summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorZhixiong Chi <zhixiong.chi@windriver.com>2016-09-22 15:54:20 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-09-23 14:56:39 +0100
commit9b78237363b4812c3b9509959fc931e9f0c17674 (patch)
treeb3395da49bfe78c3b164ae45c74bea1950d1b8f7
parentd2259ac280bd93be3b0c9779dad1d43bb0b798a2 (diff)
downloadpoky-9b78237363b4812c3b9509959fc931e9f0c17674.tar.gz
wpa_supplicant: Security Advisory-CVE-2016-4476
Add CVE-2016-4476 patch for avoiding \n and \r characters in passphrase parameters, which allows remote attackers to cause a denial of service (daemon outage) via a crafted WPS operation. Patches came from http://w1.fi/security/2016-1/ (From OE-Core rev: ed610b68f7e19644c89d7131e34c990a02403c62) Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch86
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Remove-newlines-from-wpa_supplicant-config-network-o.patch86
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.5.bb2
3 files changed, 174 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch
new file mode 100644
index 0000000000..db222e41d4
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch
@@ -0,0 +1,86 @@
1From ecbb0b3dc122b0d290987cf9c84010bbe53e1022 Mon Sep 17 00:00:00 2001
2From: Jouni Malinen <jouni@qca.qualcomm.com>
3Date: Fri, 4 Mar 2016 17:20:18 +0200
4Subject: [PATCH 1/2] WPS: Reject a Credential with invalid passphrase
5
6WPA/WPA2-Personal passphrase is not allowed to include control
7characters. Reject a Credential received from a WPS Registrar both as
8STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or
9WPA2PSK authentication type and includes an invalid passphrase.
10
11This fixes an issue where hostapd or wpa_supplicant could have updated
12the configuration file PSK/passphrase parameter with arbitrary data from
13an external device (Registrar) that may not be fully trusted. Should
14such data include a newline character, the resulting configuration file
15could become invalid and fail to be parsed.
16
17Upstream-Status: Backport
18
19CVE: CVE-2016-4476
20
21Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
22Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com>
23---
24 src/utils/common.c | 12 ++++++++++++
25 src/utils/common.h | 1 +
26 src/wps/wps_attr_process.c | 10 ++++++++++
27 3 files changed, 23 insertions(+)
28
29diff --git a/src/utils/common.c b/src/utils/common.c
30index 450e2c6..27b7c02 100644
31--- a/src/utils/common.c
32+++ b/src/utils/common.c
33@@ -697,6 +697,18 @@ int is_hex(const u8 *data, size_t len)
34 }
35
36
37+int has_ctrl_char(const u8 *data, size_t len)
38+{
39+ size_t i;
40+
41+ for (i = 0; i < len; i++) {
42+ if (data[i] < 32 || data[i] == 127)
43+ return 1;
44+ }
45+ return 0;
46+}
47+
48+
49 size_t merge_byte_arrays(u8 *res, size_t res_len,
50 const u8 *src1, size_t src1_len,
51 const u8 *src2, size_t src2_len)
52diff --git a/src/utils/common.h b/src/utils/common.h
53index 701dbb2..a972240 100644
54--- a/src/utils/common.h
55+++ b/src/utils/common.h
56@@ -488,6 +488,7 @@ const char * wpa_ssid_txt(const u8 *ssid, size_t ssid_len);
57
58 char * wpa_config_parse_string(const char *value, size_t *len);
59 int is_hex(const u8 *data, size_t len);
60+int has_ctrl_char(const u8 *data, size_t len);
61 size_t merge_byte_arrays(u8 *res, size_t res_len,
62 const u8 *src1, size_t src1_len,
63 const u8 *src2, size_t src2_len);
64diff --git a/src/wps/wps_attr_process.c b/src/wps/wps_attr_process.c
65index eadb22f..e8c4579 100644
66--- a/src/wps/wps_attr_process.c
67+++ b/src/wps/wps_attr_process.c
68@@ -229,6 +229,16 @@ static int wps_workaround_cred_key(struct wps_credential *cred)
69 cred->key_len--;
70 #endif /* CONFIG_WPS_STRICT */
71 }
72+
73+
74+ if (cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK) &&
75+ (cred->key_len < 8 || has_ctrl_char(cred->key, cred->key_len))) {
76+ wpa_printf(MSG_INFO, "WPS: Reject credential with invalid WPA/WPA2-Personal passphrase");
77+ wpa_hexdump_ascii_key(MSG_INFO, "WPS: Network Key",
78+ cred->key, cred->key_len);
79+ return -1;
80+ }
81+
82 return 0;
83 }
84
85--
861.9.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Remove-newlines-from-wpa_supplicant-config-network-o.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Remove-newlines-from-wpa_supplicant-config-network-o.patch
new file mode 100644
index 0000000000..cc7b01ad57
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Remove-newlines-from-wpa_supplicant-config-network-o.patch
@@ -0,0 +1,86 @@
1From 0fe5a234240a108b294a87174ad197f6b5cb38e9 Mon Sep 17 00:00:00 2001
2From: Paul Stewart <pstew@google.com>
3Date: Thu, 3 Mar 2016 15:40:19 -0800
4Subject: [PATCH 2/2] Remove newlines from wpa_supplicant config network
5 output
6
7Spurious newlines output while writing the config file can corrupt the
8wpa_supplicant configuration. Avoid writing these for the network block
9parameters. This is a generic filter that cover cases that may not have
10been explicitly addressed with a more specific commit to avoid control
11characters in the psk parameter.
