[kernel/f14] CVE-2011-2517: nl80211: missing check for valid SSID size in scan operations

Chuck Ebbert cebbert at fedoraproject.org
Tue Aug 16 03:26:41 UTC 2011


commit 8ba25ec095026f5ba0e7bb64a242b826b196ab81
Author: Chuck Ebbert <cebbert at redhat.com>
Date:   Mon Aug 15 23:26:22 2011 -0400

    CVE-2011-2517: nl80211: missing check for valid SSID size in scan operations

 kernel.spec                                  |    9 ++++-
 nl80211-fix-overflow-in-ssid_len.patch.patch |   44 ++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 2 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index ec6671f..4256093 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -48,7 +48,7 @@ Summary: The Linux kernel
 # reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec).
 # scripts/rebase.sh should be made to do that for you, actually.
 #
-%global baserelease 94
+%global baserelease 95
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -842,6 +842,8 @@ Patch14010: perf-tools-do-not-look-at-config-for-configuration.patch
 Patch14011: ext4-fix-max-file-size-and-logical-block-counting-of-extent-format-file.patch
 # CVE-2011-2497
 Patch14012: bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
+# CVE-2011-2517
+Patch14013: nl80211-fix-overflow-in-ssid_len.patch.patch
 
 %endif
 
@@ -1584,6 +1586,8 @@ ApplyPatch perf-tools-do-not-look-at-config-for-configuration.patch
 ApplyPatch ext4-fix-max-file-size-and-logical-block-counting-of-extent-format-file.patch
 # CVE-2011-2497
 ApplyPatch bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
+# CVE-2011-2517
+ApplyPatch nl80211-fix-overflow-in-ssid_len.patch.patch
 
 # END OF PATCH APPLICATIONS
 
@@ -2171,10 +2175,11 @@ fi
 # and build.
 
 %changelog
-* Mon Aug 15 2011 Chuck Ebbert <cebbert at redhat.com>
+* Mon Aug 15 2011 Chuck Ebbert <cebbert at redhat.com> 2.6.35.14-95
 - CVE-2011-2905: perf tools: may parse user-controlled configuration file
 - CVE-2011-2695: ext4: kernel panic when writing data to the last block of sparse file
 - CVE-2011-2497: bluetooth: buffer overflow in l2cap config request
+- CVE-2011-2517: nl80211: missing check for valid SSID size in scan operations
 
 * Wed Aug 03 2011 Chuck Ebbert <cebbert at redhat.com> 2.6.35.14-94
 - Linux 2.6.35.14
diff --git a/nl80211-fix-overflow-in-ssid_len.patch.patch b/nl80211-fix-overflow-in-ssid_len.patch.patch
new file mode 100644
index 0000000..caab2b7
--- /dev/null
+++ b/nl80211-fix-overflow-in-ssid_len.patch.patch
@@ -0,0 +1,44 @@
+From: Luciano Coelho <coelho at ti.com>
+Date: Tue, 7 Jun 2011 17:42:26 +0000 (+0300)
+Subject: nl80211: fix overflow in ssid_len
+X-Git-Tag: v3.0-rc4~5^2~13^2~6
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=57a27e1d6a3bb9ad4efeebd3a8c71156d6207536
+
+nl80211: fix overflow in ssid_len
+[ 2.6.35 backport ]
+
+When one of the SSID's length passed in a scan or sched_scan request
+is larger than 255, there will be an overflow in the u8 that is used
+to store the length before checking.  This causes the check to fail
+and we overrun the buffer when copying the SSID.
+
+Fix this by checking the nl80211 attribute length before copying it to
+the struct.
+
+This is a follow up for the previous commit
+208c72f4fe44fe09577e7975ba0e7fa0278f3d03, which didn't fix the problem
+entirely.
+
+Reported-by: Ido Yariv <ido at wizery.com>
+Signed-off-by: Luciano Coelho <coelho at ti.com>
+Signed-off-by: John W. Linville <linville at tuxdriver.com>
+---
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 88a565f..98fa8eb 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -3179,11 +3179,11 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
+ 	i = 0;
+ 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
+ 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
+-			request->ssids[i].ssid_len = nla_len(attr);
+-			if (request->ssids[i].ssid_len > IEEE80211_MAX_SSID_LEN) {
++			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
+ 				err = -EINVAL;
+ 				goto out_free;
+ 			}
++			request->ssids[i].ssid_len = nla_len(attr);
+ 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
+ 			i++;
+ 		}
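Review bot: The backport header at `[ 2.6.35 backport ]` carries the upstream description verbatim, including "a scan or sched_scan request", while the backported hunk only touches nl80211_trigger_scan; presumably the sched_scan hunk was dropped because 2.6.35 has no sched_scan, but the patch file should say so, e.g. `[ 2.6.35 backport: sched_scan hunk dropped, sched_scan does not exist in this tree ]`. The reordered check itself is correct as far as the hunk shows: comparing the int returned by nla_len() before it is stored into the u8 ssid_len is what keeps lengths >= 256 from being truncated past the IEEE80211_MAX_SSID_LEN check ahead of the memcpy. The enclosing nl80211_trigger_scan body, including the allocation that sizes request->ssids for the i++ index, starts and ends outside the hunk, so that bound is not checkable here. The file name `nl80211-fix-overflow-in-ssid_len.patch.patch` has a doubled suffix, repeated in the Patch14013 and ApplyPatch lines in kernel.spec; a single `.patch` would match the neighbouring patch names.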

