bc4d60fcc18c165e11e3a322bc064b6b18eaffed
[openwrt/staging/robimarko.git] /
1 From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001
2 From: Jouni Malinen <j@w1.fi>
3 Date: Wed, 29 Apr 2015 02:21:53 +0300
4 Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser
5
6 The length of the WMM Action frame was not properly validated and the
7 length of the information elements (int left) could end up being
8 negative. This would result in reading significantly past the stack
9 buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
10 so, resulting in segmentation fault.
11
12 This can result in an invalid frame being used for a denial of service
13 attack (hostapd process killed) against an AP with a driver that uses
14 hostapd for management frame processing (e.g., all mac80211-based
15 drivers).
16
17 Thanks to Kostya Kortchinsky of Google security team for discovering and
18 reporting this issue.
19
20 Signed-off-by: Jouni Malinen <j@w1.fi>
21 ---
22 src/ap/wmm.c | 3 +++
23 1 file changed, 3 insertions(+)
24
25 --- a/src/ap/wmm.c
26 +++ b/src/ap/wmm.c
27 @@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_d
28 return;
29 }
30
31 + if (left < 0)
32 + return; /* not a valid WMM Action frame */
33 +
34 /* extract the tspec info element */
35 if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) {
36 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,