summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2020-07-08 21:08:01 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-08-04 22:17:37 (GMT)
commitac2df959504b7610ba9285510999c2db5c2ffb88 (patch)
tree153a21fcc431d03b36aa893d42ca0296cc8533aa
parent0e3b8415cfc6bfcb16cc63d6ec7a43927fd752bf (diff)
downloadpoky-ac2df959504b7610ba9285510999c2db5c2ffb88.tar.gz
wpa-supplicant: Security fix CVE-2020-12695
Source: http://w1.fi/security/ Disposition: Backport from http://w1.fi/security/2020-1/ Affects <= 2.9 wpa-supplicant (From OE-Core rev: 720d29cbfce34375402c6a4c17e440ffbb2659bf) (From OE-Core rev: a341c128a5166c505ee1ec207abb87e5fa64d62e) Signed-off-by: Armin Kuster <akuster@mvista.com> (cherry picked from commit e9c696397ae1b4344b8329a13076f265980ee74d) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch151
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch62
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch50
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb5
4 files changed, 267 insertions, 1 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
new file mode 100644
index 0000000..53ad5d0
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
@@ -0,0 +1,151 @@
1From 5b78c8f961f25f4dc22d6f2b77ddd06d712cec63 Mon Sep 17 00:00:00 2001
2From: Jouni Malinen <jouni@codeaurora.org>
3Date: Wed, 3 Jun 2020 23:17:35 +0300
4Subject: [PATCH 1/3] WPS UPnP: Do not allow event subscriptions with URLs to
5 other networks
6
7The UPnP Device Architecture 2.0 specification errata ("UDA errata
816-04-2020.docx") addresses a problem with notifications being allowed
9to go out to other domains by disallowing such cases. Do such filtering
10for the notification callback URLs to avoid undesired connections to
11external networks based on subscriptions that any device in the local
12network could request when WPS support for external registrars is
13enabled (the upnp_iface parameter in hostapd configuration).
14
15Upstream-Status: Backport
16CVE: CVE-2020-12695 patch #1
17Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
18Signed-off-by: Armin Kuster <akuster@mvista.com>
19
20---
21 src/wps/wps_er.c | 2 +-
22 src/wps/wps_upnp.c | 38 ++++++++++++++++++++++++++++++++++++--
23 src/wps/wps_upnp_i.h | 3 ++-
24 3 files changed, 39 insertions(+), 4 deletions(-)
25
26Index: wpa_supplicant-2.9/src/wps/wps_er.c
27===================================================================
28--- wpa_supplicant-2.9.orig/src/wps/wps_er.c
29+++ wpa_supplicant-2.9/src/wps/wps_er.c
30@@ -1298,7 +1298,7 @@ wps_er_init(struct wps_context *wps, con
31 "with %s", filter);
32 }
33 if (get_netif_info(er->ifname, &er->ip_addr, &er->ip_addr_text,
34- er->mac_addr)) {
35+ NULL, er->mac_addr)) {
36 wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
37 "for %s. Does it have IP address?", er->ifname);
38 wps_er_deinit(er, NULL, NULL);
39Index: wpa_supplicant-2.9/src/wps/wps_upnp.c
40===================================================================
41--- wpa_supplicant-2.9.orig/src/wps/wps_upnp.c
42+++ wpa_supplicant-2.9/src/wps/wps_upnp.c
43@@ -303,6 +303,14 @@ static void subscr_addr_free_all(struct
44 }
45
46
47+static int local_network_addr(struct upnp_wps_device_sm *sm,
48+ struct sockaddr_in *addr)
49+{
50+ return (addr->sin_addr.s_addr & sm->netmask.s_addr) ==
51+ (sm->ip_addr & sm->netmask.s_addr);
52+}
53+
54+
55 /* subscr_addr_add_url -- add address(es) for one url to subscription */
56 static void subscr_addr_add_url(struct subscription *s, const char *url,
57 size_t url_len)
58@@ -381,6 +389,7 @@ static void subscr_addr_add_url(struct s
59
60 for (rp = result; rp; rp = rp->ai_next) {
61 struct subscr_addr *a;
62+ struct sockaddr_in *addr = (struct sockaddr_in *) rp->ai_addr;
63
64 /* Limit no. of address to avoid denial of service attack */
65 if (dl_list_len(&s->addr_list) >= MAX_ADDR_PER_SUBSCRIPTION) {
66@@ -389,6 +398,13 @@ static void subscr_addr_add_url(struct s
67 break;
68 }
69
70+ if (!local_network_addr(s->sm, addr)) {
71+ wpa_printf(MSG_INFO,
72+ "WPS UPnP: Ignore a delivery URL that points to another network %s",
