wpa-supplicant: Fix CVE-2015-4141, CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146

wpa-supplicant: backport patch to fix CVE-2015-4141, CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146 Backport patch to fix CVE-2015-4141, CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146. This patch is originally from: For CVE-2015-4141: http://w1.fi/security/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch For CVE-2015-4143: http://w1.fi/security/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch http://w1.fi/security/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch For CVE-2015-4144 and CVE-2015-4145: http://w1.fi/security/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch http://w1.fi/security/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch For CVE-2015-4146: http://w1.fi/security/2015-4/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch (From OE-Core rev: ce16e95de05db24e4e4132660d793cc7b1d890b9) Signed-off-by: Fan Xin <fan.xin at jp.fujitsu.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Fan Xin <fan.xin@jp.fujitsu.com> 2015-08-05 11:41:32 +0900
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-08-09 00:13:59 -0700
commit: d31f89bd816cd8b2160acac2af70d9d5f13b3b5c (patch)
tree: 1b8dddf8999e50e5a366fb97afe72e289aaecda9 /meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
parent: 177d463a8ae2e2fdffe1b3ad33d48c9f84c9d435 (diff)
download: poky-d31f89bd816cd8b2160acac2af70d9d5f13b3b5c.tar.gz
1 files changed, 70 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
new file mode 100644
index 0000000000..c477c2f93c
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
@@ -0,0 +1,70 @@
+Upstream-Status: Backport
+Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
+From e28a58be26184c2a23f80b410e0997ef1bd5d578 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 1 May 2015 16:40:44 +0300
+Subject: [PATCH 2/5] EAP-pwd server: Fix payload length validation for Commit
+ and Confirm
+The length of the received Commit and Confirm message payloads was not
+checked before reading them. This could result in a buffer read
+overflow when processing an invalid message.
+Fix this by verifying that the payload is of expected length before
+processing it. In addition, enforce correct state transition sequence to
+make sure there is no unexpected behavior if receiving a Commit/Confirm
+message before the previous exchanges have been completed.
+Thanks to Kostya Kortchinsky of Google security team for discovering and
+reporting this issue.
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_server/eap_server_pwd.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
+index 66bd5d2..3189105 100644
+--- a/src/eap_server/eap_server_pwd.c
+++ b/src/eap_server/eap_server_pwd.c
+@@ -656,9 +656,21 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+        BIGNUM *x = NULL, *y = NULL, *cofactor = NULL;
+        EC_POINT *K = NULL, *point = NULL;
+        int res = 0;
+       size_t prime_len, order_len;
+ 
+        wpa_printf(MSG_DEBUG, "EAP-pwd: Received commit response");
+ 
+       prime_len = BN_num_bytes(data->grp->prime);
+       order_len = BN_num_bytes(data->grp->order);
+
+       if (payload_len != 2 * prime_len + order_len) {
+               wpa_printf(MSG_INFO,
+                          "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
+                          (unsigned int) payload_len,
+                          (unsigned int) (2 * prime_len + order_len));
+               goto fin;
+       }
+
+        if (((data->peer_scalar = BN_new()) == NULL) ||
+            ((data->k = BN_new()) == NULL) ||
+            ((cofactor = BN_new()) == NULL) ||
+@@ -774,6 +786,13 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+        u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
+        int offset;
+ 
+       if (payload_len != SHA256_MAC_LEN) {
+               wpa_printf(MSG_INFO,
+                          "EAP-pwd: Unexpected Confirm payload length %u (expected %u)",
+                          (unsigned int) payload_len, SHA256_MAC_LEN);
+               goto fin;
+       }
+
+        /* build up the ciphersuite: group | random_function | prf */
+        grp = htons(data->group_num);
+        ptr = (u8 *) &cs;
+-- 
+1.9.1
author	Fan Xin <fan.xin@jp.fujitsu.com>	2015-08-05 11:41:32 +0900
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-08-09 00:13:59 -0700
commit	d31f89bd816cd8b2160acac2af70d9d5f13b3b5c (patch)
tree	1b8dddf8999e50e5a366fb97afe72e289aaecda9 /meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
parent	177d463a8ae2e2fdffe1b3ad33d48c9f84c9d435 (diff)
download	poky-d31f89bd816cd8b2160acac2af70d9d5f13b3b5c.tar.gz

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch new file mode 100644 index 0000000000..c477c2f93c --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
@@ -0,0 +1,70 @@
	1	Upstream-Status: Backport
	2
	3	Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
	4
	5	From e28a58be26184c2a23f80b410e0997ef1bd5d578 Mon Sep 17 00:00:00 2001
	6	From: Jouni Malinen <j@w1.fi>
	7	Date: Fri, 1 May 2015 16:40:44 +0300
	8	Subject: [PATCH 2/5] EAP-pwd server: Fix payload length validation for Commit
	9	and Confirm
	10
	11	The length of the received Commit and Confirm message payloads was not
	12	checked before reading them. This could result in a buffer read
	13	overflow when processing an invalid message.
	14
	15	Fix this by verifying that the payload is of expected length before
	16	processing it. In addition, enforce correct state transition sequence to
	17	make sure there is no unexpected behavior if receiving a Commit/Confirm
	18	message before the previous exchanges have been completed.
	19
	20	Thanks to Kostya Kortchinsky of Google security team for discovering and
	21	reporting this issue.
	22
	23	Signed-off-by: Jouni Malinen <j@w1.fi>
	24	---
	25	src/eap_server/eap_server_pwd.c \| 19 +++++++++++++++++++
	26	1 file changed, 19 insertions(+)
	27
	28	diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
	29	index 66bd5d2..3189105 100644
	30	--- a/src/eap_server/eap_server_pwd.c
	31	+++ b/src/eap_server/eap_server_pwd.c
	32	@@ -656,9 +656,21 @@ eap_pwd_process_commit_resp(struct eap_sm sm, struct eap_pwd_data data,
	33	BIGNUM x = NULL, y = NULL, *cofactor = NULL;
	34	EC_POINT K = NULL, point = NULL;
	35	int res = 0;
	36	+ size_t prime_len, order_len;
	37
	38	wpa_printf(MSG_DEBUG, "EAP-pwd: Received commit response");
	39
	40	+ prime_len = BN_num_bytes(data->grp->prime);
	41	+ order_len = BN_num_bytes(data->grp->order);
	42	+
	43	+ if (payload_len != 2 * prime_len + order_len) {
	44	+ wpa_printf(MSG_INFO,
	45	+ "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
	46	+ (unsigned int) payload_len,
	47	+ (unsigned int) (2 * prime_len + order_len));
	48	+ goto fin;
	49	+ }
	50	+
	51	if (((data->peer_scalar = BN_new()) == NULL) \|\|
	52	((data->k = BN_new()) == NULL) \|\|
	53	((cofactor = BN_new()) == NULL) \|\|
	54	@@ -774,6 +786,13 @@ eap_pwd_process_confirm_resp(struct eap_sm sm, struct eap_pwd_data data,
	55	u8 conf[SHA256_MAC_LEN], cruft = NULL, ptr;
	56	int offset;
	57
	58	+ if (payload_len != SHA256_MAC_LEN) {
	59	+ wpa_printf(MSG_INFO,
	60	+ "EAP-pwd: Unexpected Confirm payload length %u (expected %u)",
	61	+ (unsigned int) payload_len, SHA256_MAC_LEN);
	62	+ goto fin;
	63	+ }
	64	+
	65	/* build up the ciphersuite: group \| random_function \| prf */
	66	grp = htons(data->group_num);
	67	ptr = (u8 *) &cs;
	68	--
	69	1.9.1
	70