hostapd: fix remote denial of service vulnerability in WMM action frame parsing
Signed-off-by: Felix Fietkau <nbd@openwrt.org> Backport of r45619 git-svn-id: svn://svn.openwrt.org/openwrt/branches/barrier_breaker@45620 3c298f89-4303-0410-b956-a3cf2f4a3e73
This commit is contained in:
parent
229d60fdb4
commit
179bab8b17
|
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
||||||
|
|
||||||
PKG_NAME:=hostapd
|
PKG_NAME:=hostapd
|
||||||
PKG_VERSION:=2014-06-03.1
|
PKG_VERSION:=2014-06-03.1
|
||||||
PKG_RELEASE:=1
|
PKG_RELEASE:=2
|
||||||
PKG_REV:=84df167554569af8c87f0a8ac1fb508192417d8e
|
PKG_REV:=84df167554569af8c87f0a8ac1fb508192417d8e
|
||||||
|
|
||||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
|
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
|
||||||
|
|
|
@ -0,0 +1,36 @@
|
||||||
|
From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jouni Malinen <j@w1.fi>
|
||||||
|
Date: Wed, 29 Apr 2015 02:21:53 +0300
|
||||||
|
Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser
|
||||||
|
|
||||||
|
The length of the WMM Action frame was not properly validated and the
|
||||||
|
length of the information elements (int left) could end up being
|
||||||
|
negative. This would result in reading significantly past the stack
|
||||||
|
buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
|
||||||
|
so, resulting in segmentation fault.
|
||||||
|
|
||||||
|
This can result in an invalid frame being used for a denial of service
|
||||||
|
attack (hostapd process killed) against an AP with a driver that uses
|
||||||
|
hostapd for management frame processing (e.g., all mac80211-based
|
||||||
|
drivers).
|
||||||
|
|
||||||
|
Thanks to Kostya Kortchinsky of Google security team for discovering and
|
||||||
|
reporting this issue.
|
||||||
|
|
||||||
|
Signed-off-by: Jouni Malinen <j@w1.fi>
|
||||||
|
---
|
||||||
|
src/ap/wmm.c | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
--- a/src/ap/wmm.c
|
||||||
|
+++ b/src/ap/wmm.c
|
||||||
|
@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_d
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (left < 0)
|
||||||
|
+ return; /* not a valid WMM Action frame */
|
||||||
|
+
|
||||||
|
/* extract the tspec info element */
|
||||||
|
if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) {
|
||||||
|
hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
|
Loading…
Reference in New Issue