diff options
author | Fan Xin <fan.xin@jp.fujitsu.com> | 2015-11-19 19:46:47 +0900 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-12-01 21:32:08 +0000 |
commit | 012ca02e177cd375173388d3047d5be547f13359 (patch) | |
tree | 1e091602abaa304f4100ca76ad1080aee9813541 /meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch | |
parent | 872e153410027bd9164cc89e74e19b6000a6986b (diff) | |
download | poky-012ca02e177cd375173388d3047d5be547f13359.tar.gz |
wpa-supplicant: upgrade to 2.5
wpa-supplicant: upgrade to 2.5
1. upgrade to 2.5
2. remove eight patches since they have been applied in 2.5
3. update SRC_URI, HOMEPAGE and BUGTRACKER to use w1.fi instead
(From OE-Core rev: 80af821d1240a1fc2b32379b75801571db562657)
Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch')
-rw-r--r-- | meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch | 45 |
1 files changed, 0 insertions, 45 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch deleted file mode 100644 index 882674fe5b..0000000000 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch +++ /dev/null | |||
@@ -1,45 +0,0 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> | ||
4 | |||
5 | From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001 | ||
6 | From: Jouni Malinen <j@w1.fi> | ||
7 | Date: Wed, 29 Apr 2015 02:21:53 +0300 | ||
8 | Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser | ||
9 | |||
10 | The length of the WMM Action frame was not properly validated and the | ||
11 | length of the information elements (int left) could end up being | ||
12 | negative. This would result in reading significantly past the stack | ||
13 | buffer while parsing the IEs in ieee802_11_parse_elems() and while doing | ||
14 | so, resulting in segmentation fault. | ||
15 | |||
16 | This can result in an invalid frame being used for a denial of service | ||
17 | attack (hostapd process killed) against an AP with a driver that uses | ||
18 | hostapd for management frame processing (e.g., all mac80211-based | ||
19 | drivers). | ||
20 | |||
21 | Thanks to Kostya Kortchinsky of Google security team for discovering and | ||
22 | reporting this issue. | ||
23 | |||
24 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
25 | --- | ||
26 | src/ap/wmm.c | 3 +++ | ||
27 | 1 file changed, 3 insertions(+) | ||
28 | |||
29 | diff --git a/src/ap/wmm.c b/src/ap/wmm.c | ||
30 | index 6d4177c..314e244 100644 | ||
31 | --- a/src/ap/wmm.c | ||
32 | +++ b/src/ap/wmm.c | ||
33 | @@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd, | ||
34 | return; | ||
35 | } | ||
36 | |||
37 | + if (left < 0) | ||
38 | + return; /* not a valid WMM Action frame */ | ||
39 | + | ||
40 | /* extract the tspec info element */ | ||
41 | if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) { | ||
42 | hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, | ||
43 | -- | ||
44 | 1.9.1 | ||
45 | |||