-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
Matteo Rosi wrote:
| Package: Hostapd
| Version: 0.3.7-2
| Severity: critical
| Tags: security, patch, sarge
|
| Description:
| An invalid value, in a field of EAPoL frame, causes a segmentation fault
| error in hostapd daemon.
|
| We found it using Stress: a software for protocol implementation testing
| and security testing, you can find it at
|
| http://lart.det.unifi.it/Members/rosi/stress
Thanks for the detailed report.
Security team, please advise and/or upload. I believe the severity is
inflated, as this is just a DoS on the program, but I'm leaving it to
you to lower it.
Attached is a patch doing exactly what Matteo said, copied from upstream
and compile tested.
The version in sid/etch (0.5.0-1) is unaffected by this issue.
Regards,
Faidon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEWQNsVty5d8XpUzMRAo8eAJ4kO2KQyGrNq5/R61hPojr72eV8lwCeI/e4
Eb1KKoaCKxSB7zL27FvY/XM=
=T51f
-----END PGP SIGNATURE-----
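The defect the report describes is a key_data_length field that is trusted without being compared against the bytes actually received. The following is an added example, not code from the report, from the attached patch, or from hostapd itself: it parses a constructed EAPOL-Key frame with its own simplified header layouts (modelled on the 802.1X header and the EAPOL-Key descriptor, but not hostapd's struct declarations) and shows the two checks a receiver needs, one that the frame is long enough to hold the fixed headers at all, and one that the claimed key data length fits in what remains. The first check matters because the second is an unsigned subtraction that would otherwise wrap.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Header layouts used by this example. They follow the 802.1X / EAPOL-Key
 * wire format but are this example's own definitions, not hostapd's. */
struct eapol_hdr {
    uint8_t  version;
    uint8_t  type;            /* 3 = EAPOL-Key */
    uint16_t length;          /* network byte order, body length */
} __attribute__((packed));

struct eapol_key {
    uint8_t  type;            /* key descriptor type */
    uint16_t key_info;        /* network byte order */
    uint16_t key_length;
    uint8_t  replay_counter[8];
    uint8_t  key_nonce[32];
    uint8_t  key_iv[16];
    uint8_t  key_rsc[8];
    uint8_t  key_id[8];
    uint8_t  key_mic[16];
    uint16_t key_data_length; /* network byte order, key data follows */
} __attribute__((packed));

enum { KEY_OK = 0, KEY_ERR_TOO_SHORT = -1, KEY_ERR_DATA_OVERFLOW = -2 };

/* Validate an EAPOL-Key frame of data_len received bytes. On success the
 * verified key data length is stored in *key_data_len_out (may be NULL). */
int validate_eapol_key(const uint8_t *frame, size_t data_len,
                       size_t *key_data_len_out)
{
    const struct eapol_hdr *hdr;
    const struct eapol_key *key;
    size_t key_data_len;

    /* Check 1: enough bytes for both fixed headers. Without this the
     * subtraction in check 2 wraps around for short frames and the bound
     * below would accept anything. */
    if (data_len < sizeof(*hdr) + sizeof(*key))
        return KEY_ERR_TOO_SHORT;

    hdr = (const struct eapol_hdr *) frame;
    key = (const struct eapol_key *) (hdr + 1);
    key_data_len = ntohs(key->key_data_length);

    /* Check 2: the claimed key data must fit in the bytes that follow the
     * fixed headers; this is the bound the report's patch adds. */
    if (key_data_len > data_len - sizeof(*hdr) - sizeof(*key))
        return KEY_ERR_DATA_OVERFLOW;

    if (key_data_len_out)
        *key_data_len_out = key_data_len;
    return KEY_OK;
}

/* Build a constructed test frame: both headers, then actual_len bytes of
 * filler key data, while the key_data_length field claims claimed_len.
 * Returns the total frame length, or 0 if the buffer is too small. */
size_t build_frame(uint8_t *buf, size_t bufsz,
                   uint16_t claimed_len, size_t actual_len)
{
    struct eapol_hdr hdr = { 2, 3, 0 };
    struct eapol_key key;
    size_t total = sizeof(hdr) + sizeof(key) + actual_len;

    if (total > bufsz)
        return 0;
    memset(&key, 0, sizeof(key));
    key.type = 2;                          /* arbitrary descriptor type */
    key.key_data_length = htons(claimed_len);
    hdr.length = htons((uint16_t) (sizeof(key) + actual_len));
    memcpy(buf, &hdr, sizeof(hdr));
    memcpy(buf + sizeof(hdr), &key, sizeof(key));
    memset(buf + sizeof(hdr) + sizeof(key), 0xdd, actual_len);
    return total;
}

int main(void)
{
    uint8_t buf[256];
    size_t n, kdl = 0;

    n = build_frame(buf, sizeof buf, 4, 4);
    printf("consistent frame: %d (key data %zu bytes)\n",
           validate_eapol_key(buf, n, &kdl), kdl);
    n = build_frame(buf, sizeof buf, 0xffff, 4);
    printf("oversized key_data_length: %d\n", validate_eapol_key(buf, n, NULL));
    printf("truncated frame: %d\n", validate_eapol_key(buf, 10, NULL));
    return 0;
}
```

The three cases are the ones a receiver has to survive: a consistent frame, a frame whose length field claims far more key data than was received (the class of input the report describes), and a frame too short to contain the headers at all.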
--- hostapd-0.3.7/wpa.c~ 2005-01-24 05:36:45.000000000 +0200
+++ hostapd-0.3.7/wpa.c 2005-12-18 01:02:03.000000000 +0200
@@ -1414,6 +1642,14 @@
key = (struct wpa_eapol_key *) (hdr + 1);
key_info = ntohs(key->key_info);
key_data_length = ntohs(key->key_data_length);
+ if (key_data_length > data_len - sizeof(*hdr) - sizeof(*key)) {
+ wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
+ "key_data overflow (%d > %lu)",
+ key_data_length,
+ (unsigned long) (data_len - sizeof(*hdr) -
+ sizeof(*key)));
+ return;
+ }
/* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
* are set */
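Review bot: the new bound `key_data_length > data_len - sizeof(*hdr) - sizeof(*key)` is only meaningful if an earlier check has already established `data_len >= sizeof(*hdr) + sizeof(*key)`; otherwise the unsigned subtraction wraps for a short frame and the comparison never fires. That prerequisite check is not visible in this hunk, so please confirm it exists before the `key = (struct wpa_eapol_key *) (hdr + 1);` line in the 0.3.7 source. Also note the hunk header `@@ -1414,6 +1642,14 @@` shows the patch was lifted from a file with different line offsets, so it is worth checking that it applied at the intended spot in wpa.c rather than at another matching context.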