Vigil@nce: Linux kernel, denial of service via WiFi
August 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can send WiFi Beacon frames in order to stop the Linux kernel.
Consequences: denial of service of computer
Provenance: radio connection
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 17/08/2009
DESCRIPTION OF THE VULNERABILITY
An 802.11 host periodically scans the network, and the access point answers with a Beacon (Probe Response) frame containing the SSID (Service Set IDentifier). A Beacon can also carry optional information elements (named "IE", Information Elements), each encoded as an element ID, a length byte and a value.
The cmp_ies() function of the net/wireless/scan.c file compares received IEs. However, when the Linux kernel receives a Beacon with no IE, followed by a Beacon with one IE, a NULL pointer is dereferenced in cmp_ies().
An attacker can therefore send WiFi Beacon frames in order to stop the Linux kernel, when it scans the network.
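As an added illustration (not the kernel's cmp_ies() and not the upstream fix), the following is a simplified, NULL-safe version of the comparison the advisory describes: a missing IE on either side is treated as an ordering value instead of being dereferenced. The names find_ie and cmp_ie_safe and the sample beacons are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Locate the IE with element ID `eid` in an IE buffer (802.11 TLVs: 1-byte
 * ID, 1-byte length, value). Returns NULL when the IE is absent, the buffer
 * is NULL, or an element is truncated (treated as absent rather than read). */
const uint8_t *find_ie(uint8_t eid, const uint8_t *ies, size_t len)
{
    if (!ies)
        return NULL;
    while (len >= 2) {
        size_t elen = ies[1];
        if (elen + 2 > len)          /* truncated element: stop, do not read past end */
            return NULL;
        if (ies[0] == eid)
            return ies;
        ies += elen + 2;
        len -= elen + 2;
    }
    return NULL;
}

/* Compare IE `eid` between two scan results. The advisory's failure mode is
 * one side having no IEs at all: here every combination of present/absent
 * is handled before any pointer is dereferenced. */
int cmp_ie_safe(uint8_t eid, const uint8_t *ies1, size_t len1,
                const uint8_t *ies2, size_t len2)
{
    const uint8_t *ie1 = find_ie(eid, ies1, len1);
    const uint8_t *ie2 = find_ie(eid, ies2, len2);

    if (!ie1 && !ie2)
        return 0;                    /* absent on both sides: equal */
    if (!ie1)
        return -1;                   /* absent only on side 1 */
    if (!ie2)
        return 1;                    /* absent only on side 2 */
    if (ie1[1] != ie2[1])
        return (int)ie1[1] - (int)ie2[1];
    return memcmp(ie1 + 2, ie2 + 2, ie1[1]);
}

/* Constructed sample IE buffers: SSID IE (ID 0) with two different names.
 * A beacon carrying no IE is represented by (NULL, 0). */
static const uint8_t beacon_ssid_a[] = { 0x00, 0x04, 'h', 'o', 'm', 'e' };
static const uint8_t beacon_ssid_b[] = { 0x00, 0x04, 'w', 'o', 'r', 'k' };
static const uint8_t beacon_truncated[] = { 0x00, 0x10, 'a' };
```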