author stsp <stsp@openbsd.org> 2020-02-18 08:29:35 +0000
committer stsp <stsp@openbsd.org> 2020-02-18 08:29:35 +0000
commit 774cd68c72db9a16e7653dacd99590787afb74e6 (patch)
tree 7e5a38608af7d635a1c935db9188853925a1a59a /usr.bin/ssh/ssh.c
parent Add IPv6 support to umb(4).
Fix an mbuf corruption issue which occurs in net80211 hostap mode.

When sizing a memory allocation for a probe response frame, the AP used the SSID length stored in the node structure which represents the client, but used the actual length of the SSID when copying it into the frame. If the actual length is sufficiently large this will result in corruption of an adjacent mbuf on the free list since m->m_next will be overwritten with data written to the tail of the probe response frame.

Bad things happen later on when the adjacent mbuf is used. Sometimes the corruption is detected by mbufpl's use-after-free checking, at other times we end up crashing somewhere in the network stack.

To prevent such a mistake from occurring again I am removing the 'ni' argument from ieee80211_get_probe_resp() altogether. It is not needed.

A quick workaround is to configure a short SSID.

Debugged with help from claudio, kettenis, and dlg.

ok claudio
Diffstat (limited to 'usr.bin/ssh/ssh.c')
0 files changed, 0 insertions, 0 deletions
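
The length mismatch described in the commit message, reduced to a user-space sketch. This is an added example, not the OpenBSD net80211 code: `struct frame`, `frame_put`, `build`, both `probe_resp_*` functions and `sample_ssid` are hypothetical, and the frame is simplified to the fixed fields plus the SSID element. A bounds-checked append turns the write past the allocation into an error return.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SSID_MAX  32  /* an 802.11 SSID element carries at most 32 bytes */
#define FIXED_LEN 12  /* timestamp (8) + beacon interval (2) + capability (2) */

const uint8_t sample_ssid[SSID_MAX] = "constructed-sample-ssid"; /* constructed */
struct frame { uint8_t *buf; size_t cap, len; };   /* hypothetical frame buffer */

/* Append n bytes only if they fit in what was allocated. */
static int frame_put(struct frame *f, const void *p, size_t n)
{
    if (n > f->cap - f->len)   /* len <= cap always holds, so no underflow */
        return -1;
    memcpy(f->buf + f->len, p, n);
    f->len += n;
    return 0;
}

/* Size the buffer with sized_len, then write copy_len bytes of SSID.
 * Returns the frame length, or -1 if the frame cannot be built safely. */
static long build(const uint8_t *ssid, size_t sized_len, size_t copy_len)
{
    static const uint8_t fixed[FIXED_LEN];          /* zeroed placeholder fields */
    uint8_t hdr[2] = { 0 /* element ID: SSID */, (uint8_t)copy_len };
    struct frame f = { NULL, FIXED_LEN + 2 + sized_len, 0 };
    long ret = -1;
    if (copy_len > SSID_MAX || (f.buf = malloc(f.cap)) == NULL)
        return -1;
    if (frame_put(&f, fixed, sizeof(fixed)) == 0 &&
        frame_put(&f, hdr, sizeof(hdr)) == 0 &&
        frame_put(&f, ssid, copy_len) == 0)
        ret = (long)f.len;
    free(f.buf);
    return ret;
}

/* Mismatch pattern: sized from the length cached for the client,
 * copied with the actual SSID length. */
long probe_resp_mismatched(const uint8_t *ssid, size_t client_len, size_t actual_len)
{
    return build(ssid, client_len, actual_len);
}

/* Pattern after the fix: one length drives both the size and the copy. */
long probe_resp_single_len(const uint8_t *ssid, size_t actual_len)
{
    return build(ssid, actual_len, actual_len);
}
```
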