FragAttacks: Fragmentation & Aggregation Attacks
Go to file
Jouni Malinen fd630bc183 Fixed WEXT scan result parser to not crash on invalid IEs (zero len buffer)
If IWEVGENIE or custom event wpa_ie/rsn_ie is received in scan with empty
buffer, the previous version ended up calling realloc(NULL, 0) which seems
to return a non-NULL value in some cases. When this return value is passed
again into realloc with realloc(ptr, 0), the returned value could be NULL.
If the ptr is then freed (os_free(data.ie) in SIOCGIWAP handling), glibc
may crash due to invalid pointer being freed (or double-freed?). The
non-NULL realloc(NULL, 0) return value from glibc looks a bit odd behavior,
but anyway, better avoid this case completely and just skip the IE events
that have an empty buffer.

This issue should not show up with drivers that produce proper scan results
since the IEs will always include the two-octet header. However, it seems
to be possible to see this when using 64-bit kernel and 32-bit userspace
with incorrect compat-ioctl processing.
2008-08-27 09:52:16 +03:00
eap_example Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-27 17:34:43 -08:00
hostapd Send HT parameters for new STAs 2008-08-25 11:30:39 +03:00
mac80211_hwsim Removed forgotten todo entry 2008-06-10 20:57:32 +03:00
patches Updated the OpenSSL EAP-FAST patch for the current OpenSSL 0.9.9 snapshot 2008-08-24 13:12:54 +03:00
radius_example Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-27 17:34:43 -08:00
src Fixed WEXT scan result parser to not crash on invalid IEs (zero len buffer) 2008-08-27 09:52:16 +03:00
testing Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-27 17:34:43 -08:00
wpa_supplicant Internal X.509/TLSv1: Support SHA-256 in X.509 certificate digest 2008-08-16 11:21:22 +03:00
www Preparations for 0.6.4 release 2008-08-10 20:33:12 +03:00
build_release Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-27 17:34:43 -08:00
COPYING Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-27 17:34:43 -08:00
FAQ Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-27 17:34:43 -08:00
README Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-27 17:34:43 -08:00

wpa_supplicant and hostapd v0.6.x
---------------------------------

Copyright (c) 2002-2007, Jouni Malinen <j@w1.fi> and contributors
All Rights Reserved.

These program is dual-licensed under both the GPL version 2 and BSD
license. Either license may be used at your option.


This package may include either wpa_supplicant, hostapd, or both. See
README file respective subdirectories (wpa_supplicant/README or
hostapd/README) for more details.

Source code files have been moved around in v0.6.x releases and
compared to earlier releases, the programs are now build by first
going to a subdirectory (wpa_supplicant or hostapd) and creating
build configuration (.config) and running 'make' there (for
Linux/BSD/cygwin builds).