author: Joshua Lock <joshua.lock@collabora.co.uk> 2015-08-18 13:38:52 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-09-01 21:19:40 +0100
commit: 2adb210c8cc5a11bb899e7dc76c31159ff3d4116
tree: 8f3a8249f845e3f99eaf1aa092d9bbc7f3cdfe00
parent: 982baf1130c41455fc3687fb5647a568742342bb
wpa-supplicant: backport a patch to fix CVE-2015-1863
This fix was included in the master branch with the upgrade to 2.4, backport it to fido as the vulnerability was already present in 2.3.

(From OE-Core rev: 12fc04731d26597bfb9d9f1713c96b11c8186c43)

Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- meta/recipes-connectivity/wpa-supplicant/wpa-supplicant.inc | 1
-rw-r--r-- meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch | 47
2 files changed, 48 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant.inc b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant.inc
index 1d171ef25a..93a2aa8b74 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant.inc
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant.inc
@@ -25,6 +25,7 @@ SRC_URI = "http://hostap.epitest.fi/releases/wpa_supplicant-${PV}.tar.gz \
25 file://wpa_supplicant.conf-sane \ 25 file://wpa_supplicant.conf-sane \
26 file://99_wpa_supplicant \ 26 file://99_wpa_supplicant \
27 file://fix-libnl3-host-contamination.patch \ 27 file://fix-libnl3-host-contamination.patch \
28 file://0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch \
28 file://0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch \ 29 file://0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch \
29 file://0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch \ 30 file://0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch \
30 file://0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch \ 31 file://0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch \
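Review bot: Placement of the new SRC_URI entry (line 28 of the hunk) splits it off from the three other 0001-* CVE backport entries that follow it rather than appending it to that group; SRC_URI order does not change what gets applied, so this is cosmetic, but grouping the security backports together makes it easier to see at a glance which CVE patches the fido recipe carries. Otherwise the hunk is correct: the filename matches the new file added in the second part of this commit and the diffstat's single-line change to the .inc.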
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
new file mode 100644
index 0000000000..e108a931c0
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
@@ -0,0 +1,47 @@
1From 9ed4eee345f85e3025c33c6e20aa25696e341ccd Mon Sep 17 00:00:00 2001
2From: Jouni Malinen <jouni@qca.qualcomm.com>
3Date: Tue, 7 Apr 2015 11:32:11 +0300
4Subject: [PATCH] P2P: Validate SSID element length before copying it
5 (CVE-2015-1863)
6
7This fixes a possible memcpy overflow for P2P dev->oper_ssid in
8p2p_add_device(). The length provided by the peer device (0..255 bytes)
9was used without proper bounds checking and that could have resulted in
10arbitrary data of up to 223 bytes being written beyond the end of the
11dev->oper_ssid[] array (of which about 150 bytes would be beyond the
12heap allocation) when processing a corrupted management frame for P2P
13peer discovery purposes.
14
15This could result in corrupted state in heap, unexpected program
16behavior due to corrupted P2P peer device information, denial of service
17due to process crash, exposure of memory contents during GO Negotiation,
18and potentially arbitrary code execution.
19
20Thanks to Google security team for reporting this issue and smart
21hardware research group of Alibaba security team for discovering it.
22
23Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
24
25Upstream-Status: Backport
26
27Signed-off-by: Yue Tao <yue.tao@windriver.com>
28
29---
30 src/p2p/p2p.c | 1 +
31 1 file changed, 1 insertion(+)
32
33diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
34index f584fae..a45fe73 100644
35--- a/src/p2p/p2p.c
36+++ b/src/p2p/p2p.c
37@@ -778,6 +778,7 @@ int p2p_add_device(struct p2p_data *p2p, const u8 *addr, int freq,
38 if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0)
39 os_memcpy(dev->interface_addr, addr, ETH_ALEN);
40 if (msg.ssid &&
41+ msg.ssid[1] <= sizeof(dev->oper_ssid) &&
42 (msg.ssid[1] != P2P_WILDCARD_SSID_LEN ||
43 os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN)
44 != 0)) {
45--
461.7.9.5
47
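Review bot: The one-line condition added at line 41 of the patch, `msg.ssid[1] <= sizeof(dev->oper_ssid) &&`, is the whole fix: it bounds the peer-supplied SSID element length byte by the size of `dev->oper_ssid[]` before the `memcpy` into that array that the patch header describes, which matches the header's arithmetic (a 255-byte length against a 32-byte array leaves up to 223 bytes of overflow). Because the check is folded into the existing `if`, an over-long SSID element is silently skipped and `dev->oper_ssid` keeps its previous value rather than being rejected with a diagnostic; that is how upstream commit 9ed4eee345f85e3025c33c6e20aa25696e341ccd behaves, so the backport should stay byte-for-byte as is, but it is worth knowing when reading P2P debug output from a peer sending malformed frames. The patch file carries `Upstream-Status: Backport` together with the upstream commit id and the original Signed-off-by, which is what OE-Core's patch guidelines ask for, and the embedded diffstat (`1 file changed, 1 insertion(+)`) agrees with the single `+` line in the hunk.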