CVS commit: src/external/bsd/wpa/dist/src/ap

To: source-changes%NetBSD.org@localhost
Subject: CVS commit: src/external/bsd/wpa/dist/src/ap
From: "Christos Zoulas" <christos%netbsd.org@localhost>
Date: Sat, 9 May 2015 15:35:15 -0400

Module Name:    src
Committed By:   christos
Date:           Sat May  9 19:35:15 UTC 2015

Modified Files:
        src/external/bsd/wpa/dist/src/ap: wmm.c

Log Message:
The length of the WMM Action frame was not properly validated and the
length of the information elements (int left) could end up being
negative. This would result in reading significantly past the stack
buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
so, resulting in segmentation fault.

This can result in an invalid frame being used for a denial of service
attack (hostapd process killed) against an AP with a driver that uses
hostapd for management frame processing (e.g., all mac80211-based
drivers).

Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.

XXX: pullup-7


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.4 -r1.2 src/external/bsd/wpa/dist/src/ap/wmm.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Prev by Date: CVS commit: src/external/bsd/wpa/dist/src/wps
Next by Date: CVS commit: src/external/bsd/wpa/dist/src/eap_peer
Previous by Thread: CVS commit: src/external/bsd/wpa/dist/src/wps
Next by Thread: CVS commit: src/external/bsd/wpa/dist/src/eap_peer
Indexes:

Home | Main Index | Thread Index | Old Index