summaryrefslogtreecommitdiffstats
path: root/meta-oe/recipes-connectivity
diff options
context:
space:
mode:
authorZhixiong Chi <zhixiong.chi@windriver.com>2016-09-26 15:53:48 +0800
committerMartin Jansa <Martin.Jansa@gmail.com>2016-10-03 19:19:55 +0200
commit47ab72fca1a13fcc659ce5ff0ea0bad58bf77e9a (patch)
tree718da35548a6eea248e92ab748722ce60c8470d6 /meta-oe/recipes-connectivity
parent510bcc875c689f386595898073de2f278f8b0fdc (diff)
downloadmeta-openembedded-47ab72fca1a13fcc659ce5ff0ea0bad58bf77e9a.tar.gz
hostapd: Security Advisory-CVE-2016-4476
Add CVE-2016-4476 patch for avoiding \n and \r characters in passphrase parameters, which allows remote attackers to cause a denial of service (daemon outage) via a crafted WPS operation. patches came from http://w1.fi/security/2016-1/ Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Diffstat (limited to 'meta-oe/recipes-connectivity')
-rw-r--r--meta-oe/recipes-connectivity/hostapd/hostapd/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch86
-rw-r--r--meta-oe/recipes-connectivity/hostapd/hostapd_2.5.bb1
2 files changed, 87 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch
new file mode 100644
index 000000000..2fc78968a
--- /dev/null
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch
@@ -0,0 +1,86 @@
1From ecbb0b3dc122b0d290987cf9c84010bbe53e1022 Mon Sep 17 00:00:00 2001
2From: Jouni Malinen <jouni@qca.qualcomm.com>
3Date: Fri, 4 Mar 2016 17:20:18 +0200
4Subject: [PATCH 1/1] WPS: Reject a Credential with invalid passphrase
5
6WPA/WPA2-Personal passphrase is not allowed to include control
7characters. Reject a Credential received from a WPS Registrar both as
8STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or
9WPA2PSK authentication type and includes an invalid passphrase.
10
11This fixes an issue where hostapd or wpa_supplicant could have updated
12the configuration file PSK/passphrase parameter with arbitrary data from
13an external device (Registrar) that may not be fully trusted. Should
14such data include a newline character, the resulting configuration file
15could become invalid and fail to be parsed.
16
17Upstream-Status: Backport
18
19CVE: CVE-2016-4476
20
21Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
22Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com>
23---
24 src/utils/common.c | 12 ++++++++++++
25 src/utils/common.h | 1 +
26 src/wps/wps_attr_process.c | 10 ++++++++++
27 3 files changed, 23 insertions(+)
28
29diff --git a/src/utils/common.c b/src/utils/common.c
30index 450e2c6..27b7c02 100644
31--- a/src/utils/common.c
32+++ b/src/utils/common.c
33@@ -697,6 +697,18 @@ int is_hex(const u8 *data, size_t len)
34 }
35
36
37+int has_ctrl_char(const u8 *data, size_t len)
38+{
39+ size_t i;
40+
41+ for (i = 0; i < len; i++) {
42+ if (data[i] < 32 || data[i] == 127)
43+ return 1;
44+ }
45+ return 0;
46+}
47+
48+
49 size_t merge_byte_arrays(u8 *res, size_t res_len,
50 const u8 *src1, size_t src1_len,
51 const u8 *src2, size_t src2_len)
52diff --git a/src/utils/common.h b/src/utils/common.h
53index 701dbb2..a972240 100644
54--- a/src/utils/common.h
55+++ b/src/utils/common.h
56@@ -488,6 +488,7 @@ const char * wpa_ssid_txt(const u8 *ssid, size_t ssid_len);
57
58 char * wpa_config_parse_string(const char *value, size_t *len);
59 int is_hex(const u8 *data, size_t len);
60+int has_ctrl_char(const u8 *data, size_t len);
61 size_t merge_byte_arrays(u8 *res, size_t res_len,
62 const u8 *src1, size_t src1_len,
63 const u8 *src2, size_t src2_len);
64diff --git a/src/wps/wps_attr_process.c b/src/wps/wps_attr_process.c
65index eadb22f..e8c4579 100644
66--- a/src/wps/wps_attr_process.c
67+++ b/src/wps/wps_attr_process.c
68@@ -229,6 +229,16 @@ static int wps_workaround_cred_key(struct wps_credential *cred)
69 cred->key_len--;
70 #endif /* CONFIG_WPS_STRICT */
71 }
72+
73+
74+ if (cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK) &&
75+ (cred->key_len < 8 || has_ctrl_char(cred->key, cred->key_len))) {
76+ wpa_printf(MSG_INFO, "WPS: Reject credential with invalid WPA/WPA2-Personal passphrase");
77+ wpa_hexdump_ascii_key(MSG_INFO, "WPS: Network Key",
78+ cred->key, cred->key_len);
79+ return -1;
80+ }
81+
82 return 0;
83 }
84
85--
861.9.1
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd_2.5.bb b/meta-oe/recipes-connectivity/hostapd/hostapd_2.5.bb
index c38e20a72..ab01235ec 100644
--- a/meta-oe/recipes-connectivity/hostapd/hostapd_2.5.bb
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd_2.5.bb
@@ -16,6 +16,7 @@ SRC_URI = " \
16 file://defconfig \ 16 file://defconfig \
17 file://init \ 17 file://init \
18 file://hostapd.service \ 18 file://hostapd.service \
19 file://0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch \
19" 20"
20 21
21S = "${WORKDIR}/hostapd-${PV}" 22S = "${WORKDIR}/hostapd-${PV}"