apply fix for underflow in WMM action frame parser
This commit is contained in:
John W. Linville
parent
109f9abd55
commit
e7af6e8134
@ -0,0 +1,41 @@
|
||||
From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001
|
||||
From: Jouni Malinen <j@w1.fi>
|
||||
Date: Wed, 29 Apr 2015 02:21:53 +0300
|
||||
Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser
|
||||
|
||||
The length of the WMM Action frame was not properly validated and the
|
||||
length of the information elements (int left) could end up being
|
||||
negative. This would result in reading significantly past the stack
|
||||
buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
|
||||
so, resulting in segmentation fault.
|
||||
|
||||
This can result in an invalid frame being used for a denial of service
|
||||
attack (hostapd process killed) against an AP with a driver that uses
|
||||
hostapd for management frame processing (e.g., all mac80211-based
|
||||
drivers).
|
||||
|
||||
Thanks to Kostya Kortchinsky of Google security team for discovering and
|
||||
reporting this issue.
|
||||
|
||||
Signed-off-by: Jouni Malinen <j@w1.fi>
|
||||
---
|
||||
src/ap/wmm.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/src/ap/wmm.c b/src/ap/wmm.c
|
||||
index 6d4177c..314e244 100644
|
||||
--- a/src/ap/wmm.c
|
||||
+++ b/src/ap/wmm.c
|
||||
@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd,
|
||||
return;
|
||||
}
|
||||
|
||||
+ if (left < 0)
|
||||
+ return; /* not a valid WMM Action frame */
|
||||
+
|
||||
/* extract the tspec info element */
|
||||
if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) {
|
||||
hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
|
||||
--
|
||||
1.9.1
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
|
||||
Name: hostapd
|
||||
Version: 2.4
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Summary: IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
|
||||
License: BSD
|
||||
URL: http://w1.fi/hostapd
|
||||
@ -13,6 +13,7 @@ Source2: %{name}.conf
|
||||
Source3: %{name}.sysconfig
|
||||
Source4: %{name}.init
|
||||
Patch0: %{name}-EAP-TLS-server-Fix-TLS-Message-Length-validation.patch
|
||||
Patch1: %{name}-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
|
||||
|
||||
BuildRequires: libnl3-devel
|
||||
BuildRequires: openssl-devel
|
||||
@ -54,6 +55,8 @@ Logwatch scripts for hostapd.
|
||||
# git://w1.fi/srv/git/hostap.git
|
||||
# commit 586c446e0ff42ae00315b014924ec669023bd8de
|
||||
%patch0 -p1 -b .message_length
|
||||
# commit ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae
|
||||
%patch1 -p1 -b .wmm_underflow
|
||||
|
||||
%build
|
||||
cd hostapd
|
||||
@ -172,6 +175,9 @@ fi
|
||||
%{_sysconfdir}/logwatch/scripts/services/%{name}
|
||||
|
||||
%changelog
|
||||
* Fri May 15 2015 John W. Linville <linville@redhat.com> - 2.4-2
|
||||
- apply fix for underflow in WMM action frame parser
|
||||
|
||||
* Tue Apr 21 2015 John W. Linville <linville@redhat.com> - 2.4-1
|
||||
- Update to version 2.4 from upstream
|
||||
- Enable support for IEEE802.11r and IEEE802.11ac
|
||||
|
||||
Loading…
Reference in New Issue
Block a user