73+ inet_ntoa(addr->sin_addr));
74+ continue;
75+ }
76+
77 a = os_zalloc(sizeof(*a) + alloc_len);
78 if (a == NULL)
79 break;
80@@ -889,11 +905,12 @@ static int eth_get(const char *device, u
81 * @net_if: Selected network interface name
82 * @ip_addr: Buffer for returning IP address in network byte order
83 * @ip_addr_text: Buffer for returning a pointer to allocated IP address text
84+ * @netmask: Buffer for returning netmask or %NULL if not needed
85 * @mac: Buffer for returning MAC address
86 * Returns: 0 on success, -1 on failure
87 */
88 int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
89- u8 mac[ETH_ALEN])
90+ struct in_addr *netmask, u8 mac[ETH_ALEN])
91 {
92 struct ifreq req;
93 int sock = -1;
94@@ -919,6 +936,19 @@ int get_netif_info(const char *net_if, u
95 in_addr.s_addr = *ip_addr;
96 os_snprintf(*ip_addr_text, 16, "%s", inet_ntoa(in_addr));
97
98+ if (netmask) {
99+ os_memset(&req, 0, sizeof(req));
100+ os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
101+ if (ioctl(sock, SIOCGIFNETMASK, &req) < 0) {
102+ wpa_printf(MSG_ERROR,
103+ "WPS UPnP: SIOCGIFNETMASK failed: %d (%s)",
104+ errno, strerror(errno));
105+ goto fail;
106+ }
107+ addr = (struct sockaddr_in *) &req.ifr_netmask;
108+ netmask->s_addr = addr->sin_addr.s_addr;
109+ }
110+
111 #ifdef __linux__
112 os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
113 if (ioctl(sock, SIOCGIFHWADDR, &req) < 0) {
114@@ -1025,11 +1055,15 @@ static int upnp_wps_device_start(struct
115
116 /* Determine which IP and mac address we're using */
117 if (get_netif_info(net_if, &sm->ip_addr, &sm->ip_addr_text,
118- sm->mac_addr)) {
119+ &sm->netmask, sm->mac_addr)) {
120 wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
121 "for %s. Does it have IP address?", net_if);
122 goto fail;
123 }
124+ wpa_printf(MSG_DEBUG, "WPS UPnP: Local IP address %s netmask %s hwaddr "
125+ MACSTR,
126+ sm->ip_addr_text, inet_ntoa(sm->netmask),
127+ MAC2STR(sm->mac_addr));
128
129 /* Listen for incoming TCP connections so that others
130 * can fetch our "xml files" from us.
131Index: wpa_supplicant-2.9/src/wps/wps_upnp_i.h
132===================================================================
133--- wpa_supplicant-2.9.orig/src/wps/wps_upnp_i.h
134+++ wpa_supplicant-2.9/src/wps/wps_upnp_i.h
135@@ -128,6 +128,7 @@ struct upnp_wps_device_sm {
136 u8 mac_addr[ETH_ALEN]; /* mac addr of network i.f. we use */
137 char *ip_addr_text; /* IP address of network i.f. we use */
138 unsigned ip_addr; /* IP address of network i.f. we use (host order) */
139+ struct in_addr netmask;
140 int multicast_sd; /* send multicast messages over this socket */
141 int ssdp_sd; /* receive discovery UPD packets on socket */
142 int ssdp_sd_registered; /* nonzero if we must unregister */
143@@ -158,7 +159,7 @@ struct subscription * subscription_find(
144 const u8 uuid[UUID_LEN]);
145 void subscr_addr_delete(struct subscr_addr *a);
146 int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
147- u8 mac[ETH_ALEN]);
148+ struct in_addr *netmask, u8 mac[ETH_ALEN]);
149
150 /* wps_upnp_ssdp.c */
151 void msearchreply_state_machine_stop(struct advertisement_state_machine *a);
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
new file mode 100644
index 0000000..5964085
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
@@ -0,0 +1,62 @@
1From f7d268864a2660b7239b9a8ff5ad37faeeb751ba Mon Sep 17 00:00:00 2001
2From: Jouni Malinen <jouni@codeaurora.org>
3Date: Wed, 3 Jun 2020 22:41:02 +0300
4Subject: [PATCH 2/3] WPS UPnP: Fix event message generation using a long URL
5 path
6
7More than about 700 character URL ended up overflowing the wpabuf used
8for building the event notification and this resulted in the wpabuf
9buffer overflow checks terminating the hostapd process. Fix this by
10allocating the buffer to be large enough to contain the full URL path.
11However, since that around 700 character limit has been the practical
12limit for more than ten years, start explicitly enforcing that as the
13limit or the callback URLs since any longer ones had not worked before
14and there is no need to enable them now either.
