Bug#365897: seg fault error in hostapd

2006-05-26 Thread Faidon Liambotis
notfound 365897 0.3.7-2
found 365897 1:0.3.7-2
close 365897 1:0.3.7-2sarge1
close 365897 1:0.5.0-1
thanks

The bug is fixed both in stable (by version 1:0.3.7-2sarge1) and in
etch/unstable.

Regards,
Faidon


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#365897: seg fault error in hostapd

2006-05-04 Thread Matteo Rosi
Faidon Liambotis wrote:
 Hi,
 Matteo Rosi wrote:
 | Package: Hostapd
 | Version: 0.3.7-2
 | Severity: critical
 | Tags: security, patch, sarge

 Security team, please advise and/or upload. I believe the severity is
 inflated, as this is just a DoS on the program, but I'm leaving it to
 you to lower it.

We didn't have time to investigate it further, but the problem seems to
be related to an unchecked buffer length, so even if for now it only causes
a segfault, it might also have worse consequences.

regards,
Matteo Rosi, Leonardo Maccari

-- 
Telecommunication Network Lab,
Department of Electronics and Telecommunications, University of Florence
http://lart.det.unifi.it/









Bug#365897: seg fault error in hostapd

2006-05-03 Thread Matteo Rosi
Package: Hostapd
Version: 0.3.7-2
Severity: critical
Tags: security, patch, sarge

Description:
An invalid value in a field of an EAPOL frame causes a segmentation fault
in the hostapd daemon.

We found it using Stress, software for protocol implementation testing
and security testing; you can find it at

http://lart.det.unifi.it/Members/rosi/stress


We found the error in the wpa.c file, line 1416:

key_data_length = ntohs(key->key_data_length);

To correct it, we can take the patch made by Malinen in revision
1.71.2.1 in the CVS system:

key_data_length = ntohs(key->key_data_length);
if (key_data_length > data_len - sizeof(*hdr) - sizeof(*key)) {
	wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
		   "key_data overflow (%d > %d)",
		   key_data_length,
		   data_len - sizeof(*hdr) - sizeof(*key));
	return;
}


regards,
Matteo Rosi, Leonardo Maccari

-- 
Telecommunication Network Lab,
Department of Electronics and Telecommunications, University of Florence
http://lart.det.unifi.it/
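As an added example (not hostapd's code and not part of this report), here is a minimal C parser for an EAPOL-Key frame that applies the key_data_length bounds check described above, together with the guard that check depends on: data_len must already be known to cover the fixed headers, otherwise the size_t subtraction wraps and the comparison never fires. The struct layouts are modelled on the 802.1X header and the 802.11i EAPOL-Key descriptor but are assumptions for illustration, as are the function names (eapol_key_locate_key_data, build_test_frame, check_frame) and the constructed test frames.

```c
/* Added example, not hostapd's own code: a minimal EAPOL-Key parser that
 * applies the key_data_length bounds check described in the report.
 * Struct layouts are modelled on the 802.1X header and the 802.11i EAPOL-Key
 * descriptor, but are assumptions for this illustration, not hostapd's types. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ieee802_1x_hdr {
    uint8_t version;
    uint8_t type;
    uint8_t length[2];          /* big-endian body length */
};

struct wpa_eapol_key {
    uint8_t type;               /* descriptor type */
    uint8_t key_info[2];        /* big-endian */
    uint8_t key_length[2];
    uint8_t replay_counter[8];
    uint8_t key_nonce[32];
    uint8_t key_iv[16];
    uint8_t key_rsc[8];
    uint8_t key_id[8];
    uint8_t key_mic[16];
    uint8_t key_data_length[2]; /* big-endian; key_data follows */
};

enum {
    EAPOL_KEY_OK = 0,
    EAPOL_KEY_TOO_SHORT = -1,     /* fixed headers do not fit in data_len */
    EAPOL_KEY_DATA_OVERFLOW = -2  /* declared key_data_length exceeds the frame */
};

static uint16_t get_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Locate key_data inside an EAPOL-Key frame without ever reading past data_len. */
int eapol_key_locate_key_data(const uint8_t *data, size_t data_len,
                              const uint8_t **key_data, size_t *key_data_len)
{
    const size_t fixed = sizeof(struct ieee802_1x_hdr) + sizeof(struct wpa_eapol_key);
    const struct wpa_eapol_key *key;
    size_t declared;

    /* First guard: the fixed headers must fit. Without it the size_t
     * subtraction below would wrap and the second guard would pass trivially. */
    if (data_len < fixed)
        return EAPOL_KEY_TOO_SHORT;

    key = (const struct wpa_eapol_key *)(data + sizeof(struct ieee802_1x_hdr));
    declared = get_be16(key->key_data_length);

    /* Second guard: the check added by the hostapd fix. The declared length
     * may not exceed the bytes that actually follow the fixed headers. */
    if (declared > data_len - fixed)
        return EAPOL_KEY_DATA_OVERFLOW;

    *key_data = data + fixed;
    *key_data_len = declared;
    return EAPOL_KEY_OK;
}

/* Build a constructed test frame: declared_kdl goes into key_data_length and
 * real_kd_bytes zero bytes are actually appended. Returns total length, 0 on error. */
size_t build_test_frame(uint8_t *buf, size_t buf_size,
                        uint16_t declared_kdl, size_t real_kd_bytes)
{
    const size_t fixed = sizeof(struct ieee802_1x_hdr) + sizeof(struct wpa_eapol_key);
    size_t total = fixed + real_kd_bytes;
    if (total > buf_size)
        return 0;
    memset(buf, 0, total);
    buf[0] = 1;                                  /* 802.1X-2001 */
    buf[1] = 3;                                  /* EAPOL-Key */
    put_be16(buf + 2, (uint16_t)(total - sizeof(struct ieee802_1x_hdr)));
    buf[4] = 2;                                  /* RSN key descriptor */
    put_be16(buf + sizeof(struct ieee802_1x_hdr)
                 + offsetof(struct wpa_eapol_key, key_data_length), declared_kdl);
    return total;
}

/* Convenience: build a constructed frame and run the check; returns the result code. */
int check_frame(uint16_t declared_kdl, size_t real_kd_bytes)
{
    uint8_t buf[512];
    const uint8_t *kd;
    size_t kdl;
    size_t n = build_test_frame(buf, sizeof(buf), declared_kdl, real_kd_bytes);
    if (n == 0)
        return -99;
    return eapol_key_locate_key_data(buf, n, &kd, &kdl);
}

int main(void)
{
    uint8_t truncated[6] = { 1, 3, 0, 6, 2, 0 };  /* constructed: header only */
    const uint8_t *kd;
    size_t kdl;

    printf("consistent frame (16 declared, 16 present): %d\n", check_frame(16, 16));
    printf("declared 65535, 16 present:                 %d\n", check_frame(0xFFFF, 16));
    printf("declared 17, 16 present:                    %d\n", check_frame(17, 16));
    printf("truncated 6-byte buffer:                    %d\n",
           eapol_key_locate_key_data(truncated, sizeof(truncated), &kd, &kdl));
    return 0;
}
```

The two guards are separate on purpose: the second comparison is exactly the one in the hostapd fix, and it is only sound once the first has established that data_len - fixed cannot underflow.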




Bug#365897: seg fault error in hostapd

2006-05-03 Thread Faidon Liambotis

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
Matteo Rosi wrote:
| Package: Hostapd
| Version: 0.3.7-2
| Severity: critical
| Tags: security, patch, sarge
|
| Description:
| An invalid value in a field of an EAPOL frame causes a segmentation fault
| in the hostapd daemon.
|
| We found it using Stress: a software for protocol implementation testing
| and security testing, you can find it at
|
| http://lart.det.unifi.it/Members/rosi/stress
Thanks for the detailed report.

Security team, please advise and/or upload. I believe the severity is
inflated, as this is just a DoS on the program, but I'm leaving it to
you to lower it.
Attached is a patch doing exactly what Matteo said, copied from upstream
and compile tested.
The version in sid/etch (0.5.0-1) is unaffected by this issue.

Regards,
Faidon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEWQNsVty5d8XpUzMRAo8eAJ4kO2KQyGrNq5/R61hPojr72eV8lwCeI/e4
Eb1KKoaCKxSB7zL27FvY/XM=
=T51f
-----END PGP SIGNATURE-----
--- hostapd-0.3.7/wpa.c~	2005-01-24 05:36:45.0 +0200
+++ hostapd-0.3.7/wpa.c		2005-12-18 01:02:03.0 +0200
@@ -1414,6 +1642,14 @@
 	key = (struct wpa_eapol_key *) (hdr + 1);
 	key_info = ntohs(key-key_info);
 	key_data_length = ntohs(key-key_data_length);
+	if (key_data_length  data_len - sizeof(*hdr) - sizeof(*key)) {
+		wpa_printf(MSG_INFO, WPA: Invalid EAPOL-Key frame - 
+			   key_data overflow (%d  %lu),
+			   key_data_length,
+			   (unsigned long) (data_len - sizeof(*hdr) -
+	sizeof(*key)));
+		return;
+	}
 
 	/* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
 	 * are set */
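Review bot: the new check computes `data_len - sizeof(*hdr) - sizeof(*key)` in size_t, so it is only sound if this function has already verified, above the hunk, that data_len is at least `sizeof(*hdr) + sizeof(*key)`; if that earlier length check is missing, the subtraction wraps to a huge value and the new comparison never fires, leaving the key_data length unchecked. Worth confirming that guard exists before accepting this as the complete fix. On the format string, casting the size_t operand to `(unsigned long)` and printing it with `%lu` is the right choice and an improvement over the `%d` used for the same operand in the snippet quoted in the original report.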