Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500
Upstream-Status: Backport

Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>

From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Wed, 29 Apr 2015 02:21:53 +0300
Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser

The length of the WMM Action frame was not properly validated and the
length of the information elements (int left) could end up being
negative. This would result in reading significantly past the stack
buffer while parsing the IEs in ieee802_11_parse_elems() and, while doing
so, resulting in a segmentation fault.

This can result in an invalid frame being used for a denial of service
attack (hostapd process killed) against an AP with a driver that uses
hostapd for management frame processing (e.g., all mac80211-based
drivers).

Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 src/ap/wmm.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/ap/wmm.c b/src/ap/wmm.c
index 6d4177c..314e244 100644
--- a/src/ap/wmm.c
+++ b/src/ap/wmm.c
@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd,
return;
}

+ if (left < 0)
+ return; /* not a valid WMM Action frame */
+
/* extract the tspec info element */
if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) {
hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
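Review bot: the new `if (left < 0) return;` guard discards the malformed frame silently, while the ParseFailed branch immediately below it reports through `hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, ...)`; consider emitting at least a debug-level log entry on this path too, so an operator whose AP is receiving truncated WMM Action frames (the denial-of-service case the commit message describes) has a trace to correlate. The guard is otherwise correct in its placement: it sits before the only consumer of `left` in this hunk, so a negative value never reaches ieee802_11_parse_elems(). As a follow-up, since `left` is a signed int derived from the frame length, validating the frame length against the minimum header size before the subtraction that produces `left` would avoid relying on the sign of an underflowed value and is easier to audit than a sign test after the fact.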
--
1.9.1