15
16Upstream-Status: Backport
17CVE: CVE-2020-12695 patch #2
18Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
19Signed-off-by: Armin Kuster <akuster@mvista.com>
20
21---
22 src/wps/wps_upnp.c | 9 +++++++--
23 src/wps/wps_upnp_event.c | 3 ++-
24 2 files changed, 9 insertions(+), 3 deletions(-)
25
26diff --git a/src/wps/wps_upnp.c b/src/wps/wps_upnp.c
27index 7d4b7439940e..ab685d52ecab 100644
28--- a/src/wps/wps_upnp.c
29+++ b/src/wps/wps_upnp.c
30@@ -328,9 +328,14 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
31 int rerr;
32 size_t host_len, path_len;
33
34- /* url MUST begin with http: */
35- if (url_len < 7 || os_strncasecmp(url, "http://", 7))
36+ /* URL MUST begin with HTTP scheme. In addition, limit the length of
37+ * the URL to 700 characters which is around the limit that was
38+ * implicitly enforced for more than 10 years due to a bug in
39+ * generating the event messages. */
40+ if (url_len < 7 || os_strncasecmp(url, "http://", 7) || url_len > 700) {
41+ wpa_printf(MSG_DEBUG, "WPS UPnP: Reject an unacceptable URL");
42 goto fail;
43+ }
44 url += 7;
45 url_len -= 7;
46
47diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
48index d7e6edcc6503..08a23612f338 100644
49--- a/src/wps/wps_upnp_event.c
50+++ b/src/wps/wps_upnp_event.c
51@@ -147,7 +147,8 @@ static struct wpabuf * event_build_message(struct wps_event_ *e)
52 struct wpabuf *buf;
53 char *b;
54
55- buf = wpabuf_alloc(1000 + wpabuf_len(e->data));
56+ buf = wpabuf_alloc(1000 + os_strlen(e->addr->path) +
57+ wpabuf_len(e->data));
58 if (buf == NULL)
59 return NULL;
60 wpabuf_printf(buf, "NOTIFY %s HTTP/1.1\r\n", e->addr->path);
61--
622.20.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
new file mode 100644
index 0000000..8a014ef
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
@@ -0,0 +1,50 @@
1From 85aac526af8612c21b3117dadc8ef5944985b476 Mon Sep 17 00:00:00 2001
2From: Jouni Malinen <jouni@codeaurora.org>
3Date: Thu, 4 Jun 2020 21:24:04 +0300
4Subject: [PATCH 3/3] WPS UPnP: Handle HTTP initiation failures for events more
5 properly
6
7While it is appropriate to try to retransmit the event to another
8callback URL on a failure to initiate the HTTP client connection, there
9is no point in trying the exact same operation multiple times in a row.
10Replve the event_retry() calls with event_addr_failure() for these cases
11to avoid busy loops trying to repeat the same failing operation.
12
13These potential busy loops would go through eloop callbacks, so the
14process is not completely stuck on handling them, but unnecessary CPU
15would be used to process the continues retries that will keep failing
16for the same reason.
17
18Upstream-Status: Backport
19CVE: CVE-2020-12695 patch #2
20Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
21Signed-off-by: Armin Kuster <akuster@mvista.com>
22
23---
24 src/wps/wps_upnp_event.c | 4 ++--
25 1 file changed, 2 insertions(+), 2 deletions(-)
26
27diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
28index 08a23612f338..c0d9e41d9a38 100644
29--- a/src/wps/wps_upnp_event.c
30+++ b/src/wps/wps_upnp_event.c
31@@ -294,7 +294,7 @@ static int event_send_start(struct subscription *s)
32
33 buf = event_build_message(e);
34 if (buf == NULL) {
35- event_retry(e, 0);
36+ event_addr_failure(e);
37 return -1;
38 }
39
40@@ -302,7 +302,7 @@ static int event_send_start(struct subscription *s)
41 event_http_cb, e);
42 if (e->http_event == NULL) {
43 wpabuf_free(buf);
44- event_retry(e, 0);
45+ event_addr_failure(e);
46 return -1;
47 }
48
49--
502.20.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
index 0e74d21..de882fa 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
@@ -25,7 +25,10 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
25 file://wpa_supplicant.conf-sane \ 25 file://wpa_supplicant.conf-sane \
26 file://99_wpa_supplicant \ 26 file://99_wpa_supplicant \
27 file://0001-replace-systemd-install-Alias-with-WantedBy.patch \ 27 file://0001-replace-systemd-install-Alias-with-WantedBy.patch \
28 file://0001-AP-Silently-ignore-management-frame-from-unexpected-.patch \ 28 file://0001-AP-Silently-ignore-management-frame-from-unexpected-.patch \
29 file://0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \
30 file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \
31 file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \
29 " 32 "
30SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190" 33SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"
31SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17" 34SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"