From ac147527e2681737ed096466b4f773d9a39bef2d Mon Sep 17 00:00:00 2001
From: Gustavo Zacarias
Date: Wed, 6 Nov 2013 09:15:23 -0300
Subject: [PATCH] aircrack-ng: add security patch for CVE-2010-1159
Signed-off-by: Gustavo Zacarias
Signed-off-by: Peter Korsgaard
---
.../aircrack-ng-01-CVE-2010-1159.patch | 24 +++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 package/aircrack-ng/aircrack-ng-01-CVE-2010-1159.patch
diff --git a/package/aircrack-ng/aircrack-ng-01-CVE-2010-1159.patch b/package/aircrack-ng/aircrack-ng-01-CVE-2010-1159.patch
new file mode 100644
index 0000000000..634a01e391
--- /dev/null
+++ b/package/aircrack-ng/aircrack-ng-01-CVE-2010-1159.patch
@@ -0,0 +1,24 @@
+Fix for buffer overflow CVE-2010-1159.
+
+Signed-off-by: Gustavo Zacarias
+
+--- a/src/airodump-ng.c
++++ b/src/airodump-ng.c
+@@ -2126,7 +2126,7 @@
+ st_cur->wpa.eapol_size = ( h80211[z + 2] << 8 )
+ + h80211[z + 3] + 4;
+
+- if ((int)pkh.len - z < st_cur->wpa.eapol_size || st_cur->wpa.eapol_size == 0)
++ if (caplen - z < st_cur->wpa.eapol_size || st_cur->wpa.eapol_size == 0 || caplen - z < 81 + 16 || st_cur->wpa.eapol_size > 256)
+ {
+ // Ignore the packet trying to crash us.
+ goto write_packet;
+@@ -2158,7 +2158,7 @@
+ st_cur->wpa.eapol_size = ( h80211[z + 2] << 8 )
+ + h80211[z + 3] + 4;
+
+- if ((int)pkh.len - z < st_cur->wpa.eapol_size || st_cur->wpa.eapol_size == 0)
++ if (caplen - z < st_cur->wpa.eapol_size || st_cur->wpa.eapol_size == 0 || caplen - z < 81 + 16 || st_cur->wpa.eapol_size > 256)
+ {
+ // Ignore the packet trying to crash us.
+ goto write_packet;
--
2.30.2
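Review bot: Both rewritten checks in src/airodump-ng.c (the hunks at 2126 and 2158) reject a bad EAPOL length only after the packet-derived value has already been written to `st_cur->wpa.eapol_size`, and the reject branch jumps to `write_packet` without clearing it. Any later reader of that field, which is not visible in these hunks, would still see the out-of-range size, so the branch should reset it with `st_cur->wpa.eapol_size = 0;` before `goto write_packet;`. The limits `81 + 16` and `256` are bare literals; 256 presumably mirrors the size of the destination EAPOL buffer, so `sizeof(st_cur->wpa.eapol)` (field name to be confirmed against the struct) plus a one-line comment on the minimum key-frame length would keep the check tied to the buffer. `caplen` and `z` are declared outside the hunks; if `caplen` is unsigned and `z` can exceed it, `caplen - z` wraps and passes both comparisons, so the types are worth confirming.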