From: Gustavo Zacarias Date: Wed, 6 Nov 2013 12:15:23 +0000 (-0300) Subject: aircrack-ng: add security patch for CVE-2010-1159 X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=ac147527e2681737ed096466b4f773d9a39bef2d;p=buildroot.git aircrack-ng: add security patch for CVE-2010-1159 Signed-off-by: Gustavo Zacarias Signed-off-by: Peter Korsgaard --- diff --git a/package/aircrack-ng/aircrack-ng-01-CVE-2010-1159.patch b/package/aircrack-ng/aircrack-ng-01-CVE-2010-1159.patch new file mode 100644 index 0000000000..634a01e391 --- /dev/null +++ b/package/aircrack-ng/aircrack-ng-01-CVE-2010-1159.patch @@ -0,0 +1,24 @@ +Fix for buffer overflow CVE-2010-1159. + +Signed-off-by: Gustavo Zacarias + +--- a/src/airodump-ng.c ++++ b/src/airodump-ng.c +@@ -2126,7 +2126,7 @@ + st_cur->wpa.eapol_size = ( h80211[z + 2] << 8 ) + + h80211[z + 3] + 4; + +- if ((int)pkh.len - z < st_cur->wpa.eapol_size || st_cur->wpa.eapol_size == 0) ++ if (caplen - z < st_cur->wpa.eapol_size || st_cur->wpa.eapol_size == 0 || caplen - z < 81 + 16 || st_cur->wpa.eapol_size > 256) + { + // Ignore the packet trying to crash us. + goto write_packet; +@@ -2158,7 +2158,7 @@ + st_cur->wpa.eapol_size = ( h80211[z + 2] << 8 ) + + h80211[z + 3] + 4; + +- if ((int)pkh.len - z < st_cur->wpa.eapol_size || st_cur->wpa.eapol_size == 0) ++ if (caplen - z < st_cur->wpa.eapol_size || st_cur->wpa.eapol_size == 0 || caplen - z < 81 + 16 || st_cur->wpa.eapol_size > 256) + { + // Ignore the packet trying to crash us. + goto write_packet;