Software Engineering Institute

The Madwifi driver is a Linux kernel device driver for Atheros-based 802.11 a/b/g compatible wireless LAN adapters. Linux distributions may include the Madwifi driver in their default installation, or as an optional package. Commercial access points and networking equipment may also use the Madwifi driver.

A buffer overflow vulnerability has been discovered in the Madwifi driver. This overflow occurs because the driver does not properly process the information element part of probe response management frames. An attacker within radio range may be able to trigger the overflow by sending a specially-crafted 802.11 management frame to a vulnerable system. Since 802.11b and 802.11g management frames are not encrypted or authenticated, using wireless encryption (WEP/WPA) does not mitigate this vulnerability.

This vulnerability, and the patch, are documented in Madwifi's Changeset 1842:

A remote, unauthenticated attacker within 802.11 radio range may be able to execute arbitrary code with kernel privileges, or cause a denial-of-service condition.

Upgrade

The madwifi team has released an upgrade that addresses this issue. Users who do not compile their kernel from source should see the systems affected portion of this document for information about specific vendors.

Note that third party software repositories may also contain vulnerable versions of the Madwifi driver.