The length of the WMM Action frame was not properly validated and the

length of the information elements (int left) could end up being negative. This would result in reading significantly past the stack buffer while parsing the IEs in ieee802_11_parse_elems() and while doing so, resulting in segmentation fault. This can result in an invalid frame being used for a denial of service attack (hostapd process killed) against an AP with a driver that uses hostapd for management frame processing (e.g., all mac80211-based drivers). Thanks to Kostya Kortchinsky of Google security team for discovering and reporting this issue. XXX: pullup-7
2015-05-09 19:35:15 +00:00 · 2015-05-09 19:35:15 +00:00 · c23d0f7f66
parent e4bfca3a3e
commit c23d0f7f66
1 changed files with 3 additions and 0 deletions
--- a/external/bsd/wpa/dist/src/ap/wmm.c
+++ b/external/bsd/wpa/dist/src/ap/wmm.c
@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd,
 		return;
 	}

+	if (left < 0)
+		return; /* not a valid WMM Action frame */
+
 	/* extract the tspec info element */
 	if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) {
 		hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,