author: Jouni Malinen <j@w1.fi> 2015-04-29 02:21:53 +0300
committer: Gerrit - the friendly Code Review server <code-review@localhost> 2015-05-31 16:05:03 -0700
commit: d63bdf8648712f808ef0484e08cbb3f794c86294 (patch)
tree: ae3088124d3c5fe4684b160fd93adbaeae3eb04e
parent: db9f9857e6dd275fdaf85b03a8061b8054dc9e41 (diff)
AP WMM: Fix integer underflow in WMM Action frame parser.
The length of the WMM Action frame was not properly validated and the length of the information elements (int left) could end up being negative. This would result in reading significantly past the stack buffer while parsing the IEs in ieee802_11_parse_elems() and while doing so, resulting in segmentation fault.

This can result in an invalid frame being used for a denial of service attack (hostapd process killed) against an AP with a driver that uses hostapd for management frame processing (e.g., all mac80211-based drivers).

Thanks to Kostya Kortchinsky of Google security team for discovering and reporting this issue.

CRs-Fixed: 833592
Git-commit: ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae
Git-repo: git://w1.fi/srv/git/hostap.git
Signed-off-by: Jouni Malinen <j@w1.fi>
Change-Id: I833b47fe9d46a71efa8bdefae1e9e75204382fec
-rw-r--r-- src/ap/wmm.c | 3 +++
1 file changed, 3 insertions(+), 0 deletions(-)
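The commit message above describes the failure mode in one sentence: a signed "bytes left" count derived from an untrusted frame length goes negative, and the IE parser then treats it as a huge unsigned length. The following is an added example, not hostapd code, that models this shape in C. The Action frame layout (a 4-byte header of category, action, dialog token and status, followed by information elements), the element id used for the TSPEC, and the sample frames are all assumptions constructed for the example. The unchecked handler deliberately stops short of calling the parser with a negative count, because performing the out-of-bounds read would be undefined behaviour; instead it reports the length the parser would have been handed. The checked handler validates the frame length before the subtraction, which has the same effect as the committed `if (left < 0)` guard.

```c
/* Added example, not hostapd code. Layout, element id and sample frames are
 * assumptions made for illustration only. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed body layout after the 802.11 MAC header:
 *   Category(1) | Action(1) | Dialog Token(1) | Status Code(1) | IEs ... */
#define WMM_ACTION_HDR_LEN 4
#define EID_VENDOR_SPECIFIC 221   /* the TSPEC is carried in a vendor IE here */

struct elems {
    const uint8_t *tspec;   /* payload of the first vendor-specific element */
    size_t tspec_len;
    int n_elems;            /* elements walked */
};

/* Minimal (id, len, payload) element walker in the style of an 802.11 IE
 * parser. It trusts 'left' completely, which is exactly the property the
 * commit message describes. Returns 0 on success, -1 on a malformed body. */
static int parse_elems(const uint8_t *pos, size_t left, struct elems *out)
{
    out->tspec = NULL;
    out->tspec_len = 0;
    out->n_elems = 0;
    while (left >= 2) {
        uint8_t id = pos[0], elen = pos[1];
        pos += 2;
        left -= 2;
        if (elen > left)
            return -1;          /* element claims more bytes than remain */
        if (id == EID_VENDOR_SPECIFIC && out->tspec == NULL) {
            out->tspec = pos;
            out->tspec_len = elen;
        }
        out->n_elems++;
        pos += elen;
        left -= elen;
    }
    return left == 0 ? 0 : -1;  /* a dangling byte is also malformed */
}

/* Pre-fix shape: 'left' is a signed int computed from the frame length with
 * no check that the header actually fit. 'seen_by_parser' receives the value
 * the size_t parameter of parse_elems would get after implicit conversion.
 * Returns 0 on success, -1 on parse failure, -2 where the unchecked code
 * would have read far past the buffer (not performed here: it is UB). */
static int wmm_action_unchecked(const uint8_t *frame, size_t len,
                                struct elems *elems, size_t *seen_by_parser)
{
    int left = (int)len - WMM_ACTION_HDR_LEN;   /* underflows for len < 4 */
    *seen_by_parser = (size_t)left;             /* e.g. -2 -> SIZE_MAX - 1 */
    if (left < 0)
        return -2;
    return parse_elems(frame + WMM_ACTION_HDR_LEN, (size_t)left, elems);
}

/* Hardened shape: reject the frame before the subtraction can underflow and
 * keep the remaining length unsigned so no signed/unsigned conversion happens
 * at the parser call. Returns 0 on success, -1 on an invalid frame. */
static int wmm_action_checked(const uint8_t *frame, size_t len,
                              struct elems *elems)
{
    if (len < WMM_ACTION_HDR_LEN)
        return -1;              /* not a valid WMM Action frame */
    size_t left = len - WMM_ACTION_HDR_LEN;
    return parse_elems(frame + WMM_ACTION_HDR_LEN, left, elems);
}

/* Constructed sample frames (not captured traffic). Category/action/token/
 * status bytes and the short vendor payload are placeholders. */
static const uint8_t good_frame[] = {
    0x11, 0x00, 0x01, 0x00,                         /* assumed 4-byte header */
    0xdd, 0x06, 0x00, 0x50, 0xf2, 0x02, 0x02, 0x01  /* vendor IE, 6-byte body */
};
static const uint8_t short_frame[] = { 0x11, 0x00 }; /* header does not fit */
static const uint8_t truncated_ie_frame[] = {
    0x11, 0x00, 0x01, 0x00,
    0xdd, 0x20                                      /* claims 32 bytes, has 0 */
};

int main(void)
{
    struct elems e;
    size_t seen;
    int rc = wmm_action_unchecked(short_frame, sizeof short_frame, &e, &seen);
    printf("unchecked, 2-byte frame: rc=%d, parser would get len=%zu\n", rc, seen);
    printf("checked,   2-byte frame: rc=%d\n",
           wmm_action_checked(short_frame, sizeof short_frame, &e));
    printf("checked,   truncated IE: rc=%d\n",
           wmm_action_checked(truncated_ie_frame, sizeof truncated_ie_frame, &e));
    rc = wmm_action_checked(good_frame, sizeof good_frame, &e);
    printf("checked,   good frame:   rc=%d, elems=%d, tspec_len=%zu\n",
           rc, e.n_elems, e.tspec_len);
    return 0;
}
```

The two failure paths are distinct and worth keeping distinct in production code: a frame too short to hold the fixed header is a length-validation failure on the outer frame, while an element whose length byte overruns the body is a parse failure inside the IE walk. The committed fix addresses the first; the `ParseFailed` branch visible in the hunk already handled the second.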
diff --git a/src/ap/wmm.c b/src/ap/wmm.c
index 6d4177c2..314e244b 100644
--- a/src/ap/wmm.c
+++ b/src/ap/wmm.c
@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd,
return;
}
+ if (left < 0)
+ return; /* not a valid WMM Action frame */
+
/* extract the tspec info element */
if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) {
hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
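Review bot: the new `if (left < 0) return;` at the top of the hunk drops the truncated frame silently, while the check immediately below it (`ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed`) reports through hostapd_logger; a frame short enough to underflow the length is at least as worth logging as one with a bad element, and emitting a hostapd_logger message under the same HOSTAPD_MODULE_IEEE80211 module on this path gives operators a signal for the denial-of-service attempt the commit message describes. Two further points: the guard admits `left == 0`, so a body with no elements at all still reaches parse_elems with length 0 and the TSPEC extraction that follows; if the code after the hunk requires the element, an explicit minimum-length check (`left <= 0`, or a comparison against the expected header plus element size) is the tighter condition and should be stated in the comment rather than just "not a valid WMM Action frame". And since the commit message attributes the over-read to a negative int being consumed as a length, the more robust shape is to validate the frame length before computing `left` and keep it unsigned, so the signed-to-unsigned conversion at the parse_elems call disappears instead of being caught one line earlier.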