oss-sec mailing list archives
Re: hostapd/wpa_supplicant - Incomplete WPS and P2P NFC NDEF record payload length validation
From: cve-assign () mitre org
Date: Mon, 2 Nov 2015 17:52:45 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
http://w1.fi/security/2015-5/incomplete-wps-and-p2p-nfc-ndef-record-payload-length-validation.txt
Note: No NFC stack implementation has yet been identified with capability to pass the malformed NDEF record to hostapd/wpa_supplicant. As such, it is not known whether this issue can be triggered in practice.
While such validation is likely done in the NFC stack that needs to parse the NFC messages before further processing, hostapd/wpa_supplicant should have (re)confirmed NDEF message validity properly.
https://w1.fi/cgit/hostap/commit/src/wps/ndef.c?id=df9079e72760ceb7ebe7fb11538200c516bdd886
It was possible for the 32-bit record->total_length value to end up wrapping around due to integer overflow if the longer form of payload length field is used and record->payload_length gets a value close to 2^32.
Use CVE-2015-8041 for this integer overflow (with various possible impacts). The vendor's report is listed under "security advisories" on the http://w1.fi/security page, and it may be reasonable to interpret "hostapd/wpa_supplicant should have (re)confirmed NDEF message validity properly" to mean "hostapd/wpa_supplicant had a vulnerability because they did not (re)confirm NDEF message validity properly." In other words, although the issue is not exploitable with any known NFC implementation, the hostapd/wpa_supplicant design goal was to operate safely even if validation were missing in an NFC implementation. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJWN+iXAAoJEL54rhJi8gl5WPQP/jCEUAEaL41RDQtIr+z8AQ9K 0eCZvwc3aenIJBe77KaU8f77VHbyM3pCatheArzv1KHOEyRvezr5KKscVcYxi6bj 20NnNXpWRTLoxduU0tz/2C6mUNv05VsZaRwFe1nsPHH+yDwMfzcOD6MB5esJ64l6 ZI+SbA6QMEGzq5oflWtIrijLif/YcevYyIlVJyDQjXrnvL/+g/ZfegnWruaJjWaU CUrkAfHdeXdfk260b1hVoqncPrqIASRm2GQGhR9EzpqNWDZNcF8iGtc8LBUzSlk7 2ZmRaID4Yw57MNlFXPgn+q6scCpGWuDPAXIeJ5uBNcp4V8VVQp3zPmE9KdRzDQ1c oypYxFfsu0/B7oW/q8nIfuz/UZge+2DZD+etPaN1jG5IpSOJhFCIgiJ8PNl6UlUU yJNwXAMUy5+xBLULHyBhlsPc6sjJppnzP4YD/vPnzQ0uhKAXXIF/rjfi2fhX0lF7 iGikGwCXqejP4uwqJ7zE/oOh6oEEkSVYN4sqERsHmnhdE5teLMF/XOodv5P8afNX sPbnrh67/G7PopFTCH6N4wXZrJPbi+YzETI+GXpgu1nEOkC5jtycYqV9lKnTBjQT e6wxWk0OGdXeettqRZUhB1LTNm7OIoEjBb/+63AEyl8P6z6aqM+xXUQlNLcQHU1m GDmrNOp6JAhzg1+xMggO =1n9O -----END PGP SIGNATURE-----
Current thread:
- Re: hostapd/wpa_supplicant - Incomplete WPS and P2P NFC NDEF record payload length validation Salvatore Bonaccorso (Oct 30)
- <Possible follow-ups>
- Re: hostapd/wpa_supplicant - Incomplete WPS and P2P NFC NDEF record payload length validation cve-assign (Nov 02)