linville pushed to hostapd (el6). "apply fix for underflow in WMM action frame parser"
notifications at fedoraproject.org
notifications at fedoraproject.org
Fri May 15 18:59:18 UTC 2015
From 7c2fc7535b266f394169b69a3a41762e5f831d37 Mon Sep 17 00:00:00 2001
From: "John W. Linville" <linville at tuxdriver.com>
Date: Fri, 15 May 2015 14:59:01 -0400
Subject: apply fix for underflow in WMM action frame parser
diff --git a/hostapd-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch b/hostapd-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
new file mode 100644
index 0000000..79c5af8
--- /dev/null
+++ b/hostapd-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
@@ -0,0 +1,41 @@
+From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j at w1.fi>
+Date: Wed, 29 Apr 2015 02:21:53 +0300
+Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser
+
+The length of the WMM Action frame was not properly validated and the
+length of the information elements (int left) could end up being
+negative. This would result in reading significantly past the stack
+buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
+so, resulting in segmentation fault.
+
+This can result in an invalid frame being used for a denial of service
+attack (hostapd process killed) against an AP with a driver that uses
+hostapd for management frame processing (e.g., all mac80211-based
+drivers).
+
+Thanks to Kostya Kortchinsky of Google security team for discovering and
+reporting this issue.
+
+Signed-off-by: Jouni Malinen <j at w1.fi>
+---
+ src/ap/wmm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/ap/wmm.c b/src/ap/wmm.c
+index 6d4177c..314e244 100644
+--- a/src/ap/wmm.c
++++ b/src/ap/wmm.c
+@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd,
+ return;
+ }
+
++ if (left < 0)
++ return; /* not a valid WMM Action frame */
++
+ /* extract the tspec info element */
+ if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) {
+ hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
+--
+1.9.1
+
diff --git a/hostapd.spec b/hostapd.spec
index d336a04..c62d68b 100644
--- a/hostapd.spec
+++ b/hostapd.spec
@@ -2,7 +2,7 @@
Name: hostapd
Version: 2.0
-Release: 5%{?dist}
+Release: 6%{?dist}
Summary: IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
License: BSD
URL: http://w1.fi/hostapd
@@ -16,6 +16,7 @@ Patch0: %{name}-RPM_OPT_FLAGS.patch
Patch1: %{name}-EAP-TLS-server-Fix-TLS-Message-Length-validation.patch
Patch2: %{name}-Add-os_exec-helper-to-run-external-programs.patch
Patch3: %{name}-hostapd_cli-Use-os_exec-for-action-script-execution.patch
+Patch4: %{name}-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
BuildRequires: libnl-devel >= 1.1
@@ -67,6 +68,10 @@ Logwatch scripts for hostapd.
%patch2 -p1
%patch3 -p1
+# git://w1.fi/srv/git/hostap.git
+# commit ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae
+%patch4 -p1 -b .wmm_underflow
+
# Prepare default config file
cat %{SOURCE2} | sed -e 's/HOSTAPD_VERSION/'%{version}'/' > %{name}.conf
@@ -178,6 +183,9 @@ fi
%{_sysconfdir}/logwatch/scripts/services/%{name}
%changelog
+* Fri May 15 2015 John W. Linville <linville at redhat.com> - 2.0-6
+- apply fix for underflow in WMM action frame parser
+
* Thu Oct 23 2014 John W. Linville <linville at redhat.com> - 2.0-5
- Apply fixes for CVE-2014-3686
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/hostapd.git/commit/?h=el6&id=7c2fc7535b266f394169b69a3a41762e5f831d37
More information about the scm-commits
mailing list