| From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001 |
| From: Jouni Malinen <j@w1.fi> |
| Date: Wed, 29 Apr 2015 02:21:53 +0300 |
| Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser |
| |
| The length of the WMM Action frame was not properly validated and the |
| length of the information elements (int left) could end up being |
| negative. This would result in reading significantly past the stack |
| buffer while parsing the IEs in ieee802_11_parse_elems() and while doing |
| so, resulting in a segmentation fault. |
| |
| This can result in an invalid frame being used for a denial of service |
| attack (hostapd process killed) against an AP with a driver that uses |
| hostapd for management frame processing (e.g., all mac80211-based |
| drivers). |
| |
| Thanks to Kostya Kortchinsky of Google security team for discovering and |
| reporting this issue. |
| |
| Signed-off-by: Jouni Malinen <j@w1.fi> |
| Signed-off-by: Baruch Siach <baruch@tkos.co.il> |
| --- |
| src/ap/wmm.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
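The mechanism the commit message describes, as an added example that is not hostapd's code: a signed "bytes left" value computed from an unchecked frame length goes negative and, once handed to a parser that takes an unsigned length, becomes a huge count that walks off the end of the buffer. All function names (wmm_action_left, as_parse_len, parse_ies, handle_wmm_action) and the sample frames are constructed for this illustration; the 24-byte management header and 4 fixed WMM Action bytes are the sizes the arithmetic assumes.

```c
/*
 * Added example, not hostapd code. Shows why a signed remaining-length
 * value must be range-checked before it reaches a parser that takes an
 * unsigned length. Helper names and sample frames are constructed here.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IEEE80211_HDRLEN 24   /* 802.11 management frame header (assumed) */
#define WMM_ACTION_FIXED 4    /* category, action, dialog token, status */
#define WMM_ACTION_MIN   (IEEE80211_HDRLEN + WMM_ACTION_FIXED)

/* Constructed frame: 24-byte header, 4 fixed bytes, one 7-byte vendor IE. */
static const uint8_t sample_frame[] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x11, 0x02, 0x01, 0x00,              /* fixed fields, values illustrative */
    0xdd, 0x05, 0x00, 0x50, 0xf2, 0x02, 0x02  /* IE id, len, 5 payload bytes */
};
static const size_t sample_frame_len = sizeof(sample_frame);

/* Constructed frame whose only IE claims more bytes than remain. */
static const uint8_t sample_bad_ie[] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x11, 0x02, 0x01, 0x00,
    0xdd, 0x05                           /* length 5, but nothing follows */
};
static const size_t sample_bad_ie_len = sizeof(sample_bad_ie);

/* Signed remaining length, computed the way the unfixed code effectively did. */
static int wmm_action_left(size_t frame_len)
{
    return (int)frame_len - WMM_ACTION_MIN;
}

/* The value a parser declared with a size_t length parameter receives. */
static size_t as_parse_len(int left)
{
    return (size_t)left;   /* -2 becomes SIZE_MAX - 1 */
}

/* Bounded IE walk: 0 and IE count on success, -1 if an IE is truncated. */
static int parse_ies(const uint8_t *pos, size_t len, int *count)
{
    int n = 0;
    while (len >= 2) {
        size_t ie_len = pos[1];
        if (ie_len > len - 2)
            return -1;                   /* IE runs past the buffer */
        n++;
        pos += 2 + ie_len;
        len -= 2 + ie_len;
    }
    if (len != 0)
        return -1;                       /* dangling id byte without a length */
    *count = n;
    return 0;
}

/* Fixed handler: reject the frame before the length is ever made unsigned. */
static int handle_wmm_action(const uint8_t *frame, size_t frame_len, int *count)
{
    int left = wmm_action_left(frame_len);
    if (left < 0)
        return -1;                       /* not a valid WMM Action frame */
    return parse_ies(frame + WMM_ACTION_MIN, (size_t)left, count);
}

int main(void)
{
    int n = 0;
    printf("left for a 26-byte frame: %d -> as size_t: %zu\n",
           wmm_action_left(26), as_parse_len(wmm_action_left(26)));
    printf("26-byte frame: %d\n", handle_wmm_action(sample_frame, 26, &n));
    printf("full frame: %d, IEs=%d\n",
           handle_wmm_action(sample_frame, sample_frame_len, &n), n);
    printf("truncated IE: %d\n",
           handle_wmm_action(sample_bad_ie, sample_bad_ie_len, &n));
    return 0;
}
```

The order matters: the `left < 0` test has to sit on the signed value, before the call site converts it, because after conversion the parser sees an enormous but perfectly "valid" length and has no way to tell.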
| |
| diff --git a/src/ap/wmm.c b/src/ap/wmm.c |
| index 6d4177c2a847..314e244bc956 100644 |
| --- a/src/ap/wmm.c |
| +++ b/src/ap/wmm.c |
| @@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd, |
| return; |
| } |
| |
| + if (left < 0) |
| + return; /* not a valid WMM Action frame */ |
| + |
| /* extract the tspec info element */ |
| if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) { |
| hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, |
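Review bot: the new check at `if (left < 0)` returns silently, while the parse-failure path immediately below it logs through hostapd_logger(); since a negative `left` is exactly the malformed-frame case the commit message describes, consider logging it the same way so a flood of short WMM Action frames is visible to the operator. The comment `/* not a valid WMM Action frame */` would also be more useful if it said why the sign matters: `left` is signed and a negative value passed on as the IE length is what produced the out-of-bounds read. If `left` is derived from the frame length earlier in hostapd_wmm_action() than this hunk shows, placing the check at the point of computation (rather than just before ieee802_11_parse_elems()) would protect any other use of `left` between the two.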
| -- |
| 2.1.4 |
| |