Description of problem: Kees Cook reported this to the Debian BTS: There is a stack overflow in wpa_supplicant when handling TSF info from drivers that support it. Patch attached.
Created attachment 197231: The proposed Debian patch
I do not believe that any version of Fedora or RHEL is vulnerable due to this problem, because we do not ship a version of wpa_supplicant that is new enough to have TSF-related code. I have quickly checked all other instances of hexstr2bin and they all appear to be correctly determining the length of the returned buffer. We ship wpa_supplicant 0.5.7 in F-7 and rawhide, 0.4.9 in FC-6, and no version greater than 0.5.7 in RHEL. Shall I mark as NOTABUG?
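The caller-side length check that the audit of `hexstr2bin` call sites above looks for, as an added example; it is not wpa_supplicant's code or the Debian patch. The names `hexstr2bin_sketch`, `parse_tsf` and `TSF_LEN`, and the 8-byte field size, are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TSF_LEN 8 /* assumed size of the fixed destination field */

/* Value of one hex digit, or -1 if c is not a hex digit (NUL included). */
static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical stand-in for a hexstr2bin-style helper: writes exactly len
 * bytes to buf and trusts the caller that buf is at least that large. */
static int hexstr2bin_sketch(const char *hex, uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        int hi = hex_nibble(hex[2 * i]);
        int lo = hi < 0 ? -1 : hex_nibble(hex[2 * i + 1]);
        if (lo < 0) return -1; /* bad digit or input ended early */
        buf[i] = (uint8_t)((hi << 4) | lo);
    }
    return 0;
}

/* Caller: the decode length is checked against the destination size before
 * the helper runs; over-long driver input is rejected, never truncated.
 * Shorter values are right-aligned in the zeroed field. */
int parse_tsf(const char *hex, uint8_t tsf[TSF_LEN])
{
    size_t hexlen = strlen(hex);
    if (hexlen == 0 || hexlen % 2 != 0) return -1;
    size_t bytes = hexlen / 2;
    if (bytes > TSF_LEN) return -1; /* would write past tsf[] */
    memset(tsf, 0, TSF_LEN);
    return hexstr2bin_sketch(hex, tsf + (TSF_LEN - bytes), bytes);
}

int main(void)
{
    uint8_t tsf[TSF_LEN];
    /* constructed sample inputs: one that fits, one that is too long */
    printf("%d\n", parse_tsf("0011223344556677", tsf));
    printf("%d\n", parse_tsf("00112233445566778899", tsf));
    return 0;
}
```

A call site that derives the byte count only from the input string, without the comparison against the destination size, is the pattern such an audit flags.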