wpa_supplicant - new stable releases v0.3.8 and v0.2.7

Jouni Malinen jkmaline at cc.hut.fi
Sun Feb 13 21:35:31 EST 2005


New versions of wpa_supplicant stable branches were just released and
are now available from http://hostap.epitest.fi/

This release is a bug fix release for all current stable branches. A
missing validation of received EAPOL-Key frames was found during code
review. This omission makes it possible to construct a packet that
will cause wpa_supplicant to crash with segmentation fault due to
buffer overflow when reading the invalid EAPOL-Key packet data.

This omission of required validation step happened during addition of
WPA2 support and is thus present in all released versions of
wpa_supplicant except for the first v0.2.0 release that did not yet
have WPA2 support. If WPA2 is enabled ('proto' configuration variable
includes WPA2 or RSN, or is commented out in configuration), an
unauthenticated EAPOL-Key frame (message 1 of 4-Way Handshake) can
trigger this failure. If WPA2 is not enabled, only authenticated
frames (message 3 of 4-Way Handshake) trigger this failure, i.e., AP
must be able to determine the correct PMK and PTK to send such a frame.

All users of wpa_supplicant are recommended to update to the new
versions, either v0.3.8 or v0.2.7. Alternatively, the attached patch
can be used to add the missing validation for EAPOL-Key frames. This
patch should apply to all versions starting from v0.2.2 (with some
offset differences). This change is also included in the current
development snapshot.


wpa_supplicant:
* fixed EAPOL-Key validation to drop packets with invalid Key Data
  Length; such frames could have crashed wpa_supplicant due to buffer
  overflow


-- 
Jouni Malinen                                            PGP id EFC895FA
-------------- next part --------------
diff -upr wpa_supplicant-0.3.7/wpa.c wpa_supplicant-0.3.8/wpa.c
--- wpa_supplicant-0.3.7/wpa.c	2005-01-30 20:25:36.000000000 -0800
+++ wpa_supplicant-0.3.8/wpa.c	2005-02-13 10:47:25.000000000 -0800
@@ -1961,6 +1961,13 @@ static void wpa_sm_rx_eapol(struct wpa_s
 
 	extra_len = data_len - sizeof(*hdr) - sizeof(*key);
 
+	if (be_to_host16(key->key_data_length) > extra_len) {
+		wpa_msg(wpa_s, MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
+			"key_data overflow (%d > %d)",
+			be_to_host16(key->key_data_length), extra_len);
+		return;
+	}
+
 	if (wpa_s->proto == WPA_PROTO_RSN &&
 	    (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
 	    wpa_supplicant_decrypt_key_data(wpa_s, key, ver))


More information about the HostAP mailing list