Ars Technica reports on a wpa_supplicant bug that might leave Linux and other systems open to remote code execution.
That's because the code fails to check the length of incoming SSID information and writes information beyond the valid 32 octets of data to memory beyond the range it was allocated. SSID information 'is transmitted in an element that has a 8-bit length field and potential maximum payload length of 255 octets,' [wpa_supplicant maintainer Jouni] Malinen wrote, and the code 'was not sufficiently verifying the payload length on one of the code paths using the SSID received from a peer device. This can result in copying arbitrary data from an attacker to a fixed length buffer of 32 bytes (i.e., a possible overflow of up to 223 bytes). The overflow can override a couple of variables in the struct, including a pointer that gets freed. In addition, about 150 bytes (the exact length depending on architecture) can be written beyond the end of the heap allocation.
