The following security issue has recently been reported to us. The original reporter wishes to stay anonymous.
A restricted local user can make an unprivileged I/O control call to the driver's ieee80211_ioctl_getwmmparams. This function accepts an array index from the user, which is validated incorrectly. The function checks that the index supplied by the user is less than a maximum value, but does not check if the index is less than 0. A local attacker can specify a large negative number which will pass the check, and cause an error in the array dereference.
On SuSE 10.2 32-bit, various components that relied on the networking system stopped functioning. The GUI appeared to still be usable. It also appears that a crafty attacker can use smaller negative values and enumerate portions of kernel memory, because the value of the memory at the array dereference is returned to the caller. However, this has not been verified by the reporter.
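
The upper-bound-only check described above, next to two corrected forms, as an added C example (not the driver's code). The table, its size, the sample values and all function names are hypothetical; the flawed check is only evaluated here, never used to index the array.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define NUM_ENTRIES 4                    /* hypothetical table size */
static const int params[NUM_ENTRIES] = { 3, 7, 2, 2 };  /* constructed values */

/* Flawed pattern: a signed index is compared against the maximum only,
 * so every negative value passes the check. */
int index_ok_flawed(int idx)
{
    return idx < NUM_ENTRIES;
}

/* Correction 1: check both bounds of the signed index. */
int index_ok_signed(int idx)
{
    return idx >= 0 && idx < NUM_ENTRIES;
}

/* Correction 2: compare as unsigned; a negative index converts to a very
 * large value and fails the single upper-bound comparison. */
int index_ok_unsigned(int idx)
{
    return (unsigned int)idx < (unsigned int)NUM_ENTRIES;
}

/* Hardened lookup: validates before dereferencing, returns 0 or -1. */
int param_get(int idx, int *out)
{
    if (out == NULL || !index_ok_signed(idx))
        return -1;
    *out = params[idx];
    return 0;
}

int main(void)
{
    const int probes[] = { 0, 3, 4, -1, INT_MIN };  /* constructed inputs */
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int v = 0;
        printf("idx=%d flawed=%d signed=%d unsigned=%d get=%d\n", probes[i],
               index_ok_flawed(probes[i]), index_ok_signed(probes[i]),
               index_ok_unsigned(probes[i]), param_get(probes[i], &v));
    }
    return 0;
}
```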