[OE-core] [PATCH] wpa-supplicant: Fix CVE-2015-4142

Burton, Ross ross.burton at intel.com
Fri Jun 26 15:19:32 UTC 2015


On 26 June 2015 at 09:05, fan.xin <fan.xin at jp.fujitsu.com> wrote:

> +From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001
> +From: Jouni Malinen <j at w1.fi>
> +Date: Wed, 29 Apr 2015 02:21:53 +0300
> +Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser
> +
> +The length of the WMM Action frame was not properly validated and the
> +length of the information elements (int left) could end up being
> +negative. This would result in reading significantly past the stack
> +buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
> +so, resulting in segmentation fault.
> +
> +This can result in an invalid frame being used for a denial of service
> +attack (hostapd process killed) against an AP with a driver that uses
> +hostapd for management frame processing (e.g., all mac80211-based
> +drivers).
> +
> +Thanks to Kostya Kortchinsky of Google security team for discovering and
> +reporting this issue.
> +
> +Signed-off-by: Jouni Malinen <j at w1.fi>
>
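Review bot: the quoted patch header, from the "From ef566a4d..." line through the upstream Signed-off-by, never names CVE-2015-4142; the identifier appears only in the mail subject. Add a line to the header that names the CVE so the patch file can be matched to the advisory without the commit log. The description also speaks only of hostapd being killed on an AP, while the recipe being patched is wpa-supplicant, so a sentence in the header on how the affected parser is reached in this recipe would help anyone triaging the fix later.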

This patch needs an Upstream-Status (backport?) and Signed-off-by in the
patch header.

Ross