CVE-2015-8041

Vulnerability

Multiple integer overflows exist in the NDEF record parser of hostapd and wpa_supplicant before version 2.5 [2]. The 32-bit record->total_length value can wrap around if the payload length field is crafted to be near 2^32, bypassing bounds checks and leading to out-of-bounds reads or infinite loops [2]. This affects code used when NFC Tags or NFC connection handover trigger WPS or P2P operations.

Exploitation

An attacker must provide a malformed NDEF record via an NFC Tag or NFC connection handover, and the device's NFC stack must not perform its own validation before passing the record to hostapd/wpa_supplicant [2]. The attacker sets a large payload length field value (longer form) to trigger the integer overflow. Successful exploitation requires no authentication, but physical proximity via NFC is needed.

Impact

A successful attack causes denial of service: process termination due to buffer read overflow, or an infinite loop in ndef_parse_records() leading to resource exhaustion [2]. In some cases, the process attempts to allocate close to 2^32 bytes of heap memory, which would also likely crash the process [2].

Mitigation

Fixed in hostapd and wpa_supplicant version 2.5, released July 2015 [2]. If an NFC stack performs proper validation of NDEF record payload lengths, the vulnerability might not be reachable in practice [2]. No other workarounds are documented; users should upgrade to the patched versions.