frame can crash out a victim's machine. It only applies to drivers using the 80211 wireless code, and only then to certain drivers (and even then depends on a card's firmware not dropping a dubious packet). I must confess I'm not keeping track of Linux wireless support, and the different protocol stacks etc.

>
> Details are as follows:
>
> ieee80211_rx() does not explicitly check that "skb->len >= hdrlen".
> There are other skb->len checks, but not enough to prevent a subtle
> off-by-two error if the frame has the IEEE80211_STYPE_QOS_DATA flag
> set.
>
> This leads to integer underflow and crash here:
>
> if (frag != 0)
>    flen -= hdrlen;
>
> (flen is subsequently used as a memcpy length parameter).

How about this?

Signed-off-by: John W. Linville
Signed-off-by: David S. Miller

net/ieee80211/ieee80211_rx.c  

index f2de2e4..6284c99 100644 (file)
@@ -366,6 +366,12 @@ int ieee80211_rx(struct ieee80211_device *ieee, struct sk_buff *skb,
        frag = WLAN_GET_SEQ_FRAG(sc);
        hdrlen = ieee80211_get_hdrlen(fc);
 
+       if (skb->len < hdrlen) {
+               printk(KERN_INFO "%s: invalid SKB length %d\n",
+                       dev->name, skb->len);
+               goto rx_dropped;
+       }
+
        /* Put this code here so that we avoid duplicating it in all
         * Rx paths. - Jean II */
 #ifdef CONFIG_WIRELESS_EXT
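
Review bot: The printk() in the added `skb->len < hdrlen` branch is not rate limited, and per the report this branch is reached by any runt frame a remote sender transmits, so the fix replaces a crash with a way to flood the kernel log. Consider guarding the message with net_ratelimit() or demoting it to the stack's debug-level logging. Also, skb->len is unsigned, so the format specifier should be %u rather than %d, and printing hdrlen next to it would make the message useful when triaging a misbehaving card.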

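The arithmetic described in the report, as an added userspace model (not kernel code and not part of the original post or patch). The header sizes, the `int` type used for `flen`, the constructed frame lengths, and the names `model_hdrlen`, `copy_len_unchecked` and `copy_len_checked` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_3ADDR_LEN 24 /* assumed: three-address 802.11 header */
#define QOS_CTL_LEN    2 /* assumed: QoS control field, the "off-by-two" */

/* Hypothetical stand-in for ieee80211_get_hdrlen(fc). */
static int model_hdrlen(int qos_data)
{
    return HDR_3ADDR_LEN + (qos_data ? QOS_CTL_LEN : 0);
}

/* Pre-patch arithmetic: the value that would reach memcpy() as its length.
 * flen is modelled as int (assumption); memcpy() takes a size_t. */
static size_t copy_len_unchecked(unsigned int skb_len, int hdrlen, int frag)
{
    int flen = (int)skb_len;
    if (frag != 0)
        flen -= hdrlen;   /* goes below zero when skb_len < hdrlen */
    return (size_t)flen;  /* conversion that happens at the memcpy() call */
}

/* Post-patch behaviour: a runt frame is dropped before the subtraction.
 * Returns 0 and fills *out on success, -1 when the frame is dropped. */
static int copy_len_checked(unsigned int skb_len, int hdrlen, int frag,
                            size_t *out)
{
    if (skb_len < (unsigned int)hdrlen)
        return -1;        /* corresponds to "goto rx_dropped" */
    *out = copy_len_unchecked(skb_len, hdrlen, frag);
    return 0;
}

int main(void)
{
    /* Constructed case: 24-byte frame, QoS data subtype, non-first fragment. */
    unsigned int skb_len = 24;
    int hdrlen = model_hdrlen(1);
    size_t len = 0;

    printf("unchecked copy length: %zu\n",
           copy_len_unchecked(skb_len, hdrlen, 1));
    if (copy_len_checked(skb_len, hdrlen, 1, &len) < 0)
        printf("checked: dropped (len %u < hdrlen %d)\n", skb_len, hdrlen);
    if (copy_len_checked(64, hdrlen, 1, &len) == 0)
        printf("checked: 64-byte frame copies %zu bytes\n", len);
    return 0;
}
```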
 


References

  • IITAC - International Institute (Certification and Training)
  • University of Bielefeld, Germany, Technical Faculty
  • Leibnitz University of Hannover, Germany (Secure Software Development Lecture)
  • University of Applied Sciences and Arts Hannover, Germany (Secure Software Development Lecture)
  • East Tennessee State University, U.S (Ethical Hacking Class)
  • University of the Basque Country, Spain (Computer Security Class)
  • University of Florida, U.S. (Student Infosec Team)
  • Institute Superieur Maritim, Algeria

License


License for Damn Vulnerable Linux distribution

Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 License.


License for training material including all texts, audios and videos

Creative Commons License
This work is licensed under a Creative Commons NonCommercial Sampling Plus 1.0 License.