|
 |
1dabd5 |
From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001
|
|
|
1dabd5 |
From: Jouni Malinen <j@w1.fi>
|
|
|
1dabd5 |
Date: Wed, 29 Apr 2015 02:21:53 +0300
|
|
|
1dabd5 |
Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser
|
|
|
1dabd5 |
|
|
|
1dabd5 |
The length of the WMM Action frame was not properly validated and the
|
|
|
1dabd5 |
length of the information elements (int left) could end up being
|
|
|
1dabd5 |
negative. This would result in reading significantly past the stack
|
|
|
1dabd5 |
buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
|
|
|
1dabd5 |
so, resulting in segmentation fault.
|
|
|
1dabd5 |
|
|
|
1dabd5 |
This can result in an invalid frame being used for a denial of service
|
|
|
1dabd5 |
attack (hostapd process killed) against an AP with a driver that uses
|
|
|
1dabd5 |
hostapd for management frame processing (e.g., all mac80211-based
|
|
|
1dabd5 |
drivers).
|
|
|
1dabd5 |
|
|
|
1dabd5 |
Thanks to Kostya Kortchinsky of Google security team for discovering and
|
|
|
1dabd5 |
reporting this issue.
|
|
|
1dabd5 |
|
|
|
1dabd5 |
Signed-off-by: Jouni Malinen <j@w1.fi>
|
|
|
1dabd5 |
---
|
|
|
1dabd5 |
src/ap/wmm.c | 3 +++
|
|
|
1dabd5 |
1 file changed, 3 insertions(+)
|
|
|
1dabd5 |
|
|
|
1dabd5 |
diff --git a/src/ap/wmm.c b/src/ap/wmm.c
|
|
|
1dabd5 |
index 6d4177c..314e244 100644
|
|
|
1dabd5 |
--- a/src/ap/wmm.c
|
|
|
1dabd5 |
+++ b/src/ap/wmm.c
|
|
|
1dabd5 |
@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd,
|
|
|
1dabd5 |
return;
|
|
|
1dabd5 |
}
|
|
|
1dabd5 |
|
|
|
1dabd5 |
+ if (left < 0)
|
|
|
1dabd5 |
+ return; /* not a valid WMM Action frame */
|
|
|
1dabd5 |
+
|
|
|
1dabd5 |
/* extract the tspec info element */
|
|
|
1dabd5 |
if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) {
|
|
|
1dabd5 |
hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
|
|
|
1dabd5 |
--
|
|
|
1dabd5 |
1.9.1
|
|
|
1dabd5 |
|