Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/external/bsd/wpa/dist/src/ap The length of the WMM Action fr...
details: https://anonhg.NetBSD.org/src/rev/c80d44cd5d66
branches: trunk
changeset: 808219:c80d44cd5d66
user: christos <christos%NetBSD.org@localhost>
date: Sat May 09 19:35:15 2015 +0000
description:
The length of the WMM Action frame was not properly validated and the
length of the information elements (int left) could end up being
negative. This would result in reading significantly past the stack
buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
so, resulting in segmentation fault.
This can result in an invalid frame being used for a denial of service
attack (hostapd process killed) against an AP with a driver that uses
hostapd for management frame processing (e.g., all mac80211-based
drivers).
Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.
XXX: pullup-7
diffstat:
external/bsd/wpa/dist/src/ap/wmm.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diffs (13 lines):
diff -r d81167c7b34f -r c80d44cd5d66 external/bsd/wpa/dist/src/ap/wmm.c
--- a/external/bsd/wpa/dist/src/ap/wmm.c Sat May 09 19:33:47 2015 +0000
+++ b/external/bsd/wpa/dist/src/ap/wmm.c Sat May 09 19:35:15 2015 +0000
@@ -274,6 +274,9 @@
return;
}
+ if (left < 0)
+ return; /* not a valid WMM Action frame */
+
/* extract the tspec info element */
if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) {
hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
Home |
Main Index |
Thread Index |
Old Index