syn_lwnheadline: Wi-Fi software security bug could leave Android, Windows, Linux open to attack (Ars Technica)

Wi-Fi software security bug could leave Android, Windows, Linux open to attack (Ars Technica)
Ars Technica reports
on a wpa_supplicant bug
that might leave Linux and other systems open to remote code execution.
"That's because the code fails to check the length of incoming SSID
information and writes information beyond the valid 32 octets of data to
memory beyond the range it was allocated. SSID information 'is transmitted
in an element that has a 8-bit length field and potential maximum payload
length of 255 octets,' [wpa_supplicant maintainer Jouni] Malinen wrote,
and the code 'was not sufficiently verifying the payload length on one of
the code paths using the SSID received from a peer device. This can result
in copying arbitrary data from an attacker to a fixed length buffer of 32
bytes (i.e., a possible overflow of up to 223 bytes). The overflow can
override a couple of variables in the struct, including a pointer that gets
freed. In addition, about 150 bytes (the exact length depending on
architecture) can be written beyond the end of the heap
allocation.'"