author | Fan Xin <fan.xin@jp.fujitsu.com> | 2015-08-05 11:41:32 +0900 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-09-01 21:19:40 +0100 |
commit | 982baf1130c41455fc3687fb5647a568742342bb (patch) | |
tree | 75a0e179d92ac32ac4d10cfbdc98c607d68f5268 /meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch | |
parent | 38f48913adfd640970a798a719fab6b8f1e888c5 (diff) | |
wpa-supplicant: Fix CVE-2015-4141, CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146
wpa-supplicant: backport patch to fix CVE-2015-4141,
CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146
Backport patch to fix CVE-2015-4141, CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146.
This patch is originally from:
For CVE-2015-4141:
http://w1.fi/security/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
For CVE-2015-4143:
http://w1.fi/security/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
http://w1.fi/security/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
For CVE-2015-4144 and CVE-2015-4145:
http://w1.fi/security/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
http://w1.fi/security/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
For CVE-2015-4146:
http://w1.fi/security/2015-4/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch
(From OE-Core master rev: ce16e95de05db24e4e4132660d793cc7b1d890b9)
(From OE-Core rev: b236c0882d62d8aa722117a54c1ff9edec7f5a6d)
Signed-off-by: Fan Xin <fan.xin at jp.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch')
-rw-r--r-- | meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch | 54 |
1 files changed, 54 insertions, 0 deletions
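--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
@@ -0,0 +1,54 @@
+Upstream-Status: Backport
+
+Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
+
+From 3035cc2894e08319b905bd6561e8bddc8c2db9fa Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 2 May 2015 19:26:06 +0300
+Subject: [PATCH 4/5] EAP-pwd server: Fix Total-Length parsing for fragment
+reassembly
+
+The remaining number of bytes in the message could be smaller than the
+Total-Length field size, so the length needs to be explicitly checked
+prior to reading the field and decrementing the len variable. This could
+have resulted in the remaining length becoming negative and interpreted
+as a huge positive integer.
+
+In addition, check that there is no already started fragment in progress
+before allocating a new buffer for reassembling fragments. This avoid a
+potential memory leak when processing invalid message.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+src/eap_server/eap_server_pwd.c | 10 ++++++++++
+1 file changed, 10 insertions(+)
+
+diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
+index 3189105..2bfc3c2 100644
+--- a/src/eap_server/eap_server_pwd.c
++++ b/src/eap_server/eap_server_pwd.c
+@@ -942,11 +942,21 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
+* the first fragment has a total length
+*/
+if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
++ if (len < 2) {
++ wpa_printf(MSG_DEBUG,
++ "EAP-pwd: Frame too short to contain Total-Length field");
++ return;
++ }
+tot_len = WPA_GET_BE16(pos);
+wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total "
+"length = %d", tot_len);
+if (tot_len > 15000)
+return;
++ if (data->inbuf) {
++ wpa_printf(MSG_DEBUG,
++ "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
++ return;
++ }
+data->inbuf = wpabuf_alloc(tot_len);
+if (data->inbuf == NULL) {
+wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to "
+--
+1.9.1
+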
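Review bot: The patch header (the first three lines of the new file) carries `Upstream-Status: Backport` and a Signed-off-by but no CVE reference, even though the commit message ties this file to CVE-2015-4144 and CVE-2015-4145; add a `CVE: CVE-2015-4145` line (presumably the server-side one of the pair — confirm against the upstream 2015-4 advisory) so the fix stays traceable from the patch file itself rather than only from the commit message. A pointer to the upstream origin already named in the commit message, `http://w1.fi/security/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch`, would also help the next person who has to rebase or drop this backport. The embedded hunk is consistent with its description, but eap_pwd_process starts and ends outside it, so the `len` decrement the message refers to cannot be checked here.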