Date: Mon, 2 Nov 2015 17:52:45 -0500 (EST) From: cve-assign@...re.org To: j@...fi Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: hostapd/wpa_supplicant - Incomplete WPS and P2P NFC NDEF record payload length validation -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > http://w1.fi/security/2015-5/incomplete-wps-and-p2p-nfc-ndef-record-payload-length-validation.txt >> Note: No NFC stack implementation has yet been identified with >> capability to pass the malformed NDEF record to >> hostapd/wpa_supplicant. As such, it is not known whether this issue can >> be triggered in practice. >> While such validation is likely done in the NFC >> stack that needs to parse the NFC messages before further processing, >> hostapd/wpa_supplicant should have (re)confirmed NDEF message validity >> properly. > https://w1.fi/cgit/hostap/commit/src/wps/ndef.c?id=df9079e72760ceb7ebe7fb11538200c516bdd886 >> It was possible for the 32-bit record->total_length value to end up >> wrapping around due to integer overflow if the longer form of payload >> length field is used and record->payload_length gets a value close to >> 2^32. Use CVE-2015-8041 for this integer overflow (with various possible impacts). The vendor's report is listed under "security advisories" on the http://w1.fi/security page, and it may be reasonable to interpret "hostapd/wpa_supplicant should have (re)confirmed NDEF message validity properly" to mean "hostapd/wpa_supplicant had a vulnerability because they did not (re)confirm NDEF message validity properly." In other words, although the issue is not exploitable with any known NFC implementation, the hostapd/wpa_supplicant design goal was to operate safely even if validation were missing in an NFC implementation. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJWN+iXAAoJEL54rhJi8gl5WPQP/jCEUAEaL41RDQtIr+z8AQ9K 0eCZvwc3aenIJBe77KaU8f77VHbyM3pCatheArzv1KHOEyRvezr5KKscVcYxi6bj 20NnNXpWRTLoxduU0tz/2C6mUNv05VsZaRwFe1nsPHH+yDwMfzcOD6MB5esJ64l6 ZI+SbA6QMEGzq5oflWtIrijLif/YcevYyIlVJyDQjXrnvL/+g/ZfegnWruaJjWaU CUrkAfHdeXdfk260b1hVoqncPrqIASRm2GQGhR9EzpqNWDZNcF8iGtc8LBUzSlk7 2ZmRaID4Yw57MNlFXPgn+q6scCpGWuDPAXIeJ5uBNcp4V8VVQp3zPmE9KdRzDQ1c oypYxFfsu0/B7oW/q8nIfuz/UZge+2DZD+etPaN1jG5IpSOJhFCIgiJ8PNl6UlUU yJNwXAMUy5+xBLULHyBhlsPc6sjJppnzP4YD/vPnzQ0uhKAXXIF/rjfi2fhX0lF7 iGikGwCXqejP4uwqJ7zE/oOh6oEEkSVYN4sqERsHmnhdE5teLMF/XOodv5P8afNX sPbnrh67/G7PopFTCH6N4wXZrJPbi+YzETI+GXpgu1nEOkC5jtycYqV9lKnTBjQT e6wxWk0OGdXeettqRZUhB1LTNm7OIoEjBb/+63AEyl8P6z6aqM+xXUQlNLcQHU1m GDmrNOp6JAhzg1+xMggO =1n9O -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