[Lucid][CVE-2013-7027] wireless: radiotap: fix parsing buffer overrun

Luis Henriques luis.henriques at canonical.com
Thu Jan 16 17:01:03 UTC 2014


From: Johannes Berg <johannes.berg at intel.com>

CVE-2013-7027
BugLink: http://bugs.launchpad.net/bugs/1260622

When parsing an invalid radiotap header, the parser can overrun
the buffer that is passed in because it doesn't correctly check
 1) the minimum radiotap header size
 2) the space for extended bitmaps

The first issue doesn't affect any in-kernel user as they all
check the minimum size before calling the radiotap function.
The second issue could potentially affect the kernel if an skb
is passed in that consists only of the radiotap header with a
lot of extended bitmaps that extend past the SKB. In that case
a read-only buffer overrun by at most 4 bytes is possible.

Fix this by adding the appropriate checks to the parser.

Cc: stable at vger.kernel.org
Reported-by: Evan Huus <eapache at gmail.com>
Signed-off-by: Johannes Berg <johannes.berg at intel.com>
(back ported from commit f5563318ff1bde15b10e736e97ffce13be08bc1a)
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 net/wireless/radiotap.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/wireless/radiotap.c b/net/wireless/radiotap.c
index f591871..4c4c8bd 100644
--- a/net/wireless/radiotap.c
+++ b/net/wireless/radiotap.c
@@ -54,6 +54,10 @@ int ieee80211_radiotap_iterator_init(
     struct ieee80211_radiotap_header *radiotap_header,
     int max_length)
 {
+	/* check the radiotap header can actually be present */
+	if (max_length < sizeof(struct ieee80211_radiotap_header))
+		return -EINVAL;
+
 	/* Linux only supports version 0 radiotap format */
 	if (radiotap_header->it_version)
 		return -EINVAL;
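Review bot: In the new size check at the top of ieee80211_radiotap_iterator_init(), max_length is declared int but is compared against a sizeof result, so it is converted to an unsigned type and a negative max_length passes the test. Reject max_length < 0 first, or compare against (int)sizeof(struct ieee80211_radiotap_header), so the dereference of radiotap_header->it_version below is only reached with a buffer that can hold the header.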
@@ -83,7 +87,8 @@ int ieee80211_radiotap_iterator_init(
 			 */
 
 			if (((ulong)iterator->arg -
-			     (ulong)iterator->rtheader) > iterator->max_length)
+			     (ulong)iterator->rtheader +
+			     sizeof(uint32_t)) > iterator->max_length)
 				return -EINVAL;
 		}
 
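Review bot: The sizeof(uint32_t) term added to the bound check on iterator->arg has no comment explaining that it accounts for the 4-byte extended bitmap word about to be read, which makes it easy to drop in a later cleanup. A one-line comment above the condition would help, and since the same expression now spans three lines with (ulong) casts, a small helper or a local offset variable would make the comparison against iterator->max_length easier to audit.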
-- 
1.8.3.2
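The two checks listed in the commit message, shown as an added user-space example (not the kernel code and not part of this patch). The helper name rt_count_present_words and the sample buffers are constructed for illustration; the header layout assumed is the standard 8-byte radiotap header with bit 31 of each it_present word signalling a further bitmap word.

```c
#include <stddef.h>
#include <stdint.h>

#define RT_HDR_LEN 8u          /* it_version, it_pad, it_len, it_present */
#define RT_EXT_BIT (1u << 31)  /* bit 31: another it_present word follows */

static uint32_t rd_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/*
 * Hypothetical helper: count the it_present bitmap words of a radiotap
 * header held in buf[0..buf_len). Returns -1 for a header that would
 * make the walk read outside the buffer.
 */
int rt_count_present_words(const uint8_t *buf, size_t buf_len)
{
	size_t it_len, off = 4;    /* offset of the first it_present word */
	int words = 1;

	if (buf_len < RT_HDR_LEN)  /* check 1: minimum header size */
		return -1;
	if (buf[0] != 0)           /* only version 0 is defined */
		return -1;
	it_len = (size_t)buf[2] | (size_t)buf[3] << 8;
	if (it_len < RT_HDR_LEN || it_len > buf_len)
		return -1;

	while (rd_le32(buf + off) & RT_EXT_BIT) {
		off += 4;
		if (off + 4 > it_len)  /* check 2: room for the next bitmap word */
			return -1;
		words++;
	}
	return words;
}

/* Constructed sample: it_len = 12, one extended bitmap word, well formed. */
const uint8_t rt_ok[12] = { 0, 0, 12, 0,  0, 0, 0, 0x80,  0x01, 0, 0, 0 };
/* Constructed sample: it_len = 8 but the extension bit claims another word. */
const uint8_t rt_bad[8] = { 0, 0, 8, 0,  0, 0, 0, 0x80 };
```

Without check 2, the walk over rt_bad would read the 4 bytes just past the end of the buffer.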