12
13Upstream-Status: Backport
14
15CVE: CVE-2016-4476
16
17Signed-off-by: Paul Stewart <pstew@google.com>
18Signed-off-by: Zhixiong Chi <Zhixiong.Chi.wrs.com>
19---
20 src/utils/common.c | 11 +++++++++++
21 src/utils/common.h | 1 +
22 wpa_supplicant/config.c | 15 +++++++++++++--
23 3 files changed, 25 insertions(+), 2 deletions(-)
24
25diff --git a/src/utils/common.c b/src/utils/common.c
26index 27b7c02..9856463 100644
27--- a/src/utils/common.c
28+++ b/src/utils/common.c
29@@ -709,6 +709,17 @@ int has_ctrl_char(const u8 *data, size_t len)
30 }
31
32
33+int has_newline(const char *str)
34+{
35+ while (*str) {
36+ if (*str == '\n' || *str == '\r')
37+ return 1;
38+ str++;
39+ }
40+ return 0;
41+}
42+
43+
44 size_t merge_byte_arrays(u8 *res, size_t res_len,
45 const u8 *src1, size_t src1_len,
46 const u8 *src2, size_t src2_len)
47diff --git a/src/utils/common.h b/src/utils/common.h
48index a972240..d19927b 100644
49--- a/src/utils/common.h
50+++ b/src/utils/common.h
51@@ -489,6 +489,7 @@ const char * wpa_ssid_txt(const u8 *ssid, size_t ssid_len);
52 char * wpa_config_parse_string(const char *value, size_t *len);
53 int is_hex(const u8 *data, size_t len);
54 int has_ctrl_char(const u8 *data, size_t len);
55+int has_newline(const char *str);
56 size_t merge_byte_arrays(u8 *res, size_t res_len,
57 const u8 *src1, size_t src1_len,
58 const u8 *src2, size_t src2_len);
59diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
60index fdd9643..eb97cd5 100644
61--- a/wpa_supplicant/config.c
62+++ b/wpa_supplicant/config.c
63@@ -2699,8 +2699,19 @@ char * wpa_config_get(struct wpa_ssid *ssid, const char *var)
64
65 for (i = 0; i < NUM_SSID_FIELDS; i++) {
66 const struct parse_data *field = &ssid_fields[i];
67- if (os_strcmp(var, field->name) == 0)
68- return field->writer(field, ssid);
69+ if (os_strcmp(var, field->name) == 0) {
70+ char *ret = field->writer(field, ssid);
71+
72+ if (ret && has_newline(ret)) {
73+ wpa_printf(MSG_ERROR,
74+ "Found newline in value for %s; not returning it",
75+ var);
76+ os_free(ret);
77+ ret = NULL;
78+ }
79+
80+ return ret;
81+ }
82 }
83
84 return NULL;
85--
861.9.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.5.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.5.bb
index 935c8afc9b..bfcc6cca63 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.5.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.5.bb
@@ -24,6 +24,8 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
24 file://wpa_supplicant.conf \ 24 file://wpa_supplicant.conf \
25 file://wpa_supplicant.conf-sane \ 25 file://wpa_supplicant.conf-sane \
26 file://99_wpa_supplicant \ 26 file://99_wpa_supplicant \
27 file://0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch \
28 file://0002-Remove-newlines-from-wpa_supplicant-config-network-o.patch \
27 " 29 "
28SRC_URI[md5sum] = "96ff75c3a514f1f324560a2376f13110" 30SRC_URI[md5sum] = "96ff75c3a514f1f324560a2376f13110"
29SRC_URI[sha256sum] = "cce55bae483b364eae55c35ba567c279be442ed8bab5b80a3c7fb0d057b9b316" 31SRC_URI[sha256sum] = "cce55bae483b364eae55c35ba567c279be442ed8bab5b80a3c7fb0d057b9b316"