Description of problem:
From: Johannes Berg <johannes>
If somebody sends an invalid beacon/probe response, that can trash the whole BSS descriptor. The descriptor is, luckily, large enough so that it cannot scribble past the end of it; it's well above 400 bytes long.
Proposed upstream patch:
The driver was included in the upstream kernel since 2.6.22. We did not backport it to our RHEL kernels.
Our official statement can be found at:
This issue has been addressed in following products:
Red Hat Enterprise MRG v1 for Red Hat Enterprise Linux (version 5)
Via RHSA-2009:0053 available at https://rhn.redhat.com/errata/RHSA-2009-0053.html