rpms/hostapd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

apply fix for underflow in WMM action frame parser

Browse Source
This commit is contained in:
John W. Linville 2015-05-15 13:53:08 -04:00
parent 109f9abd55
commit e7af6e8134
2 changed files with 48 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
hostapd-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch Normal file
View File

@ -0,0 +1,41 @@
From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Wed, 29 Apr 2015 02:21:53 +0300
Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser
The length of the WMM Action frame was not properly validated and the
length of the information elements (int left) could end up being
negative. This would result in reading significantly past the stack
buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
so, resulting in segmentation fault.
This can result in an invalid frame being used for a denial of service
attack (hostapd process killed) against an AP with a driver that uses
hostapd for management frame processing (e.g., all mac80211-based
drivers).
Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/ap/wmm.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/ap/wmm.c b/src/ap/wmm.c
index 6d4177c..314e244 100644
--- a/src/ap/wmm.c
+++ b/src/ap/wmm.c
@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd,
return;
}
+ if (left < 0)
+ return; /* not a valid WMM Action frame */
+
/* extract the tspec info element */
if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) {
hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
--
1.9.1

8
hostapd.spec
View File

@ -2,7 +2,7 @@
Name: hostapd Name: hostapd
Version: 2.4 Version: 2.4
Release: 1%{?dist} Release: 2%{?dist}
Summary: IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator Summary: IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
License: BSD License: BSD
URL: http://w1.fi/hostapd URL: http://w1.fi/hostapd
@ -13,6 +13,7 @@ Source2: %{name}.conf
Source3: %{name}.sysconfig Source3: %{name}.sysconfig
Source4: %{name}.init Source4: %{name}.init
Patch0: %{name}-EAP-TLS-server-Fix-TLS-Message-Length-validation.patch Patch0: %{name}-EAP-TLS-server-Fix-TLS-Message-Length-validation.patch
Patch1: %{name}-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
BuildRequires: libnl3-devel BuildRequires: libnl3-devel
BuildRequires: openssl-devel BuildRequires: openssl-devel
@ -54,6 +55,8 @@ Logwatch scripts for hostapd.
# git://w1.fi/srv/git/hostap.git # git://w1.fi/srv/git/hostap.git
# commit 586c446e0ff42ae00315b014924ec669023bd8de # commit 586c446e0ff42ae00315b014924ec669023bd8de
%patch0 -p1 -b .message_length %patch0 -p1 -b .message_length
# commit ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae
%patch1 -p1 -b .wmm_underflow
%build %build
cd hostapd cd hostapd
@ -172,6 +175,9 @@ fi
%{_sysconfdir}/logwatch/scripts/services/%{name} %{_sysconfdir}/logwatch/scripts/services/%{name}
%changelog %changelog
* Fri May 15 2015 John W. Linville <linville@redhat.com> - 2.4-2
- apply fix for underflow in WMM action frame parser
* Tue Apr 21 2015 John W. Linville <linville@redhat.com> - 2.4-1 * Tue Apr 21 2015 John W. Linville <linville@redhat.com> - 2.4-1
- Update to version 2.4 from upstream - Update to version 2.4 from upstream
- Enable support for IEEE802.11r and IEEE802.11ac - Enable support for IEEE802.11r and IEEE802.11ac