Buffer overflow not properly patched #728
Reported by opensource on 1 Apr 2010 21:38 UTC
changeset:1676 seems not to address the recently discovered buffer overflow.
From the Fedora bug report: (Bug 577654 in Red Hat's Bugzilla)
Comment by opensource on 1 Apr 2010 21:38 UTC
Here is a comment from the original bug reporter claiming that the fix is not yet ok:
Why don't you just compare the promoted size of the EAPOL-frame to
Comment by clopez on 1 Apr 2010 21:38 UTC
Here are the relevant links:
I have tested it with trunk (2002630):
It stays there forever and you have to hit Ctrl+C twice to make it stop :\
Comment by vanhoefm on 1 Apr 2010 21:38 UTC
Several tools are still vulnerable because it is not checked whether the .eapol_size is small enough. My patch fixes the vulnerability in several tools. Aircrack-ng ran forever because it did not release the mutex before reading the next packet. The WPA_hdsk structure was copied all over the codebase, and is now placed in eapol.h which is included by all tools.
I have a working exploit allowing arbitrary code execution when aircrack-ng loads a specially crafted .pcap file... Remote exploitation of other tools should also be possible. So please accept this patch!
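The pattern vanhoefm describes, as an added example (not aircrack-ng code and not the patch under discussion): a handshake record with a fixed-size EAPOL buffer, the copy that trusts a frame-derived length with only a lower bound, and the same copy with the upper bound on .eapol_size that the comment says was missing. The struct layout, the 256-byte buffer, the 24-byte 802.11 header, the helper names and the constructed sample frame are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EAPOL_MAX      256   /* assumed capacity of the fixed EAPOL buffer */
#define DOT11_HDR_LEN  24    /* 802.11 data header without QoS or 4th address (assumed) */
#define LLC_SNAP_LEN   8     /* LLC/SNAP header carrying EtherType 0x888E */

/* Simplified stand-in for the WPA_hdsk record named in the thread; layout is an assumption. */
struct wpa_hdsk {
    unsigned char eapol[EAPOL_MAX];
    int eapol_size;
};

/* Vulnerable pattern: the copy length comes from the frame and only a lower bound is checked. */
int store_eapol_unchecked(struct wpa_hdsk *h, const unsigned char *frame, size_t frame_len)
{
    const size_t skip = DOT11_HDR_LEN + LLC_SNAP_LEN;
    if (frame_len < skip)
        return -1;
    h->eapol_size = (int)(frame_len - skip);
    memcpy(h->eapol, frame + skip, (size_t)h->eapol_size); /* overflows eapol[] when > EAPOL_MAX */
    return 0;
}

/* Hardened pattern: refuse any EAPOL body that does not fit before touching the buffer. */
int store_eapol_checked(struct wpa_hdsk *h, const unsigned char *frame, size_t frame_len)
{
    const size_t skip = DOT11_HDR_LEN + LLC_SNAP_LEN;
    if (frame_len < skip)
        return -1;
    size_t body = frame_len - skip;
    if (body > sizeof h->eapol)
        return -2;                                 /* the upper bound the original check lacked */
    h->eapol_size = (int)body;
    memcpy(h->eapol, frame + skip, body);
    return 0;
}

/* Constructed sample: 802.11 data frame + LLC/SNAP + EAPOL-Key body of body_len bytes.
 * Returns the frame length, or 0 if the frame does not fit in out[cap]. */
size_t build_eapol_frame(unsigned char *out, size_t cap, size_t body_len)
{
    static const unsigned char llc_snap[LLC_SNAP_LEN] =
        { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00, 0x88, 0x8e };
    size_t total = DOT11_HDR_LEN + LLC_SNAP_LEN + body_len;
    if (total > cap || body_len < 4)
        return 0;
    memset(out, 0, DOT11_HDR_LEN);
    out[0] = 0x08;                     /* type data, subtype 0 */
    out[1] = 0x02;                     /* FromDS */
    memcpy(out + DOT11_HDR_LEN, llc_snap, LLC_SNAP_LEN);
    unsigned char *eapol = out + DOT11_HDR_LEN + LLC_SNAP_LEN;
    memset(eapol, 0x41, body_len);     /* filler; in a crafted capture the attacker controls these bytes */
    eapol[0] = 0x01;                   /* EAPOL version 1 */
    eapol[1] = 0x03;                   /* type 3: EAPOL-Key */
    eapol[2] = (unsigned char)((body_len - 4) >> 8);
    eapol[3] = (unsigned char)((body_len - 4) & 0xff);
    return total;
}

/* Build a frame with the given EAPOL body length and run the hardened parser on it.
 * Returns the parser's return code (-3 if the sample could not be built);
 * on success *stored receives eapol_size. */
int run_checked(size_t body_len, int *stored)
{
    unsigned char frame[4096];
    struct wpa_hdsk h;
    memset(&h, 0, sizeof h);
    size_t n = build_eapol_frame(frame, sizeof frame, body_len);
    if (n == 0)
        return -3;
    int rc = store_eapol_checked(&h, frame, n);
    if (rc == 0 && stored)
        *stored = h.eapol_size;
    return rc;
}

int main(void)
{
    int stored = 0;
    printf("121-byte body: rc=%d, eapol_size=%d\n", run_checked(121, &stored), stored);
    printf("600-byte body: rc=%d (rejected; the unchecked copy would memcpy 600 bytes into %d)\n",
           run_checked(600, &stored), EAPOL_MAX);
    return 0;
}
```

The only difference between the two store functions is the comparison against sizeof h->eapol; the unchecked version is kept here to show how little separates the two, and is deliberately never fed an oversized frame.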