Common Vulnerabilities and Exposures assigned an identifier CVE-2007-4997 to the following vulnerability: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. References:
Chris Evans discovered that a malicious 802.11 frame can crash the machine if certain drivers, chipsets, and firmware are in use.

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=04045f98e0457aba7d4e6736f37eed189c48a5f7

Reported by Chris Evans <scarybeasts>:

> The summary is that an evil 80211 frame can crash out a victim's
> machine. It only applies to drivers using the 80211 wireless code, and
> only then to certain drivers (and even then depends on a card's
> firmware not dropping a dubious packet). I must confess I'm not
> keeping track of Linux wireless support, and the different protocol
> stacks etc.
>
> Details are as follows:
>
> ieee80211_rx() does not explicitly check that "skb->len >= hdrlen".
> There are other skb->len checks, but not enough to prevent a subtle
> off-by-two error if the frame has the IEEE80211_STYPE_QOS_DATA flag
> set.
>
> This leads to integer underflow and crash here:
>
>     if (frag != 0)
>         flen -= hdrlen;
>
> (flen is subsequently used as a memcpy length parameter).

Acknowledgements: Red Hat would like to credit Chris Evans for reporting this issue.
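The length arithmetic described in the report, as an added example that is not part of this bug entry or of the kernel's own code: a small model of the 802.11 header-length computation (24 bytes for a data frame, +6 for a four-address frame, +2 for the QoS control field), the unchecked `flen -= hdrlen` pattern beside a hardened version that rejects a frame shorter than its own header before subtracting. The constant names, the `hdr_len` helper and the return-value conventions are this example's own assumptions, not identifiers from the kernel.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Frame-control bits as laid out in IEEE 802.11 (names are this example's
 * own; values follow the standard's little-endian bit positions). */
#define FC_FTYPE_DATA      0x0008u
#define FC_STYPE_QOS_DATA  0x0080u
#define FC_TYPE_MASK       0x00FCu   /* type + subtype bits */
#define FC_TODS            0x0100u
#define FC_FROMDS          0x0200u

/* Header length model: 24 bytes for a data frame, +6 when both ToDS and
 * FromDS are set (4-address frame), +2 for the QoS control field. That
 * "+2" is exactly the margin the off-by-two in the report refers to. */
size_t hdr_len(uint16_t fc) {
    size_t len = 24;
    if ((fc & (FC_TODS | FC_FROMDS)) == (FC_TODS | FC_FROMDS)) len += 6;
    if ((fc & FC_TYPE_MASK) == (FC_FTYPE_DATA | FC_STYPE_QOS_DATA)) len += 2;
    return len;
}

/* Unchecked pattern: flen starts as the frame length and, for a non-first
 * fragment, has hdrlen subtracted without first confirming the frame is at
 * least that long. A 24-byte QoS data frame wraps to SIZE_MAX - 1, which is
 * the kind of value that then reaches memcpy as a length. */
size_t fragment_len_unchecked(uint16_t fc, size_t skb_len, unsigned frag) {
    size_t flen = skb_len;
    if (frag != 0) flen -= hdr_len(fc);
    return flen;
}

/* Hardened pattern: reject any frame shorter than its own header before
 * doing arithmetic on its length. Returns -1 for "drop", otherwise the
 * payload length that is safe to pass on. */
long fragment_len_checked(uint16_t fc, size_t skb_len, unsigned frag) {
    size_t hdrlen = hdr_len(fc);
    if (skb_len < hdrlen) return -1;   /* the missing skb->len >= hdrlen check */
    return (long)(frag != 0 ? skb_len - hdrlen : skb_len);
}

int main(void) {
    /* Constructed input: a QoS data frame only 24 bytes long, fragment 1. */
    uint16_t fc = FC_FTYPE_DATA | FC_STYPE_QOS_DATA;
    printf("hdrlen=%zu\n", hdr_len(fc));
    printf("unchecked flen=%zu\n", fragment_len_unchecked(fc, 24, 1));
    printf("checked   flen=%ld\n", fragment_len_checked(fc, 24, 1));
    return 0;
}
```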
I should not be on this bug.
Now also public at http://scary.beasts.org/security/CESA-2007-007.html