Wi-Fi software security bug could leave Android, Windows, Linux open to attack (Ars Technica)

Ars Technica reportson a wpa_supplicant bugthat might leave Linux and other systems open to remote code execution."That's because the code fails to check the length of incoming SSIDinformation and writes information beyond the valid 32 octets of data tomemory beyond the range it was allocated. SSID information 'is transmittedin an element that has a 8-bit length field and potential maximum payloadlength of 255 octets,' [wpa_supplicant maintainer Jouni] Malinen wrote,and the code 'was not sufficiently verifying the payload length on one ofthe code paths using the SSID received from a peer device. This can resultin copying arbitrary data from an attacker to a fixed length buffer of 32bytes (i.e., a possible overflow of up to 223 bytes). The overflow canoverride a couple of variables in the struct, including a pointer that getsfreed. In addition, about 150 bytes (the exact length depending onarchitecture) can be written beyond the end of the heapallocation.'"