Ticket #1335 (closed defect: fixed)

Opened 1 year ago

Last modified 1 year ago

Fast Frame parsing remote kernel DoS

Reported by: mrenzmann Assigned to: mrenzmann
Priority: critical Milestone:
Component: madwifi: 802.11 stack Version: v0.9.3
Keywords: Cc:
Patch is attached: 0

Description

The following security issue has recently been reported to us. The original reporter wishes to stay anonymous.

There is a vulnerability in packet parsing code whereby a remote attacker can craft a malicious packet that will DoS the system. Due to improper sanitization of nested 802.3 Ethernet frame length fields in Fast Frame packets, the MadWifi driver is vulnerable to a remote kernel denial of service. The problem is that the frame length is read directly from the attackers packet without validation. The attacker can specify a length so that after the skb_pull operation skb1 is less than sizeof(ethernet_header). When skb_pull is called again on skb1 in athff_decap it will return NULL. This results in a NULL dereference later on in the function.

Tests have been made on a SuSE 10.2 32 bit system and after sending the packet, the victim's machine completely locks up and requires a reboot.

Attachments

01_secfix-0.9.3-sizecheck-take3.patch (2.4 kB) - added by mrenzmann on 05/23/07 10:27:47.

Change History

05/23/07 10:27:47 changed by mrenzmann

  • attachment 01_secfix-0.9.3-sizecheck-take3.patch added.

05/23/07 10:28:30 changed by mrenzmann

The attached patch is for tags/release-0.9.3 and fixes the reported bug.

05/24/07 03:15:01 changed by mentor

  • status changed from new to closed.
  • resolution set to fixed.

I believe that this problem was fixed in trunk at r2296

Add/Change #1335 (Fast Frame parsing remote kernel DoS)