mirror of
https://github.com/adulau/aha.git
synced 2024-12-28 19:56:18 +00:00
88f16db7a2
Another design flaw in wireless extensions (is anybody surprised?) in the way it handles the iw_encode_ext structure: The structure is part of the 'extra' memory but contains the key length explicitly, instead of it just being the length of the extra buffer - size of the struct and using the explicit key length only for the get operation (which only writes it). Therefore, we have this layout: extra: +-------------------------+ | struct iw_encode_ext { | | ... | | u16 key_len; | | u8 key[0]; | | }; | +-------------------------+ | key material | +-------------------------+ Now, all drivers I checked use ext->key_len without checking that both key_len and the struct fit into the extra buffer that has been copied from userspace. This leads to a buffer overrun while reading that buffer, depending on the driver it may be possible to specify arbitrary key_len or it may need to be a proper length for the key algorithm specified. Thankfully, this is only exploitable by root, but root can actually cause a segfault or use kernel memory as a key (which you can even get back with siocgiwencode or siocgiwencodeext from the key buffer). Fix this by verifying that key_len fits into the buffer along with struct iw_encode_ext. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com> |
||
---|---|---|
.. | ||
core.c | ||
core.h | ||
Kconfig | ||
lib80211.c | ||
lib80211_crypt_ccmp.c | ||
lib80211_crypt_tkip.c | ||
lib80211_crypt_wep.c | ||
Makefile | ||
mlme.c | ||
nl80211.c | ||
nl80211.h | ||
radiotap.c | ||
reg.c | ||
reg.h | ||
scan.c | ||
sysfs.c | ||
sysfs.h | ||
util.c | ||
wext-compat.c | ||
wext.c |