mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2025-02-20 02:53:03 -05:00
fd630bc183
If IWEVGENIE or custom event wpa_ie/rsn_ie is received in scan with empty buffer, the previous version ended up calling realloc(NULL, 0) which seems to return a non-NULL value in some cases. When this return value is passed again into realloc with realloc(ptr, 0), the returned value could be NULL. If the ptr is then freed (os_free(data.ie) in SIOCGIWAP handling), glibc may crash due to invalid pointer being freed (or double-freed?). The non-NULL realloc(NULL, 0) return value from glibc looks a bit odd behavior, but anyway, better avoid this case completely and just skip the IE events that have an empty buffer. This issue should not show up with drivers that produce proper scan results since the IEs will always include the two-octet header. However, it seems to be possible to see this when using 64-bit kernel and 32-bit userspace with incorrect compat-ioctl processing.
wpa_supplicant and hostapd v0.6.x --------------------------------- Copyright (c) 2002-2007, Jouni Malinen <j@w1.fi> and contributors All Rights Reserved. These program is dual-licensed under both the GPL version 2 and BSD license. Either license may be used at your option. This package may include either wpa_supplicant, hostapd, or both. See README file respective subdirectories (wpa_supplicant/README or hostapd/README) for more details. Source code files have been moved around in v0.6.x releases and compared to earlier releases, the programs are now build by first going to a subdirectory (wpa_supplicant or hostapd) and creating build configuration (.config) and running 'make' there (for Linux/BSD/cygwin builds).