hostapd/src
Jouni Malinen df9079e727 NFC: Fix payload length validation in NDEF record parser
It was possible for the 32-bit record->total_length value to end up
wrapping around due to integer overflow if the longer form of payload
length field is used and record->payload_length gets a value close to
2^32. This could result in ndef_parse_record() accepting a too large
payload length value and the record type filter reading up to about 20
bytes beyond the end of the buffer and potentially killing the process.
This could also result in an attempt to allocate close to 2^32 bytes of
heap memory and if that were to succeed, a buffer read overflow of the
same length which would most likely result in the process termination.
In case of record->total_length ending up getting the value 0, there
would be no buffer read overflow, but record parsing would result in an
infinite loop in ndef_parse_records().

Any of these error cases could potentially be used for denial of service
attacks over NFC by using a malformed NDEF record on an NFC Tag or
sending them during NFC connection handover if the application providing
the NDEF message to hostapd/wpa_supplicant did no validation of the
received records. While such validation is likely done in the NFC stack
that needs to parse the NFC messages before further processing,
hostapd/wpa_supplicant better be prepared for any data being included
here.

Fix this by validating record->payload_length value in a way that
detects integer overflow. (CID 122668)

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-08 16:52:25 +03:00
..
ap ndisc_snoop: Avoid misaligned read of IPv6 address 2015-07-07 16:25:06 +03:00
common FT: Allow CCMP-256 and GCMP-256 as group ciphers 2015-07-07 16:25:06 +03:00
crypto OpenSSL: Merge error returns 2015-06-30 21:48:22 +03:00
drivers hostap: Fix send_mlme() after 'freq' parameter addition 2015-07-07 19:40:49 +03:00
eap_common EAP-SAKE: Make attribute parser more readable 2015-05-03 16:32:50 +03:00
eap_peer pkcs11: Don't ask for a new PIN on TLS handshake failure 2015-07-07 19:25:31 +03:00
eap_server ERP: Avoid mixing of enum types 2015-07-07 16:25:06 +03:00
eapol_auth Declare all read only data structures as const 2015-04-25 17:33:06 +03:00
eapol_supp Send EAPOL-Start on HELD->CONNECTING transition 2015-07-07 19:25:31 +03:00
l2_packet tests: Add eapol-fuzzer 2015-04-22 11:44:19 +03:00
p2p P2PS: Save intended interface address after P2PS PD 2015-07-07 20:59:44 +03:00
pae MACsec: Update protect frames and replay on reauthentication 2014-12-09 16:56:10 +02:00
radius RADIUS DAS: Avoid compiler warning on abs() 2015-07-07 16:25:06 +03:00
rsn_supp FT: Allow CCMP-256 and GCMP-256 as group ciphers 2015-07-07 16:25:06 +03:00
tls libtommath: Fix mp_init_multi() stdarg use on error path 2015-06-23 20:39:08 +03:00
utils Avoid ubsan warning on 0x80<<24 not fitting in int in WPA_GET_BE32/LE32 2015-07-07 16:25:06 +03:00
wps NFC: Fix payload length validation in NDEF record parser 2015-07-08 16:52:25 +03:00
lib.rules Add QUIET=1 option for make 2014-12-29 15:49:05 +02:00
Makefile MACsec: Add PAE implementation 2014-05-09 20:42:44 +03:00