Bug 281562 (CVE-2009-2844) - Kernel: cfg80211 cmp_ies() NULL pointer dereference DoS (CVE-2009-2844)
Summary: Kernel: cfg80211 cmp_ies() NULL pointer dereference DoS (CVE-2009-2844)
Status: RESOLVED FIXED
Alias: CVE-2009-2844
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://git.kernel.org/?p=linux/kernel...
Whiteboard: [ linux >= 2.6.30 < 2.6.30.5 ]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-08-15 10:08 UTC by Alex Legler (RETIRED)
Modified: 2013-09-15 19:56 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---
Description Alex Legler (RETIRED) 2009-08-15 10:08:15 UTC
Jon Oberheide <jon@oberheide.org> reported:

These pointers can be NULL, the is_mesh() case isn't ever hit in the current kernel, but cmp_ies() can be hit under certain conditions.

PoC at http://jon.oberheide.org/files/cfg80211-remote-dos.c:

    The NULL pointer dereference is triggered if the victim scans and receives
    a beacon frame that does not contain a SSID IE and then receives another
    one that does have a SSID IE. Raw frame injection via LORCON is required
    on the wireless interface. This should only affect the 2.6.30 series.
Comment 1 Alex Legler (RETIRED) 2009-08-19 09:40:56 UTC
CVE-2009-2844 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2844):
  cfg80211 in net/wireless/scan.c in the Linux kernel before 2.6.31-rc6
  allows remote attackers to cause a denial of service (crash) via a
  sequence of beacon frames in which one frame omits an SSID
  Information Element (IE) and the subsequent frame contains an SSID
  IE, which triggers a NULL pointer dereference in the cmp_ies
  function.  NOTE: a potential weakness in the is_mesh function was
  also addressed, but the relevant code was not reachable, so it is not a
  vulnerability.
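The trigger described in the report and in the CVE text (a stored scan entry without an SSID IE, then a new beacon that carries one) comes down to an asymmetric NULL check when two IE lists are compared by element ID. The following is an added illustration written for this page, not code from net/wireless/scan.c or from the reporter's PoC: the IE buffer layout (id, length, value) is the real 802.11 element format, but find_ie(), cmp_ies_vulnerable(), cmp_ies_fixed() and would_deref_null() are simplified reconstructions of the described logic and the sample buffers are constructed, not captured frames.

```c
/* Added example: minimal model of the cfg80211 IE comparison this bug
 * describes.  Not the kernel's own code; function bodies are assumptions
 * built from the bug text, not a copy of net/wireless/scan.c. */
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WLAN_EID_SSID 0   /* 802.11 element ID for the SSID IE */

/* Walk a TLV information-element buffer and return the first element
 * with ID `num`, or NULL when it is absent or the buffer is truncated. */
static const uint8_t *find_ie(uint8_t num, const uint8_t *ies, size_t len)
{
    size_t pos = 0;
    while (pos + 2 <= len) {
        uint8_t id = ies[pos];
        uint8_t elen = ies[pos + 1];
        if (pos + 2 + elen > len)
            return NULL;              /* element runs past the buffer */
        if (id == num)
            return ies + pos;
        pos += 2 + elen;
    }
    return NULL;
}

static size_t min_len(uint8_t a, uint8_t b) { return a < b ? a : b; }

/* Vulnerable shape (assumed): only ie1 is NULL-checked.  When the new
 * BSS carries an SSID IE (ie1 != NULL) but the stored one does not
 * (ie2 == NULL), ie2[1] dereferences NULL.  Never call this with the
 * second list lacking the element; it exists here for comparison only. */
static int cmp_ies_vulnerable(uint8_t num, const uint8_t *ies1, size_t len1,
                              const uint8_t *ies2, size_t len2)
{
    const uint8_t *ie1 = find_ie(num, ies1, len1);
    const uint8_t *ie2 = find_ie(num, ies2, len2);
    int r;

    if (!ie1 && !ie2)
        return 0;
    if (!ie1)
        return -1;
    /* no `if (!ie2)` guard: NULL dereference on the line below */
    r = memcmp(ie1 + 2, ie2 + 2, min_len(ie1[1], ie2[1]));
    if (r == 0 && ie1[1] != ie2[1])
        return ie2[1] - ie1[1];
    return r;
}

/* Hardened form: both absent compares equal, a missing element on either
 * side orders before a present one, and memcmp is only reached when both
 * pointers are valid. */
static int cmp_ies_fixed(uint8_t num, const uint8_t *ies1, size_t len1,
                         const uint8_t *ies2, size_t len2)
{
    const uint8_t *ie1 = find_ie(num, ies1, len1);
    const uint8_t *ie2 = find_ie(num, ies2, len2);
    int r;

    if (!ie1 && !ie2)
        return 0;
    if (!ie1)
        return -1;
    if (!ie2)
        return 1;
    r = memcmp(ie1 + 2, ie2 + 2, min_len(ie1[1], ie2[1]));
    if (r == 0 && ie1[1] != ie2[1])
        return ie2[1] - ie1[1];
    return r;
}

/* Returns 1 when this pair of IE lists would take the crashing path in
 * the vulnerable comparison (first has the element, second lacks it). */
static int would_deref_null(uint8_t num, const uint8_t *ies1, size_t len1,
                            const uint8_t *ies2, size_t len2)
{
    return find_ie(num, ies1, len1) != NULL && find_ie(num, ies2, len2) == NULL;
}

/* Constructed sample IE lists (hypothetical beacons, not captured frames):
 * SSID "open" followed by a Supported Rates IE, SSID "open1", and a list
 * with Supported Rates only, i.e. no SSID IE at all. */
static const uint8_t ies_ssid_open[]  = { 0x00, 0x04, 'o', 'p', 'e', 'n', 0x01, 0x01, 0x82 };
static const uint8_t ies_ssid_open1[] = { 0x00, 0x05, 'o', 'p', 'e', 'n', '1', 0x01, 0x01, 0x82 };
static const uint8_t ies_no_ssid[]    = { 0x01, 0x01, 0x82 };

int main(void)
{
    printf("crash path hit (ssid vs no-ssid): %d\n",
           would_deref_null(WLAN_EID_SSID, ies_ssid_open, sizeof ies_ssid_open,
                            ies_no_ssid, sizeof ies_no_ssid));
    printf("fixed cmp (ssid vs no-ssid): %d\n",
           cmp_ies_fixed(WLAN_EID_SSID, ies_ssid_open, sizeof ies_ssid_open,
                         ies_no_ssid, sizeof ies_no_ssid));
    return 0;
}
```

The point of the ordering in the hardened version is that the scan-result tree still needs a total order over BSS entries; treating "missing" as sorting before "present" keeps the comparison consistent in both directions without ever touching a NULL pointer.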