Project: FreeWRT
Contents of /branches/freewrt_1_0/package/madwifi/patches/patch-net80211_ieee80211_input_c



Revision 2951
Tue Jun 26 19:20:08 2007 UTC (6 years, 8 months ago) by tha
File size: 3740 byte(s)
Madwifi (fixing bug: #155):
 - downgraded to 0.9.2.1, because in 0.9.3.x the madwifi kernel module
   oopses in monitor mode.
 - applied Debian's security fixes for 0.9.2.1, because every
   unpatched version before 0.9.3.1 is vulnerable to three known security
   issues (see madwifi.org).
 - converted four manual patches to the freewrt patch format
 - thx to shorty for sending a one-liner fix in the Makefile for 0.9.2.1

Aiccu (fixing a bug reported via the xen-users ml by Frank Matthiess):
 - merged fix from trunk rev #2881 for fixing a bug regarding a broken
   IP Header in the aiccu packets.

Broadcom-wl-util (fixing bug: #334):
 - quoted the wpa password in the if-<pre>up.d scripts.
   hopefully this fixes this bug. Until now I only checked that it
   doesn't break something that was already working before.

Freeradius (fixing bug: #321):
 - the init.d script now exports the correct library path before radiusd
   is started. otherwise the daemon fails in certain setups because some
   libraries cannot be found. thx to tg for this fix.

License:
 - updated the license file to reflect the current developer team.
   the names and the alphabetic order have been "stolen" by me from
   http://www.freewrt.org/trac/wiki/Development/Developers


1 $FreeWRT$
2 --- madwifi-0.9.2.1.orig/net80211/ieee80211_input.c 2006-07-06 05:23:08.000000000 +0200
3 +++ madwifi-0.9.2.1/net80211/ieee80211_input.c 2007-06-26 18:54:01.000000000 +0200
4 @@ -699,13 +699,31 @@ ieee80211_input(struct ieee80211_node *n
5
6 /* NB: assumes linear (i.e., non-fragmented) skb */
7
8 + /* check length > header */
9 + if (skb->len < sizeof(struct ether_header) + LLC_SNAPFRAMELEN
10 + + roundup(sizeof(struct athl2p_tunnel_hdr) - 2, 4) + 2) {
11 + IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
12 + ni->ni_macaddr, "data", "%s", "decap error");
13 + vap->iv_stats.is_rx_decap++;
14 + IEEE80211_NODE_STAT(ni, rx_decap);
15 + goto err;
16 + }
17 +
18 /* get to the tunneled headers */
19 ath_hdr = (struct athl2p_tunnel_hdr *)
20 skb_pull(skb, sizeof(struct ether_header) + LLC_SNAPFRAMELEN);
21 - /* ignore invalid frames */
22 - if(ath_hdr == NULL)
23 + eh_tmp = (struct ether_header *)
24 + skb_pull(skb, roundup(sizeof(struct athl2p_tunnel_hdr) - 2, 4) + 2);
25 + /* sanity check for malformed 802.3 length */
26 + frame_len = ntohs(eh_tmp->ether_type);
27 + if (skb->len < roundup(sizeof(struct ether_header) + frame_len, 4)) {
28 + IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
29 + ni->ni_macaddr, "data", "%s", "decap error");
30 + vap->iv_stats.is_rx_decap++;
31 + IEEE80211_NODE_STAT(ni, rx_decap);
32 goto err;
33 -
34 + }
35 +
36 /* only implementing FF now. drop all others. */
37 if (ath_hdr->proto != ATH_L2TUNNEL_PROTO_FF) {
38 IEEE80211_DISCARD_MAC(vap,
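
Review bot: `frame_len = ntohs(eh_tmp->ether_type)` reads the inner 802.3 header before anything has confirmed that the header is present. The first check only guarantees `sizeof(struct ether_header) + LLC_SNAPFRAMELEN` plus the padded tunnel header, so after the two `skb_pull()` calls `skb->len` may be as small as 0 and the `ether_type` field can lie beyond the received data; the `roundup(sizeof(struct ether_header) + frame_len, 4)` test only runs after that read. Adding `sizeof(struct ether_header)` to the first length test, or testing `skb->len < sizeof(struct ether_header)` before the read, would close this. Both discard paths also log the same "decap error" string; distinct messages would show which check fired.
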
39 @@ -718,14 +736,7 @@ ieee80211_input(struct ieee80211_node *n
40 }
41 vap->iv_stats.is_rx_ffcnt++;
42
43 - /* move past the tunneled header, with alignment */
44 - skb_pull(skb, roundup(sizeof(struct athl2p_tunnel_hdr) - 2, 4) + 2);
45 -
46 skb1 = skb_clone(skb, GFP_ATOMIC); /* XXX: GFP_ATOMIC is overkill? */
47 - eh_tmp = (struct ether_header *)skb->data;
48 -
49 - /* ether_type must be length*/
50 - frame_len = ntohs(eh_tmp->ether_type);
51
52 /* we now have 802.3 MAC hdr followed by 802.2 LLC/SNAP. convert to DIX */
53 athff_decap(skb);
54 @@ -735,8 +746,6 @@ ieee80211_input(struct ieee80211_node *n
55
56 /* prepare second tunneled frame */
57 skb_pull(skb1, roundup(sizeof(struct ether_header) + frame_len, 4));
58 - eh_tmp = (struct ether_header *)skb1->data;
59 - frame_len = ntohs(eh_tmp->ether_type);
60 athff_decap(skb1);
61
62 /* deliver the frames */
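
Review bot: After `skb_pull(skb1, roundup(sizeof(struct ether_header) + frame_len, 4))` nothing in the visible lines checks how much of the second tunneled frame remains before `athff_decap(skb1)` runs. The length check added in the first hunk bounds only the first subframe, so the pull succeeds but `skb1` may hold fewer bytes than an 802.3 header plus LLC/SNAP. Unless `athff_decap()` validates the length itself, add a test on `skb1->len` here and take the same discard path.
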
63 @@ -2529,7 +2538,20 @@ ieee80211_recv_mgmt(struct ieee80211_nod
64 vap->iv_stats.is_rx_chanmismatch++;
65 return;
66 }
67 -
68 +
69 + /* IEEE802.11 does not specify the allowed range for
70 + * beacon interval. We discard any beacons with a
71 + * beacon interval outside of an arbitrary range in
72 + * order to protect against attack.
73 + */
74 + if (!(IEEE80211_BINTVAL_MIN <= scan.bintval &&
75 + scan.bintval <= IEEE80211_BINTVAL_MAX)) {
76 + IEEE80211_DISCARD(vap, IEEE80211_MSG_SCAN,
77 + wh, "beacon", "invalid beacon interval (%u)",
78 + scan.bintval);
79 + return;
80 + }
81 +
82 /*
83 * Count frame now that we know it's to be processed.
84 */
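
Review bot: The new discard path for an out-of-range `scan.bintval` returns without incrementing any statistic, while the channel-mismatch discard directly above it bumps `vap->iv_stats.is_rx_chanmismatch`. A counter for rejected beacon intervals would make these drops visible without relying on the discard message. The comment calls the range arbitrary; it should also state the bounds and their unit, or point to where `IEEE80211_BINTVAL_MIN` and `IEEE80211_BINTVAL_MAX` are defined, since neither definition appears in this file's patch.
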
85 @@ -2659,7 +2681,7 @@ ieee80211_recv_mgmt(struct ieee80211_nod
86 IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3);
87 memcpy(ni->ni_tstamp.data, scan.tstamp,
88 sizeof(ni->ni_tstamp));
89 - ni->ni_intval = scan.bintval;
90 + ni->ni_intval = IEEE80211_BINTVAL_SANITISE(scan.bintval);
91 ni->ni_capinfo = scan.capinfo;
92 ni->ni_chan = ic->ic_curchan;
93 ni->ni_fhdwell = scan.fhdwell;
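
Review bot: `ni->ni_intval = IEEE80211_BINTVAL_SANITISE(scan.bintval)` silently substitutes a value, whereas the earlier hunk in the same function discards the frame, and the patch does not say why the two sites differ. A one-line comment stating what the macro yields for an out-of-range input, and why substituting rather than rejecting is right at this point, would help the next reader; the macro itself is defined outside this file.
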
94 @@ -3082,7 +3104,7 @@ ieee80211_recv_mgmt(struct ieee80211_nod
95 ni->ni_rssi = rssi;
96 ni->ni_rstamp = rstamp;
97 ni->ni_last_rx = jiffies;
98 - ni->ni_intval = bintval;
99 + ni->ni_intval = IEEE80211_BINTVAL_SANITISE(bintval);
100 ni->ni_capinfo = capinfo;
101 ni->ni_chan = ic->ic_curchan;
102 ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
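
Review bot: At `ni->ni_intval = IEEE80211_BINTVAL_SANITISE(bintval)` the macro is the only validation of `bintval` in the visible context, and it leaves no trace when it changes the value. Consider emitting a debug or discard message when the sanitised value differs from the input, so that peers sending out-of-range intervals can be identified.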
