Dear Ben,

Thanks. The IE_CF_PARM EID_STRUCT Octet data structure in "mlme.h" will change to unsigned char too.
-----Original Message-----
From: Ben Hutchings [mailto:b...@decadent.org.uk]
Sent: Monday, January 26, 2009 2:34 AM
To: 513...@bugs.debian.org
Cc: rt2400-de...@lists.sourceforge.net; Dennis Lee; Eddy Tsai
Subject: Re: Possible security flaw in ad-hoc probe request processing

On Sun, 2009-01-25 at 16:21 +0000, Ben Hutchings wrote:
[...]
> Ralink's Linux drivers are based on their Windows drivers and the
> following code in PeerProbeReqSanity() in the source file sanity.c
> appears to have exactly this flaw:
>
> if ((pFrame->Octet[0] != IE_SSID) || (pFrame->Octet[1] > MAX_LEN_OF_SSID))
> {
>     DBGPRINT(RT_DEBUG_TRACE, "PeerProbeReqSanity fail - wrong SSID IE(Type=%d,Len=%d)\n",pFrame->Octet[0],pFrame->Octet[1]);
>     return FALSE;
> }
>
> *pSsidLen = pFrame->Octet[1];
> memcpy(Ssid, &pFrame->Octet[2], *pSsidLen);
>
> pFrame->Octet is an array of signed char and MAX_LEN_OF_SSID expands
> to a decimal literal which will have type int. Therefore unsigned
> values in the range [128, 255] will be treated as values in the range
> [-128, -1] and will pass the test.
>
> Similar code exists in the rt2400, rt2500, rt2570, rt61 and rt2860
> drivers.

In the rt2860 driver pFrame->Octet is an array of unsigned char and so the code appears to be correct.

There is a similar bug in the handling of IE_CF_PARM (also found in rt73). However I don't think it allows code injection, and it might not be a security problem at all. My proposed patch is:

--- rt2860-source-1.8.0.0.orig/common/cmm_sanity.c
+++ rt2860-source-1.8.0.0/common/cmm_sanity.c
@@ -517,8 +517,8 @@ pCfParm->bValid = TRUE; pCfParm->CfpCount = pEid->Octet[0]; pCfParm->CfpPeriod = pEid->Octet[1]; - pCfParm->CfpMaxDuration = pEid->Octet[2] + 256 * pEid->Octet[3]; - pCfParm->CfpDurRemaining = pEid->Octet[4] + 256 * pEid->Octet[5]; + pCfParm->CfpMaxDuration = (UCHAR)pEid->Octet[2] + 256 * (UCHAR)pEid->Octet[3]; + pCfParm->CfpDurRemaining = (UCHAR)pEid->Octet[4] + 256 * (UCHAR)pEid->Octet[5]; } else {
--- END ---

Ben.
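Review bot: the unchanged context lines `pCfParm->CfpCount = pEid->Octet[0];` and `pCfParm->CfpPeriod = pEid->Octet[1];` read the same signed `Octet` array without a cast, so if `CfpCount` or `CfpPeriod` is wider than one byte they sign-extend for values 128..255 exactly like the two `CfpMaxDuration`/`CfpDurRemaining` lines this hunk fixes; either cast those two reads to `UCHAR` as well, or take the route Ralink's reply proposes and change `Octet` in `EID_STRUCT` to `unsigned char` so every reader of the element is covered at once rather than patching each arithmetic site.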
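To make the signed-char comparison in the quoted PeerProbeReqSanity() check concrete, here is an added example (not code from the Ralink drivers or from this thread): the quoted length check compiled against a signed view of the element bytes, beside a hardened form that reads the length as unsigned char and, as an extra check beyond what the thread discusses, also requires the declared length to fit inside the received bytes. The values of IE_SSID (0) and MAX_LEN_OF_SSID (32) and the sample elements are assumed and constructed here.

```c
#include <stddef.h>
#include <string.h>

/* Assumed values: IE_SSID is the 802.11 SSID element id (0) and
   MAX_LEN_OF_SSID is the 32-byte SSID limit the quoted check compares against. */
#define IE_SSID         0
#define MAX_LEN_OF_SSID 32

/* The quoted check with the element viewed through signed char, as in the
   affected drivers. Returns 1 if the element is accepted, 0 if rejected.
   A length byte of 128..255 promotes to a negative int, so the
   "> MAX_LEN_OF_SSID" test is false and the oversized length is accepted. */
int ssid_check_signed(const unsigned char *frame)
{
    const signed char *octet = (const signed char *)frame;
    if ((octet[0] != IE_SSID) || (octet[1] > MAX_LEN_OF_SSID))
        return 0;
    return 1;
}

/* Hardened form: the length is read as unsigned char (what the rt2860 driver
   and the proposed mlme.h change do) and, as an added check beyond the thread,
   must also fit inside the bytes actually received. */
int ssid_check_fixed(const unsigned char *frame, size_t frame_len)
{
    if (frame_len < 2)
        return 0;
    unsigned char len = frame[1];
    if ((frame[0] != IE_SSID) || (len > MAX_LEN_OF_SSID))
        return 0;
    if ((size_t)len > frame_len - 2)   /* declared length runs past the frame */
        return 0;
    return 1;
}

/* Copies the SSID only after the hardened check, so the memcpy is bounded
   by both the 32-byte limit and the frame. Returns the SSID length, or -1. */
int ssid_parse(const unsigned char *frame, size_t frame_len,
               unsigned char ssid[MAX_LEN_OF_SSID])
{
    if (!ssid_check_fixed(frame, frame_len))
        return -1;
    memcpy(ssid, &frame[2], frame[1]);
    return frame[1];
}
/* Constructed sample elements: a valid 5-byte SSID and one whose length
   byte is 200 (0xC8), far above the 32-byte limit but negative as signed char. */
const unsigned char ssid_ok[]       = { IE_SSID, 5, 'h', 'e', 'l', 'l', 'o' };
const unsigned char ssid_too_long[] = { IE_SSID, 200, 'A', 'B', 'C', 'D' };
```

Run against the two constructed elements, the signed check accepts both while the hardened check rejects the 200-byte one, which is why a driver should never feed a length straight from the wire into memcpy.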