summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHongxu Jia <hongxu.jia@windriver.com>2015-11-13 19:08:06 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-03-03 11:11:40 +0000
commit7d663e9c473c5e5a4ce6b09f3a0743f623faa956 (patch)
tree6ae9abd864cde3e5ee2a8876f5c7e23e4bdc6e07
parentf98b8b767d66e0e4bfa6f3e8ef7e44a4d45270e3 (diff)
downloadpoky-7d663e9c473c5e5a4ce6b09f3a0743f623faa956.tar.gz
wpa-supplicant: Fix CVE-2015-8041
Backport patch from http://w1.fi/security/2015-5/ and rebase for wpa-supplicant 2.4 (From OE-Core rev: 12520d7f729fe3d07c2f94b813994718edb2d987) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Not needed in master since the upgrade to 2.5 Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant.inc1
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch64
2 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant.inc b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant.inc
index 93a2aa8b74..4340741b5b 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant.inc
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant.inc
@@ -33,6 +33,7 @@ SRC_URI = "http://hostap.epitest.fi/releases/wpa_supplicant-${PV}.tar.gz \
33 file://0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch \ 33 file://0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch \
34 file://0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch \ 34 file://0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch \
35 file://0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch \ 35 file://0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch \
36 file://0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch \
36 " 37 "
37SRC_URI[md5sum] = "f2ed8fef72cf63d8d446a2d0a6da630a" 38SRC_URI[md5sum] = "f2ed8fef72cf63d8d446a2d0a6da630a"
38SRC_URI[sha256sum] = "eaaa5bf3055270e521b2dff64f2d203ec8040f71958b8588269a82c00c9d7b6a" 39SRC_URI[sha256sum] = "eaaa5bf3055270e521b2dff64f2d203ec8040f71958b8588269a82c00c9d7b6a"
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
new file mode 100644
index 0000000000..bc1d1e5d26
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
@@ -0,0 +1,64 @@
1From c13401c723a039971bcd91b3856d76c6041b15f2 Mon Sep 17 00:00:00 2001
2From: Jouni Malinen <j@w1.fi>
3Date: Fri, 13 Nov 2015 05:54:18 -0500
4Subject: [PATCH] NFC: Fix payload length validation in NDEF record parser
5
6It was possible for the 32-bit record->total_length value to end up
7wrapping around due to integer overflow if the longer form of payload
8length field is used and record->payload_length gets a value close to
92^32. This could result in ndef_parse_record() accepting a too large
10payload length value and the record type filter reading up to about 20
11bytes beyond the end of the buffer and potentially killing the process.
12This could also result in an attempt to allocate close to 2^32 bytes of
13heap memory and if that were to succeed, a buffer read overflow of the
14same length which would most likely result in the process termination.
15In case of record->total_length ending up getting the value 0, there
16would be no buffer read overflow, but record parsing would result in an
17infinite loop in ndef_parse_records().
18
19Any of these error cases could potentially be used for denial of service
20attacks over NFC by using a malformed NDEF record on an NFC Tag or
21sending them during NFC connection handover if the application providing
22the NDEF message to hostapd/wpa_supplicant did no validation of the
23received records. While such validation is likely done in the NFC stack
24that needs to parse the NFC messages before further processing,
25hostapd/wpa_supplicant better be prepared for any data being included
26here.
27
28Fix this by validating record->payload_length value in a way that
29detects integer overflow. (CID 122668)
30
31Signed-off-by: Jouni Malinen <j@w1.fi>
32
33Upstream-Status: Backport [from http://w1.fi/security/2015-5/]
34Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
35---
36 src/wps/ndef.c | 5 ++++-
37 1 file changed, 4 insertions(+), 1 deletion(-)
38
39diff --git a/src/wps/ndef.c b/src/wps/ndef.c
40index d45dfc8..f7f729b 100644
41--- a/src/wps/ndef.c
42+++ b/src/wps/ndef.c
43@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
44 if (size < 6)
45 return -1;
46 record->payload_length = ntohl(*(u32 *)pos);
47+ if (record->payload_length > size - 6)
48+ return -1;
49 pos += sizeof(u32);
50 }
51
52@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
53 pos += record->payload_length;
54
55 record->total_length = pos - data;
56- if (record->total_length > size)
57+ if (record->total_length > size ||
58+ record->total_length < record->payload_length)
59 return -1;
60 return 0;
61 }
62--
631.9.1
64