CESA-2007-007 - rev 1
[See all my vulnerabilities at http://scary.beasts.org/security]
Linux kernel IEEE80211 integer underflow / DoS
Programs affected: linux kernel
Fixed version: v2.6.23
Advisory release date: Nov 8th 2007
Severity: Remote DoS over wireless
CVE(s): CVE-2007-4997
The summary is that a malicious 802.11 frame can crash a victim's
machine. It applies only to drivers built on the ieee80211 wireless
code, and even then only to certain drivers (and even then only when
the card's firmware does not itself drop the malformed frame). I must
confess I'm not keeping track of Linux wireless support and the
different protocol stacks etc.
Details are as follows:
ieee80211_rx() does not explicitly check that "skb->len >= hdrlen".
There are other skb->len checks, but they do not account for the extra
2-byte QoS Control field, so a frame with the IEEE80211_STYPE_QOS_DATA
subtype flag set yields a subtle off-by-two: hdrlen is two bytes larger
than the length those checks assumed.
This leads to an unsigned integer underflow and a crash here:
    if (frag != 0)
        flen -= hdrlen;
(flen is subsequently used as a memcpy length parameter, so the wrapped
value drives an enormous copy.)
Some drivers perform this length check themselves, e.g. ipw2200, so the
problem is avoided there. Other drivers, such as ipw2100, lack an
explicit length check. It is reasonable for drivers to expect the
common ieee80211 core to do this check.
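The following is an added illustration, not code from the advisory or from the Linux kernel: a small C model of the length computation described above. data_hdrlen() derives the header length from the 802.11 frame-control bits (24 bytes base, +6 for the fourth address when both ToDS and FromDS are set, +2 for the QoS Control field on QoS Data subtypes); the real kernel helper and the surrounding ieee80211_rx() code are not reproduced. flen_vulnerable() mirrors the "if (frag != 0) flen -= hdrlen;" step with no skb->len >= hdrlen check, so a non-first fragment shorter than its own header wraps to UINT_MAX; flen_fixed() and append_fragment_fixed() show the guard and a bounded reassembly copy. The function names, the constructed 25-byte frame, and the reassembly buffer size are assumptions of this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame-control bits from the IEEE 802.11 header (standard values). */
#define FC_FTYPE_MASK   0x000cu
#define FC_STYPE_MASK   0x00f0u
#define FC_TODS         0x0100u
#define FC_FROMDS       0x0200u
#define FC_FTYPE_DATA   0x0008u
#define FC_STYPE_QOS    0x0080u   /* QoS Data subtypes carry a 2-byte QoS Control field */

#define MAX_FRAG_BYTES  2304u     /* 802.11 MSDU limit; reassembly buffer size in this model */

/* Header length of a data frame from the 802.11 layout: 24 bytes base,
 * +6 when both ToDS and FromDS are set (4th address), +2 for QoS Data. */
unsigned int data_hdrlen(uint16_t fc)
{
    unsigned int hdrlen = 24;
    if ((fc & (FC_TODS | FC_FROMDS)) == (FC_TODS | FC_FROMDS))
        hdrlen += 6;
    if ((fc & FC_STYPE_MASK) & FC_STYPE_QOS)
        hdrlen += 2;
    return hdrlen;
}

/* Vulnerable model (assumed shape, not the kernel's code): skb_len is
 * unsigned like skb->len and is never compared against hdrlen, so a
 * non-first fragment shorter than its header makes the subtraction wrap. */
unsigned int flen_vulnerable(uint16_t fc, unsigned int skb_len, unsigned int frag)
{
    unsigned int hdrlen = data_hdrlen(fc);
    unsigned int flen = skb_len;
    if (frag != 0)
        flen -= hdrlen;          /* underflows when skb_len < hdrlen */
    return flen;
}

/* Fixed model: refuse the frame before subtracting unless skb_len >= hdrlen. */
bool flen_fixed(uint16_t fc, unsigned int skb_len, unsigned int frag, unsigned int *flen_out)
{
    unsigned int hdrlen = data_hdrlen(fc);
    if (skb_len < hdrlen)
        return false;            /* drop: header is truncated */
    *flen_out = (frag != 0) ? skb_len - hdrlen : skb_len;
    return true;
}

/* Reassembly step with the fix: copy the fragment into a fixed buffer and
 * reject anything that would not fit. Returns bytes appended, 0 on reject. */
unsigned int append_fragment_fixed(uint8_t *buf, unsigned int *used,
                                   const uint8_t *frame, unsigned int skb_len,
                                   unsigned int frag)
{
    uint16_t fc;
    unsigned int flen, hdrlen;

    if (skb_len < 2)
        return 0;
    fc = (uint16_t)(frame[0] | (frame[1] << 8));  /* frame control is little-endian */
    if ((fc & FC_FTYPE_MASK) != FC_FTYPE_DATA)
        return 0;
    if (!flen_fixed(fc, skb_len, frag, &flen))
        return 0;
    if (flen > MAX_FRAG_BYTES - *used)
        return 0;                /* would overrun the reassembly buffer */
    hdrlen = data_hdrlen(fc);
    memcpy(buf + *used, frame + (frag == 0 ? 0 : hdrlen), flen);
    *used += flen;
    return flen;
}

int main(void)
{
    /* Constructed frame, not a capture: QoS Data subtype (fc = 0x0088),
     * 25 bytes total, one byte short of its own 26-byte header. */
    uint8_t frame[25] = { 0x88, 0x00 };
    uint16_t fc = 0x0088;
    uint8_t buf[MAX_FRAG_BYTES];
    unsigned int used = 0, flen = 0;

    printf("hdrlen=%u\n", data_hdrlen(fc));
    printf("vulnerable flen=%u (wrapped)\n", flen_vulnerable(fc, sizeof frame, 1));
    printf("fixed accepts=%d\n", flen_fixed(fc, sizeof frame, 1, &flen));
    printf("appended=%u\n", append_fragment_fixed(buf, &used, frame, sizeof frame, 1));
    return 0;
}
```

The same 25-byte frame passes a check written against the plain 24-byte data header, which is the off-by-two the advisory describes: only a comparison against the actual hdrlen (26 with QoS Control) catches it.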
CESA-2007-007 - rev 1
Chris Evans
scarybeasts@gmail.com