oss-sec mailing list archives
CVE request: kernel: nl80211: missing check for valid SSID size in scan operations
From: Petr Matousek <pmatouse () redhat com>
Date: Fri, 1 Jul 2011 10:48:58 +0200
In both trigger_scan and sched_scan operations, we were checking for the SSID length before assigning the value correctly. Since the memory was just kzalloc'ed, the check was always failing and SSID with over 32 characters were allowed to go through. This is causing a buffer overflow when copying the actual SSID to the proper place. Please note that it needs CAP_NET_ADMIN privileges. Upstream commits: 208c72f4fe44fe09577e7975ba0e7fa0278f3d03 57a27e1d6a3bb9ad4efeebd3a8c71156d6207536 References: https://bugzilla.redhat.com/show_bug.cgi?id=718152 Thanks, -- Petr Matousek / Red Hat Security Response Team
Current thread:
- CVE request: kernel: nl80211: missing check for valid SSID size in scan operations Petr Matousek (Jul 01)