Debian Bug report logs - #365897
seg fault error in hostapd


Package: hostapd; Maintainer for hostapd is Debian/Ubuntu wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>; Source for hostapd is src:wpa.

Reported by: Matteo Rosi <rosi@lart.det.unifi.it>

Date: Wed, 3 May 2006 16:03:02 UTC

Severity: critical

Tags: patch, sarge, security

Found in version hostapd/1:0.3.7-2

Fixed in versions hostapd/1:0.3.7-2sarge1, hostapd/1:0.5.0-1

Done: Faidon Liambotis <faidon@cube.gr>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Faidon Liambotis <faidon@cube.gr>:
Bug#365897; Package hostapd.

Acknowledgement sent to Matteo Rosi <rosi@lart.det.unifi.it>:
New Bug report received and forwarded. Copy sent to Faidon Liambotis <faidon@cube.gr>.

Message #5 received at submit@bugs.debian.org:

From: Matteo Rosi <rosi@lart.det.unifi.it>
To: submit@bugs.debian.org
Subject: seg fault error in hostapd
Date: Wed, 03 May 2006 17:34:59 +0200
Package: Hostapd
Version: 0.3.7-2
Severity: critical
Tags: security, patch, sarge

Description:
An invalid value in a field of an EAPoL frame causes a segmentation fault
in the hostapd daemon.

We found it using Stress, a piece of software for protocol implementation
testing and security testing; you can find it at

http://lart.det.unifi.it/Members/rosi/stress


We found the error in the wpa.c file, line 1416:

key_data_length = ntohs(key->key_data_length);

To correct it, we can take the patch made by Malinen in revision
1.71.2.1 in the CVS system:

key_data_length = ntohs(key->key_data_length);
if (key_data_length > data_len - sizeof(*hdr) - sizeof(*key)) {
	wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
		   "key_data overflow (%d > %d)",
		   key_data_length,
		   data_len - sizeof(*hdr) - sizeof(*key));
	return;
}


regards,
Matteo Rosi, Leonardo Maccari

-- 
Telecommunication Network Lab,
Department of Electronics and Telecommunications, University of Florence
http://lart.det.unifi.it/
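The fix quoted in the report comes down to one rule: the key_data_length field of an EAPOL-Key frame is attacker-controlled and must be checked against the number of bytes actually received before anything reads that far. The following is an added example, not code from the bug report or from hostapd: a stand-alone C validator with simplified, assumed struct layouts (eapol_hdr and eapol_key follow the IEEE 802.1X / 802.11i wire layout but are not hostapd's definitions, and build_frame is a constructed helper that only exists here). It is run against constructed frames: one well-formed, one that claims more key data than is present, and one too short to hold the fixed headers at all.

```c
/* Added example (not hostapd's code): bounds-checking key_data_length of an
 * EAPOL-Key frame. Struct layouts are simplified assumptions for this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

/* IEEE 802.1X EAPOL header (4 bytes), assumed layout */
struct eapol_hdr {
    uint8_t  version;
    uint8_t  type;          /* 3 = EAPOL-Key */
    uint16_t length;        /* body length, network byte order */
} __attribute__((packed));

/* EAPOL-Key body up to and including key_data_length (95 bytes), assumed layout */
struct eapol_key {
    uint8_t  type;              /* 254 = WPA, 2 = RSN */
    uint16_t key_info;
    uint16_t key_length;
    uint8_t  replay_counter[8];
    uint8_t  key_nonce[32];
    uint8_t  key_iv[16];
    uint8_t  key_rsc[8];
    uint8_t  key_id[8];
    uint8_t  key_mic[16];
    uint16_t key_data_length;   /* network byte order; key_data follows */
} __attribute__((packed));

enum eapol_key_status {
    EAPOL_KEY_OK = 0,
    EAPOL_KEY_TOO_SHORT = 1,     /* buffer cannot even hold the fixed headers */
    EAPOL_KEY_DATA_OVERFLOW = 2  /* key_data_length claims more than was received */
};

/* Validate that key_data_length fits inside the received buffer.
 * Order matters: the fixed-header length is checked first, so the unsigned
 * subtraction in the second check cannot wrap around on a short frame. */
enum eapol_key_status validate_eapol_key(const uint8_t *data, size_t data_len,
                                         size_t *key_data_len_out)
{
    const struct eapol_hdr *hdr;
    const struct eapol_key *key;
    const size_t fixed = sizeof(*hdr) + sizeof(*key);   /* 99 bytes */
    uint16_t key_data_length;

    if (data_len < fixed)
        return EAPOL_KEY_TOO_SHORT;

    hdr = (const struct eapol_hdr *) data;
    key = (const struct eapol_key *) (hdr + 1);
    key_data_length = ntohs(key->key_data_length);

    if (key_data_length > data_len - fixed) {
        fprintf(stderr, "Invalid EAPOL-Key frame - key_data overflow (%u > %lu)\n",
                (unsigned) key_data_length, (unsigned long) (data_len - fixed));
        return EAPOL_KEY_DATA_OVERFLOW;
    }
    if (key_data_len_out)
        *key_data_len_out = key_data_length;
    return EAPOL_KEY_OK;
}

/* Constructed helper: build a frame whose key_data_length field says
 * `claimed` while only `actual` key_data bytes are really appended.
 * Returns the total frame length, or 0 if it does not fit in buf. */
size_t build_frame(uint8_t *buf, size_t bufsz, uint16_t claimed, size_t actual)
{
    size_t total = sizeof(struct eapol_hdr) + sizeof(struct eapol_key) + actual;
    struct eapol_hdr *hdr = (struct eapol_hdr *) buf;
    struct eapol_key *key = (struct eapol_key *) (hdr + 1);

    if (total > bufsz)
        return 0;
    memset(buf, 0, total);
    hdr->version = 1;
    hdr->type = 3;
    hdr->length = htons((uint16_t) (sizeof(*key) + actual));
    key->type = 2;
    key->key_data_length = htons(claimed);
    return total;
}

int main(void)
{
    uint8_t buf[256];
    size_t kd = 0, n;

    n = build_frame(buf, sizeof buf, 16, 16);     /* honest frame */
    printf("well-formed: status %d, key_data_len %lu\n",
           validate_eapol_key(buf, n, &kd), (unsigned long) kd);

    n = build_frame(buf, sizeof buf, 65535, 16);  /* field lies about key_data */
    printf("oversized key_data_length: status %d\n",
           validate_eapol_key(buf, n, &kd));

    printf("truncated frame: status %d\n",        /* shorter than the headers */
           validate_eapol_key(buf, 50, &kd));
    return 0;
}
```

The two checks are deliberately separate: comparing key_data_length against `data_len - fixed` only means something once `data_len >= fixed` is known, because both operands are unsigned and a truncated frame would otherwise make the right-hand side wrap to a huge value and slip past the comparison.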




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#365897; Package hostapd.

Acknowledgement sent to Faidon Liambotis <faidon@cube.gr>:
Extra info received and forwarded to list.

Message #10 received at 365897@bugs.debian.org:

From: Faidon Liambotis <faidon@cube.gr>
To: Debian Security Team <team@security.debian.org>
Cc: Matteo Rosi <rosi@lart.det.unifi.it>, 365897@bugs.debian.org
Subject: Re: Bug#365897: seg fault error in hostapd
Date: Wed, 03 May 2006 22:24:28 +0300
[Message part 1 (text/plain, inline)]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
Matteo Rosi wrote:
| Package: Hostapd
| Version: 0.3.7-2
| Severity: critical
| Tags: security, patch, sarge
|
| Description:
| An invalid value in a field of an EAPoL frame causes a segmentation fault
| in the hostapd daemon.
|
| We found it using Stress: a software for protocol implementation testing
| and security testing, you can find it at
|
| http://lart.det.unifi.it/Members/rosi/stress
Thanks for the detailed report.

Security team, please advise and/or upload. I believe the severity is
inflated, as this is just a DoS on the program, but I'm leaving it to
you to lower it.
Attached is a patch doing exactly what Matteo said, copied from upstream
and compile tested.
The version in sid/etch (0.5.0-1) is unaffected by this issue.

Regards,
Faidon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEWQNsVty5d8XpUzMRAo8eAJ4kO2KQyGrNq5/R61hPojr72eV8lwCeI/e4
Eb1KKoaCKxSB7zL27FvY/XM=
=T51f
-----END PGP SIGNATURE-----
[0.3.7-2-security.patch (text/x-patch, inline)]
--- hostapd-0.3.7/wpa.c~	2005-01-24 05:36:45.000000000 +0200
+++ hostapd-0.3.7/wpa.c		2005-12-18 01:02:03.000000000 +0200
@@ -1414,6 +1642,14 @@
 	key = (struct wpa_eapol_key *) (hdr + 1);
 	key_info = ntohs(key->key_info);
 	key_data_length = ntohs(key->key_data_length);
+	if (key_data_length > data_len - sizeof(*hdr) - sizeof(*key)) {
+		wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
+			   "key_data overflow (%d > %lu)",
+			   key_data_length,
+			   (unsigned long) (data_len - sizeof(*hdr) -
+					    sizeof(*key)));
+		return;
+	}
 
 	/* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
 	 * are set */
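Review bot: the added check `if (key_data_length > data_len - sizeof(*hdr) - sizeof(*key))` is only sound if `data_len` is already known to be at least `sizeof(*hdr) + sizeof(*key)`; both operands are unsigned, so for a frame shorter than the fixed headers the right-hand side wraps to a very large value and the comparison passes. No such minimum-length check is visible in this hunk, so please confirm one precedes it in wpa.c, or add `if (data_len < sizeof(*hdr) + sizeof(*key)) return;` before this block. Separately, the hunk header `@@ -1414,6 +1642,14 @@` does not match an eight-line insertion at line 1414 (the new-file offset 1642 points to a different revision of the file); `patch` will still place the hunk by context, but the applied result should be checked. The `%lu` with the `(unsigned long)` cast is the correct format for the size_t expression and is an improvement over the `%d` in the reporter's version.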


Information forwarded to debian-bugs-dist@lists.debian.org, Faidon Liambotis <faidon@cube.gr>:
Bug#365897; Package hostapd.

Acknowledgement sent to Matteo Rosi <rosi@lart.det.unifi.it>:
Extra info received and forwarded to list. Copy sent to Faidon Liambotis <faidon@cube.gr>.

Message #15 received at 365897@bugs.debian.org:

From: Matteo Rosi <rosi@lart.det.unifi.it>
To: Faidon Liambotis <faidon@cube.gr>
Cc: Debian Security Team <team@security.debian.org>, 365897@bugs.debian.org
Subject: Re: Bug#365897: seg fault error in hostapd
Date: Thu, 04 May 2006 17:45:12 +0200
Faidon Liambotis wrote:
> Hi,
> Matteo Rosi wrote:
> | Package: Hostapd
> | Version: 0.3.7-2
> | Severity: critical
> | Tags: security, patch, sarge

> Security team, please advise and/or upload. I believe the severity is
> inflated, as this is just a DoS on the program, but I'm leaving it to
> you to lower it.

We didn't have time to investigate it further, but the problem seems to
be related to an unchecked buffer length, so even if it now only causes
a segfault, it might also have worse consequences.

regards,
Matteo Rosi, Leonardo Maccari

-- 
Telecommunication Network Lab,
Department of Electronics and Telecommunications, University of Florence
http://lart.det.unifi.it/







Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#365897; Package hostapd.

Acknowledgement sent to Faidon Liambotis <faidon@cube.gr>:
Extra info received and forwarded to list.

Message #20 received at 365897@bugs.debian.org:

From: Faidon Liambotis <faidon@cube.gr>
To: 365897@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: seg fault error in hostapd
Date: Fri, 26 May 2006 17:37:45 +0300
notfound 365897 0.3.7-2
found 365897 1:0.3.7-2
close 365897 1:0.3.7-2sarge1
close 365897 1:0.5.0-1
thanks

The bug is fixed both in stable (by version 1:0.3.7-2sarge1) and in
etch/unstable.

Regards,
Faidon



Bug marked as not found in version 0.3.7-2. Request was from Faidon Liambotis <faidon@cube.gr> to control@bugs.debian.org.

Bug marked as found in version 1:0.3.7-2. Request was from Faidon Liambotis <faidon@cube.gr> to control@bugs.debian.org.

Bug marked as fixed in version 1:0.3.7-2sarge1, send any further explanations to Matteo Rosi <rosi@lart.det.unifi.it>. Request was from Faidon Liambotis <faidon@cube.gr> to control@bugs.debian.org.

Bug marked as fixed in version 1:0.5.0-1, send any further explanations to Matteo Rosi <rosi@lart.det.unifi.it>. Request was from Faidon Liambotis <faidon@cube.gr> to control@bugs.debian.org.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 07:56:56 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 05:13:29 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.