Vigil@nce: Linux kernel, infinite loop in find_ie via Wi-Fi
September 2009 by Vigil@nce
An attacker located near the computer can send a malformed Wi-Fi
frame, in order to generate an infinite loop in the find_ie()
function.
Severity: 2/4
Consequences: denial of service of computer
Provenance: radio connection
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 16/09/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The cfg80211_bss_update() function of the net/wireless/scan.c file
updates information on the BSS (Basic Service Set) of a Wi-Fi
network.
This function calls the find_ie() function, which searches an
entry containing generic "Information Elements". However, if the
Wi-Fi frame is malformed, the cfg80211_bss_update() function calls
find_ie() with a negative parameter, which generates an infinite
loop.
An attacker located near the computer can send a malformed Wi-Fi
frame, in order to generate a denial of service.
CHARACTERISTICS
Identifiers: BID-36421, VIGILANCE-VUL-9028
http://vigilance.fr/vulnerability/Linux-kernel-infinite-loop-in-find-ie-via-Wi-Fi-9028