diff options
author | fan.xin <fan.xin@jp.fujitsu.com> | 2015-06-30 11:21:55 +0900 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-07-01 15:40:00 +0100 |
commit | 563269fd1e326d099051720275682afd9a813857 (patch) | |
tree | 6de2623c08524d2b3fbf6cd36027e6696a311581 | |
parent | 63873d02c0b530d4f55e1bea9e0150c426ccb59e (diff) | |
download | poky-563269fd1e326d099051720275682afd9a813857.tar.gz |
wpa-supplicant: Fix CVE-2015-4142
wpa-supplicant: backport patch to fix CVE-2015-4142
Backport patch to fix CVE-2015-4142. This patch is originally from:
http://w1.fi/security/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
(From OE-Core rev: 61f2a6a18dcda22d7b0e236f9150674bff2764a7)
Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch new file mode 100644 index 0000000000..882674fe5b --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch | |||
@@ -0,0 +1,45 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> | ||
4 | |||
5 | From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001 | ||
6 | From: Jouni Malinen <j@w1.fi> | ||
7 | Date: Wed, 29 Apr 2015 02:21:53 +0300 | ||
8 | Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser | ||
9 | |||
10 | The length of the WMM Action frame was not properly validated and the | ||
11 | length of the information elements (int left) could end up being | ||
12 | negative. This would result in reading significantly past the stack | ||
13 | buffer while parsing the IEs in ieee802_11_parse_elems() and while doing | ||
14 | so, resulting in segmentation fault. | ||
15 | |||
16 | This can result in an invalid frame being used for a denial of service | ||
17 | attack (hostapd process killed) against an AP with a driver that uses | ||
18 | hostapd for management frame processing (e.g., all mac80211-based | ||
19 | drivers). | ||
20 | |||
21 | Thanks to Kostya Kortchinsky of Google security team for discovering and | ||
22 | reporting this issue. | ||
23 | |||
24 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
25 | --- | ||
26 | src/ap/wmm.c | 3 +++ | ||
27 | 1 file changed, 3 insertions(+) | ||
28 | |||
29 | diff --git a/src/ap/wmm.c b/src/ap/wmm.c | ||
30 | index 6d4177c..314e244 100644 | ||
31 | --- a/src/ap/wmm.c | ||
32 | +++ b/src/ap/wmm.c | ||
33 | @@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd, | ||
34 | return; | ||
35 | } | ||
36 | |||
37 | + if (left < 0) | ||
38 | + return; /* not a valid WMM Action frame */ | ||
39 | + | ||
40 | /* extract the tspec info element */ | ||
41 | if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) { | ||
42 | hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, | ||
43 | -- | ||
44 | 1.9.1 | ||
45 | |||