[pkg-wpa-devel] Bug#442387: TSF-reporting drivers cause stack overflow

Sat Sep 15 17:30:49 UTC 2007

Package: wpasupplicant
Version: 0.6.0-3
Severity: important
Tags: patch, security

There is a stack overflow in wpa_supplicant when handling TSF info from
drivers that support it.  Patch attached.

-- 
Kees Cook                                            @outflux.net
-------------- next part --------------
#! /bin/sh /usr/share/dpatch/dpatch-run
## 50_fix_hexstr2bin_stack_overflow.dpatch by Kees Cook <kees at outflux.net>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Adjust bytes to target buffer length, not source buffer length.

@DPATCH@
diff -urNad wpasupplicant-0.6.0~/src/drivers/driver_wext.c wpasupplicant-0.6.0/src/drivers/driver_wext.c

--- wpasupplicant-0.6.0~/src/drivers/driver_wext.c	2007-05-28 10:26:55.000000000 -0700
+++ wpasupplicant-0.6.0/src/drivers/driver_wext.c	2007-09-14 23:07:24.217713592 -0700
@@ -1380,6 +1380,7 @@
 			wpa_printf(MSG_INFO, "Invalid TSF length (%d)", bytes);
 			return;
 		}
+		bytes /= 2;
 		hexstr2bin(spos, bin, bytes);
 		res->tsf += WPA_GET_BE64(bin);
 	}
