3 files changed, 173 insertions, 0 deletions
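--- /dev/null
+++ b/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41860.patch
@@ -0,0 +1,118 @@
+From f1cdbb33ec61c4a64a32e107d4d02f936051c708 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Mon, 7 Feb 2022 22:26:05 -0500
+Subject: [PATCH] it's probably wrong to be completely retarded. Let's fix
+that.
+
+CVE: CVE-2022-41860
+
+Upstream-Status: Backport
+[https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a32e107d4d02f936051c708]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+src/modules/rlm_eap/libeap/eapsimlib.c | 69 +++++++++++++++++++-------
+1 file changed, 52 insertions(+), 17 deletions(-)
+
+diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c
+index cf1e8a7dd9..e438a844ea 100644
+--- a/src/modules/rlm_eap/libeap/eapsimlib.c
++++ b/src/modules/rlm_eap/libeap/eapsimlib.c
+@@ -307,42 +307,77 @@ int unmap_eapsim_basictypes(RADIUS_PACKET *r,
+newvp->vp_length = 1;
+fr_pair_add(&(r->vps), newvp);
+
++ /*
++ * EAP-SIM has a 1 octet of subtype, and 2 octets
++ * reserved.
++ */
+attr += 3;
+attrlen -= 3;
+
+- /* now, loop processing each attribute that we find */
+- while(attrlen > 0) {
++ /*
++ * Loop over each attribute. The format is:
++ *
++ * 1 octet of type
++ * 1 octet of length (value 1..255)
++ * ((4 * length) - 2) octets of data.
++ */
++ while (attrlen > 0) {
+uint8_t *p;
+
+- if(attrlen < 2) {
++ if (attrlen < 2) {
+fr_strerror_printf("EAP-Sim attribute %d too short: %d < 2", es_attribute_count, attrlen);
+return 0;
+}
+
++ if (!attr[1]) {
++ fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", eapsim_attribute,
++ es_attribute_count);
++ return 0;
++ }
++
+eapsim_attribute = attr[0];
+eapsim_len = attr[1] * 4;
+
++ /*
++ * The length includes the 2-byte header.
++ */
+if (eapsim_len > attrlen) {
+fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length longer than data (%d > %d)",
+eapsim_attribute, es_attribute_count, eapsim_len, attrlen);
+return 0;
+}
+
+- if(eapsim_len > MAX_STRING_LEN) {
+- eapsim_len = MAX_STRING_LEN;
+- }
+- if (eapsim_len < 2) {
+- fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute,
+- es_attribute_count);
+- return 0;
+- }
++ newvp = fr_pair_afrom_num(r, eapsim_attribute + PW_EAP_SIM_BASE, 0);
++ if (!newvp) {
++ /*
++ * RFC 4186 Section 8.1 says 0..127 are
++ * "non-skippable". If one such
++ * attribute is found and we don't
++ * understand it, the server has to send:
++ *
++ * EAP-Request/SIM/Notification packet with an
++ * (AT_NOTIFICATION code, which implies general failure ("General
++ * failure after authentication" (0), or "General failure" (16384),
++ * depending on the phase of the exchange), which terminates the
++ * authentication exchange.
++ */
++ if (eapsim_attribute <= 127) {
++ fr_strerror_printf("Unknown mandatory attribute %d, failing",
++ eapsim_attribute);
++ return 0;
++ }
+
+- newvp = fr_pair_afrom_num(r, eapsim_attribute+PW_EAP_SIM_BASE, 0);
+- newvp->vp_length = eapsim_len-2;
+- newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
+- memcpy(p, &attr[2], eapsim_len-2);
+- fr_pair_add(&(r->vps), newvp);
+- newvp = NULL;
++ } else {
++ /*
++ * It's known, ccount for header, and
++ * copy the value over.
++ */
++ newvp->vp_length = eapsim_len - 2;
++
++ newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
++ memcpy(p, &attr[2], newvp->vp_length);
++ fr_pair_add(&(r->vps), newvp);
++ }
+
+/* advance pointers, decrement length */
+attr += eapsim_len;
+--
+2.25.1
+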
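Review bot: In the backported eapsimlib.c loop, the new `if (!attr[1])` branch formats its error with `eapsim_attribute` before `eapsim_attribute = attr[0];` has run for this iteration, so the message names the previous attribute (and on the first pass whatever the variable held on entry, which is not visible here). Moving the assignment above the check, or printing `attr[0]` directly, keeps the log accurate for whoever triages a malformed EAP-SIM packet. Separately, the result of `talloc_array(newvp, uint8_t, newvp->vp_length)` is passed straight to `memcpy` with no NULL check; `if (!p) { talloc_free(newvp); return 0; }` would avoid dereferencing a failed allocation on a path driven by packet contents. `unmap_eapsim_basictypes` starts and ends outside the hunk.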
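--- /dev/null
+++ b/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41861.patch
@@ -0,0 +1,53 @@
+From 0ec2b39d260e08e4c3464f6b95005821dc559c62 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Mon, 28 Feb 2022 10:34:15 -0500
+Subject: [PATCH] manual port of commit 5906bfa1
+
+CVE: CVE-2022-41861
+
+Upstream-Status: Backport
+[https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e08e4c3464f6b95005821dc559c62]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+src/lib/filters.c | 12 +++++++++---
+1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/filters.c b/src/lib/filters.c
+index 4868cd385d..3f3b63daee 100644
+--- a/src/lib/filters.c
++++ b/src/lib/filters.c
+@@ -1205,13 +1205,19 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
+}
+}
+} else if (filter->type == RAD_FILTER_GENERIC) {
+- int count;
++ size_t count, masklen;
++
++ masklen = ntohs(filter->u.generic.len);
++ if (masklen >= sizeof(filter->u.generic.mask)) {
++ *p = '\0';
++ return;
++ }
+
+i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset));
+p += i;
+
+/* show the mask */
+- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
++ for (count = 0; count < masklen; count++) {
+i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]);
+p += i;
+outlen -= i;
+@@ -1222,7 +1228,7 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
+outlen--;
+
+/* show the value */
+- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
++ for (count = 0; count < masklen; count++) {
+i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]);
+p += i;
+outlen -= i;
+--
+2.25.1
+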
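Review bot: The remaining-space accounting in the `RAD_FILTER_GENERIC` branch of `print_abinary` is still loose after this fix: the offset is written with `i = snprintf(p, outlen, " %u ", ...); p += i;` but `outlen` is not reduced there, so the mask and value loops are told the buffer has more room than it does. Adding `outlen -= i;` after that `p += i;` would close the gap, and since `snprintf` returns the length it wanted to write, each call in this branch would ideally stop on `i < 0 || (size_t)i >= outlen` before `outlen -= i` can wrap the `size_t`. The new `masklen >= sizeof(filter->u.generic.mask)` guard bounds the reads from `mask`; it appears to assume `value` is at least as large, which the hunk does not show. The function body continues outside both hunks.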
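--- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb
+++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb
@@ -33,6 +33,8 @@ SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0
 file://radiusd-volatiles.conf \
 file://check-openssl-cmds-in-script-bootstrap.patch \
 file://0001-version.c-don-t-print-build-flags.patch \
+file://CVE-2022-41860.patch \
+file://CVE-2022-41861.patch \
 "
 
 raddbdir="${sysconfdir}/${MLPREFIX}raddb"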