hostapd: fix remote denial of service vulnerability in WMM action frame parsing

Signed-off-by: Felix Fietkau <>

Backport of r45619

git-svn-id: svn:// 3c298f89-4303-0410-b956-a3cf2f4a3e73
This commit is contained in:
nbd 2015-05-06 09:47:05 +00:00
parent 229d60fdb4
commit 179bab8b17
2 changed files with 37 additions and 1 deletions

View File

@ -9,7 +9,7 @@ include $(TOPDIR)/

View File

@ -0,0 +1,36 @@
From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001
From: Jouni Malinen <>
Date: Wed, 29 Apr 2015 02:21:53 +0300
Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser
The length of the WMM Action frame was not properly validated and the
length of the information elements (int left) could end up being
negative. This would result in reading significantly past the stack
buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
so, resulting in segmentation fault.
This can result in an invalid frame being used for a denial of service
attack (hostapd process killed) against an AP with a driver that uses
hostapd for management frame processing (e.g., all mac80211-based
Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.
Signed-off-by: Jouni Malinen <>
src/ap/wmm.c | 3 +++
1 file changed, 3 insertions(+)
--- a/src/ap/wmm.c
+++ b/src/ap/wmm.c
@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_d
+ if (left < 0)
+ return; /* not a valid WMM Action frame */
/* extract the tspec info element */
if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) {
hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,