summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGustavo Zacarias <gustavo@zacarias.com.ar>2013-11-06 12:15:23 (GMT)
committer Peter Korsgaard <peter@korsgaard.com>2013-11-06 12:32:18 (GMT)
commitac147527e2681737ed096466b4f773d9a39bef2d (patch)
tree59e4d5add2f368201640f6c13ecb8e22a0840f84
parent6f05d5ac8f34b30f87408132775dac74648d5b33 (diff)
downloadbuildroot-ac147527e2681737ed096466b4f773d9a39bef2d.tar.gz
buildroot-ac147527e2681737ed096466b4f773d9a39bef2d.tar.bz2
aircrack-ng: add security patch for CVE-2010-1159
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-rw-r--r--package/aircrack-ng/aircrack-ng-01-CVE-2010-1159.patch24
1 files changed, 24 insertions, 0 deletions
diff --git a/package/aircrack-ng/aircrack-ng-01-CVE-2010-1159.patch b/package/aircrack-ng/aircrack-ng-01-CVE-2010-1159.patch
new file mode 100644
index 0000000..634a01e
--- /dev/null
+++ b/package/aircrack-ng/aircrack-ng-01-CVE-2010-1159.patch
@@ -0,0 +1,24 @@
+Fix for buffer overflow CVE-2010-1159.
+
+Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
+
+--- a/src/airodump-ng.c
++++ b/src/airodump-ng.c
+@@ -2126,7 +2126,7 @@
+ st_cur->wpa.eapol_size = ( h80211[z + 2] << 8 )
+ + h80211[z + 3] + 4;
+
+- if ((int)pkh.len - z < st_cur->wpa.eapol_size || st_cur->wpa.eapol_size == 0)
++ if (caplen - z < st_cur->wpa.eapol_size || st_cur->wpa.eapol_size == 0 || caplen - z < 81 + 16 || st_cur->wpa.eapol_size > 256)
+ {
+ // Ignore the packet trying to crash us.
+ goto write_packet;
+@@ -2158,7 +2158,7 @@
+ st_cur->wpa.eapol_size = ( h80211[z + 2] << 8 )
+ + h80211[z + 3] + 4;
+
+- if ((int)pkh.len - z < st_cur->wpa.eapol_size || st_cur->wpa.eapol_size == 0)
++ if (caplen - z < st_cur->wpa.eapol_size || st_cur->wpa.eapol_size == 0 || caplen - z < 81 + 16 || st_cur->wpa.eapol_size > 256)
+ {
+ // Ignore the packet trying to crash us.
+ goto write_packet;