author | Fan Xin <fan.xin@jp.fujitsu.com> | 2015-08-05 11:41:32 +0900 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-09-01 21:19:40 +0100 |
commit | 982baf1130c41455fc3687fb5647a568742342bb (patch) | |
tree | 75a0e179d92ac32ac4d10cfbdc98c607d68f5268 /meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch | |
parent | 38f48913adfd640970a798a719fab6b8f1e888c5 (diff) | |
download | poky-982baf1130c41455fc3687fb5647a568742342bb.tar.gz |
wpa-supplicant: Fix CVE-2015-4141, CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146
wpa-supplicant: backport patch to fix CVE-2015-4141,
CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146
Backport patch to fix CVE-2015-4141, CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146.
This patch is originally from:
For CVE-2015-4141:
http://w1.fi/security/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
For CVE-2015-4143:
http://w1.fi/security/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
http://w1.fi/security/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
For CVE-2015-4144 and CVE-2015-4145:
http://w1.fi/security/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
http://w1.fi/security/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
For CVE-2015-4146:
http://w1.fi/security/2015-4/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch
(From OE-Core master rev: ce16e95de05db24e4e4132660d793cc7b1d890b9)
(From OE-Core rev: b236c0882d62d8aa722117a54c1ff9edec7f5a6d)
Signed-off-by: Fan Xin <fan.xin at jp.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch')
-rw-r--r-- | meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch new file mode 100644 index 0000000000..2568ea1124 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> | ||
4 | |||
5 | From 5acd23f4581da58683f3cf5e36cb71bbe4070bd7 Mon Sep 17 00:00:00 2001 | ||
6 | From: Jouni Malinen <j@w1.fi> | ||
7 | Date: Tue, 28 Apr 2015 17:08:33 +0300 | ||
8 | Subject: [PATCH] WPS: Fix HTTP chunked transfer encoding parser | ||
9 | |||
10 | strtoul() return value may end up overflowing the int h->chunk_size and | ||
11 | resulting in a negative value to be stored as the chunk_size. This could | ||
12 | result in the following memcpy operation using a very large length | ||
13 | argument which would result in a buffer overflow and segmentation fault. | ||
14 | |||
15 | This could have been used to cause a denial service by any device that | ||
16 | has been authorized for network access (either wireless or wired). This | ||
17 | would affect both the WPS UPnP functionality in a WPS AP (hostapd with | ||
18 | upnp_iface parameter set in the configuration) and WPS ER | ||
19 | (wpa_supplicant with WPS_ER_START control interface command used). | ||
20 | |||
21 | Validate the parsed chunk length value to avoid this. In addition to | ||
22 | rejecting negative values, we can also reject chunk size that would be | ||
23 | larger than the maximum configured body length. | ||
24 | |||
25 | Thanks to Kostya Kortchinsky of Google security team for discovering and | ||
26 | reporting this issue. | ||
27 | |||
28 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
29 | --- | ||
30 | src/wps/httpread.c | 7 +++++++ | ||
31 | 1 file changed, 7 insertions(+) | ||
32 | |||
33 | diff --git a/src/wps/httpread.c b/src/wps/httpread.c | ||
34 | index 2f08f37..d2855e3 100644 | ||
35 | --- a/src/wps/httpread.c | ||
36 | +++ b/src/wps/httpread.c | ||
37 | @@ -533,6 +533,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx) | ||
38 | if (!isxdigit(*cbp)) | ||
39 | goto bad; | ||
40 | h->chunk_size = strtoul(cbp, NULL, 16); | ||
41 | + if (h->chunk_size < 0 || | ||
42 | + h->chunk_size > h->max_bytes) { | ||
43 | + wpa_printf(MSG_DEBUG, | ||
44 | + "httpread: Invalid chunk size %d", | ||
45 | + h->chunk_size); | ||
46 | + goto bad; | ||
47 | + } | ||
48 | /* throw away chunk header | ||
49 | * so we have only real data | ||
50 | */ | ||
51 | -- | ||
52 | 1.9.1 | ||
53 | |||
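Review bot: The new range check in the src/wps/httpread.c hunk runs only after `h->chunk_size = strtoul(cbp, NULL, 16);` has already narrowed the unsigned long result into the int field (the patch description calls it "the int h->chunk_size"), so it tests the converted value rather than the parsed one. On builds where unsigned long is wider than int, a length that does not fit can convert to a number between 0 and h->max_bytes and be accepted instead of reaching `bad`. The stored value is still bounded, so the oversized memcpy length described in the patch message is prevented, but the parser would then disagree with the sender about where the chunk ends. Consider parsing into a local unsigned long, rejecting ERANGE, and comparing that local against h->max_bytes before assigning it to h->chunk_size. Minor: the backport header carries Upstream-Status and Signed-off-by but does not name CVE-2015-4141, which is recorded only in the commit message.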