CESA-2007-007 - rev 1

[See all my vulnerabilities at http://scary.beasts.org/security]

Linux kernel IEEE80211 integer underflow / DoS

Programs affected: linux kernel
Fixed version: v2.6.23
Advisory release date: Nov 8th 2007
Severity: Remote DoS over wireless
CVE(s): CVE-2007-4997

The summary is that an evil 80211 frame can crash out a victim's machine. It only applies to drivers using the 80211 wireless code, and only then to certain drivers (and even then depends on a card's firmware not dropping a dubious packet). I must confess I'm not keeping track of Linux wireless support, and the different protocol stacks etc.

Details are as follows:

ieee80211_rx() does not explicitly check that "skb->len >= hdrlen". There are other skb->len checks, but not enough to prevent a subtle off-by-two error if the frame has the IEEE80211_STYPE_QOS_DATA flag set.

This leads to integer underflow and crash here:

if (frag != 0)
  flen -= hdrlen;
(flen is subsequently used as a memcpy length parameter).

Some drivers have this length check, e.g. ipw2200, so the problem is avoided. Other drivers, such as ipw2100, lack an explicit length check. It's reasonable for drivers to expect the common ieee80211 core to do this check.

CESA-2007-007 - rev 1
Chris Evans