SecurityTracker.com
Category:  Application (Generic)  >  wpa_supplicant
Vendors:  Malinen, Jouni et al
wpa_supplicant Key Data Length Missing Validation Lets Remote Users Crash the Service
SecurityTracker Alert ID:  1013226
SecurityTracker URL:  http://securitytracker.com/id?1013226
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Feb 17 2005
Impact:  Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 0.2.7 and 0.3.8
Description:  A vulnerability was reported in wpa_supplicant in the processing of WPA2 frames. A remote user can cause denial of service conditions.

The software does not validate the Key Data Length field of received EAPOL-Key frames against the number of bytes actually received after the fixed part of the frame. A remote user can send a specially crafted packet whose Key Data Length exceeds the received data to trigger a buffer overflow (an out-of-bounds read of the key data) and cause wpa_supplicant to crash with a segmentation fault.

If WPA2 is enabled, an unauthenticated remote user can send a specially crafted EAPOL-Key frame (message 1 of the 4-Way Handshake) to trigger the overflow. If WPA2 is not enabled, only authenticated frames (message 3 of the 4-Way Handshake) trigger it, so the sender must already hold the correct PMK and PTK.

The vulnerability resides in the EAPOL-Key receive path (wpa_sm_rx_eapol) in 'wpa.c'.
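To make the missing bound concrete, here is an added C example; it is not wpa_supplicant's code. The header layout and the 95-byte fixed EAPOL-Key descriptor (Key Data Length at offset 93) are simplified from IEEE 802.11i, and build_frame/check_scenario are hypothetical helpers that construct sample frames in memory. The validator enforces the same rule the fix adds, declared Key Data Length must not exceed the bytes actually present, and adds the length pre-check that keeps the extra_len subtraction from wrapping on a truncated frame.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified layouts for this example (not wpa_supplicant's own struct
 * definitions). The IEEE 802.1X header is 4 bytes; the EAPOL-Key descriptor
 * fixed part is 95 bytes per IEEE 802.11i, with the 2-byte big-endian
 * Key Data Length field at offset 93, followed by the variable Key Data. */
struct ieee802_1x_hdr {
    uint8_t version;
    uint8_t type;
    uint8_t length[2];          /* big-endian length of the EAPOL body */
};
#define HDR_LEN                 ((size_t)sizeof(struct ieee802_1x_hdr))
#define EAPOL_KEY_FIXED_LEN     95u
#define KEY_DATA_LENGTH_OFFSET  93u

enum rx_result { RX_OK = 0, RX_TOO_SHORT = 1, RX_KEY_DATA_OVERFLOW = 2 };

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Bound the Key Data region of a received EAPOL-Key frame of data_len bytes.
 * Mirrors the fix: the declared Key Data Length may not exceed the bytes
 * that actually follow the fixed part. On RX_OK, *key_data/*key_data_len
 * describe a region guaranteed to lie inside the received buffer. */
enum rx_result validate_eapol_key(const uint8_t *data, size_t data_len,
                                  const uint8_t **key_data, size_t *key_data_len)
{
    /* Check the fixed part is fully present before subtracting, so that
     * extra_len cannot wrap around on a truncated frame. */
    if (data_len < HDR_LEN + EAPOL_KEY_FIXED_LEN)
        return RX_TOO_SHORT;
    size_t extra_len = data_len - HDR_LEN - EAPOL_KEY_FIXED_LEN;
    uint16_t declared = be16(data + HDR_LEN + KEY_DATA_LENGTH_OFFSET);
    if (declared > extra_len)        /* the check the 0.3.8 patch adds */
        return RX_KEY_DATA_OVERFLOW;
    *key_data = data + HDR_LEN + EAPOL_KEY_FIXED_LEN;
    *key_data_len = declared;
    return RX_OK;
}

/* Build a constructed test frame: 802.1X header, zeroed fixed descriptor,
 * then actual_key_data bytes of zeroed Key Data, with the Key Data Length
 * field set to declared (which may disagree with what is present).
 * Returns bytes written, or 0 if buf is too small. */
size_t build_frame(uint8_t *buf, size_t buf_size,
                   uint16_t declared, size_t actual_key_data)
{
    size_t total = HDR_LEN + EAPOL_KEY_FIXED_LEN + actual_key_data;
    if (total > buf_size)
        return 0;
    memset(buf, 0, total);
    buf[0] = 2;                                  /* 802.1X-2004 version */
    buf[1] = 3;                                  /* packet type: EAPOL-Key */
    uint16_t body = (uint16_t)(total - HDR_LEN);
    buf[2] = (uint8_t)(body >> 8);
    buf[3] = (uint8_t)(body & 0xff);
    buf[HDR_LEN] = 2;                            /* RSN key descriptor type */
    size_t off = HDR_LEN + KEY_DATA_LENGTH_OFFSET;
    buf[off] = (uint8_t)(declared >> 8);
    buf[off + 1] = (uint8_t)(declared & 0xff);
    return total;
}

/* One scenario end to end: build a frame, optionally truncate it to trunc
 * bytes (0 = keep whole), and run it through the validator. */
enum rx_result check_scenario(uint16_t declared, size_t actual, size_t trunc)
{
    uint8_t buf[512];
    const uint8_t *kd = NULL;
    size_t kdl = 0;
    size_t n = build_frame(buf, sizeof buf, declared, actual);
    if (trunc != 0 && trunc < n)
        n = trunc;
    return validate_eapol_key(buf, n, &kd, &kdl);
}

int main(void)
{
    static const char *names[] = { "ok", "too short", "key_data overflow" };
    printf("honest frame (16/16):     %s\n", names[check_scenario(16, 16, 0)]);
    printf("lying frame (65535/16):   %s\n", names[check_scenario(0xFFFF, 16, 0)]);
    printf("off by one (17/16):       %s\n", names[check_scenario(17, 16, 0)]);
    printf("truncated to 50 bytes:    %s\n", names[check_scenario(16, 16, 50)]);
    return 0;
}
```

Only the bounded (key_data, key_data_len) pair returned on RX_OK should ever be handed to later stages such as key data decryption or KDE parsing; every later read then stays within the received buffer regardless of what the frame claims.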

Impact:  A remote user can cause the target service to crash.
Solution:  The vendor has released fixed versions (0.3.8 and 0.2.7), available at:

http://hostap.epitest.fi/wpa_supplicant/

Vendor URL:  hostap.epitest.fi/wpa_supplicant/
Cause:  Boundary error
Underlying OS:  Linux (Any)
Reported By:  Jouni Malinen <jkmaline@cc.hut.fi>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Feb 17 2005 (Gentoo Issues Fix) wpa_supplicant Key Data Length Missing Validation Lets Remote Users Crash the Service   (Matthias Geerdsen <vorlon@gentoo.org>)
Gentoo has released a fix.



 Source Message Contents

Date:  Sun Feb 13 18:35:31 MST 2005
From:  Jouni Malinen <jkmaline@cc.hut.fi>
Subject:  wpa_supplicant - new stable releases v0.3.8 and v0.2.7

 
 
New versions of wpa_supplicant stable branches were just released and
are now available from http://hostap.epitest.fi/
 
This release is a bug fix release for all current stable branches. A
missing validation of received EAPOL-Key frames was found during code
review. This omission makes it possible to construct a packet that
will cause wpa_supplicant to crash with segmentation fault due to
buffer overflow when reading the invalid EAPOL-Key packet data.
 
This omission of a required validation step happened during the addition
of WPA2 support and is thus present in all released versions of
wpa_supplicant except for the first v0.2.0 release that did not yet
have WPA2 support. If WPA2 is enabled ('proto' configuration variable
includes WPA2 or RSN, or is commented out in configuration), an
unauthenticated EAPOL-Key frame (message 1 of 4-Way Handshake) can
trigger this failure. If WPA2 is not enabled, only authenticated
frames (message 3 of 4-Way Handshake) trigger this failure, i.e., AP
must be able to determine the correct PMK and PTK to send such a frame.
 
All users of wpa_supplicant are recommended to update to the new
versions, either v0.3.8 or v0.2.7. Alternatively, the attached patch
can be used to add the missing validation for EAPOL-Key frames. This
patch should apply to all versions starting from v0.2.2 (with some
offset differences). This change is also included in the current
development snapshot.
 
 
wpa_supplicant:
* fixed EAPOL-Key validation to drop packets with invalid Key Data
  Length; such frames could have crashed wpa_supplicant due to buffer
  overflow
 
 
-- 
Jouni Malinen                                            PGP id EFC895FA
-------------- next part --------------
diff -upr wpa_supplicant-0.3.7/wpa.c wpa_supplicant-0.3.8/wpa.c
--- wpa_supplicant-0.3.7/wpa.c	2005-01-30 20:25:36.000000000 -0800
+++ wpa_supplicant-0.3.8/wpa.c	2005-02-13 10:47:25.000000000 -0800
@@ -1961,6 +1961,13 @@ static void wpa_sm_rx_eapol(struct wpa_s
 
 	extra_len = data_len - sizeof(*hdr) - sizeof(*key);
 
+	if (be_to_host16(key->key_data_length) > extra_len) {
+		wpa_msg(wpa_s, MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
+			"key_data overflow (%d > %d)",
+			be_to_host16(key->key_data_length), extra_len);
+		return;
+	}
+
 	if (wpa_s->proto == WPA_PROTO_RSN &&
 	    (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
 	    wpa_supplicant_decrypt_key_data(wpa_s, key, ver))
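Review bot: the new check (`be_to_host16(key->key_data_length) > extra_len`) is only sound if `extra_len` cannot already have wrapped, i.e. if `data_len >= sizeof(*hdr) + sizeof(*key)` was verified before line 1961; that check is outside this hunk, so it is worth confirming it exists, since an unsigned underflow in `extra_len = data_len - sizeof(*hdr) - sizeof(*key)` would let a truncated frame pass the comparison. A smaller point: the `wpa_msg` format uses `%d` for both values, while `extra_len` comes from `sizeof()` arithmetic and is presumably a size type; printing it with `%lu` and a cast (and the 16-bit field with `%u`) would avoid a format mismatch on 64-bit builds.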
 


Copyright 2005, SecurityGlobal.net LLC