File 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch of Package wpa_supplicant
From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001 From: Jouni Malinen <j@w1.fi> Date: Wed, 29 Apr 2015 02:21:53 +0300 Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser The length of the WMM Action frame was not properly validated and the length of the information elements (int left) could end up being negative. This would result in reading significantly past the stack buffer while parsing the IEs in ieee802_11_parse_elems() and while doing so, resulting in segmentation fault. This can result in an invalid frame being used for a denial of service attack (hostapd process killed) against an AP with a driver that uses hostapd for management frame processing (e.g., all mac80211-based drivers). Thanks to Kostya Kortchinsky of Google security team for discovering and reporting this issue. Signed-off-by: Jouni Malinen <j@w1.fi> --- src/ap/wmm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/ap/wmm.c b/src/ap/wmm.c index 6d4177c..314e244 100644 --- a/src/ap/wmm.c +++ b/src/ap/wmm.c @@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd, return; } + if (left < 0) + return; /* not a valid WMM Action frame */ + /* extract the tspec info element */ if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) { hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, -- 1.9.1
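Review bot: the added `if (left < 0) return;` in hostapd_wmm_action() drops the frame silently, while the ParseFailed branch directly below it reports through hostapd_logger(). The commit message describes this input as a denial-of-service vector, so a debug-level hostapd_logger() call with mgmt->sa before the return would let an operator see which station sent the malformed WMM Action frame. The guard also runs only after `left` has been computed and can already be negative. Checking the frame length against the fixed part of the Action frame before that computation would keep the signed value from going below zero in the first place, and would still protect ieee802_11_parse_elems() if a later change made `left` unsigned, since a `< 0` test on an unsigned value never fires.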