The following security issue has recently been reported to us. The original reporter wishes to stay anonymous.
There is a vulnerability in the packet parsing code whereby a remote attacker can craft a malicious packet that will DoS the system. Due to improper sanitization of nested 802.3 Ethernet frame length fields in Fast Frame packets, the MadWifi driver is vulnerable to a remote kernel denial of service. The problem is that the frame length is read directly from the attacker's packet without validation. The attacker can specify a length such that, after the skb_pull operation, skb1 holds fewer than sizeof(ethernet_header) bytes. When skb_pull is called again on skb1 in athff_decap, it returns NULL, and that NULL pointer is dereferenced later in the function.
Tests have been made on a SuSE 10.2 32-bit system: after sending the packet, the victim's machine completely locks up and requires a reboot.
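As an added illustration (not the MadWifi driver's code), the following is a hypothetical C model of the two-step skb_pull sequence described above, beside a checked version that validates the nested length field before using it. The `struct skb` stand-in, `decap_unchecked`, `decap_checked` and the zeroed 40-byte buffer are assumptions made for this demonstration; only the skb_pull contract (NULL when the pull exceeds the bytes left) follows the kernel.

```c
#include <stddef.h>
#include <stdint.h>

#define ETH_HDR_LEN 14  /* sizeof(struct ether_header) on the wire */

/* Minimal stand-in for a Linux sk_buff: current data pointer and bytes left. */
struct skb { const uint8_t *data; size_t len; };

/* Same contract as the kernel's skb_pull(): NULL when n exceeds the bytes left. */
static const uint8_t *skb_pull(struct skb *s, size_t n) {
    if (n > s->len) return NULL;
    s->data += n;
    s->len -= n;
    return s->data;
}

/* Hypothetical model of the unchecked path: the nested frame length is taken
 * straight from the packet and the buffer advanced by it; the caller then pulls
 * an Ethernet header assuming one is left. In the driver the NULL returned by
 * that second pull was dereferenced later in the function. */
static const uint8_t *decap_unchecked(struct skb *s, size_t nested_len) {
    skb_pull(s, nested_len);
    return skb_pull(s, ETH_HDR_LEN);
}

/* Hardened form: validate the untrusted length before using it. Returns 0 (drop
 * the frame) unless it fits and leaves at least one full Ethernet header. */
static int decap_checked(struct skb *s, size_t nested_len) {
    if (nested_len > s->len || s->len - nested_len < ETH_HDR_LEN)
        return 0;
    skb_pull(s, nested_len);
    skb_pull(s, ETH_HDR_LEN);
    return 1;
}

/* Constructed input: a zeroed 40-byte buffer; nested_len is the untrusted field.
 * Returns 1 when the unchecked path ends with a NULL skb pointer. */
static int unchecked_yields_null(size_t nested_len) {
    static const uint8_t buf[40] = {0};
    struct skb s = { buf, sizeof buf };
    return decap_unchecked(&s, nested_len) == NULL;
}

/* Same input through the checked path; returns 1 if accepted, 0 if dropped. */
static int checked_accepts(size_t nested_len) {
    static const uint8_t buf[40] = {0};
    struct skb s = { buf, sizeof buf };
    return decap_checked(&s, nested_len);
}
```

With a 40-byte buffer, a nested length of 30 leaves 10 bytes, so the unchecked path returns NULL while the checked path drops the frame; a length of 26 leaves exactly one header and is accepted.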