wpa-supplicant: Fix CVE-2015-4141, CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146

wpa-supplicant: backport patch to fix CVE-2015-4141, CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146 Backport patch to fix CVE-2015-4141, CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146. This patch is originally from: For CVE-2015-4141: http://w1.fi/security/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch For CVE-2015-4143: http://w1.fi/security/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch http://w1.fi/security/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch For CVE-2015-4144 and CVE-2015-4145: http://w1.fi/security/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch http://w1.fi/security/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch For CVE-2015-4146: http://w1.fi/security/2015-4/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch (From OE-Core master rev: ce16e95de05db24e4e4132660d793cc7b1d890b9) (From OE-Core rev: b236c0882d62d8aa722117a54c1ff9edec7f5a6d) Signed-off-by: Fan Xin <fan.xin at jp.fujitsu.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Fan Xin <fan.xin@jp.fujitsu.com> 2015-08-05 11:41:32 +0900
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-09-01 21:19:40 +0100
commit: 982baf1130c41455fc3687fb5647a568742342bb (patch)
tree: 75a0e179d92ac32ac4d10cfbdc98c607d68f5268 /meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
parent: 38f48913adfd640970a798a719fab6b8f1e888c5 (diff)
download: poky-982baf1130c41455fc3687fb5647a568742342bb.tar.gz
1 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
new file mode 100644
index 0000000000..a4c02b4745
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
@@ -0,0 +1,54 @@
+Upstream-Status: Backport
+Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
+From 3035cc2894e08319b905bd6561e8bddc8c2db9fa Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 2 May 2015 19:26:06 +0300
+Subject: [PATCH 4/5] EAP-pwd server: Fix Total-Length parsing for fragment
+ reassembly
+The remaining number of bytes in the message could be smaller than the
+Total-Length field size, so the length needs to be explicitly checked
+prior to reading the field and decrementing the len variable. This could
+have resulted in the remaining length becoming negative and interpreted
+as a huge positive integer.
+In addition, check that there is no already started fragment in progress
+before allocating a new buffer for reassembling fragments. This avoid a
+potential memory leak when processing invalid message.
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_server/eap_server_pwd.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
+index 3189105..2bfc3c2 100644
+--- a/src/eap_server/eap_server_pwd.c
+++ b/src/eap_server/eap_server_pwd.c
+@@ -942,11 +942,21 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
+         * the first fragment has a total length
+         */
+        if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
+               if (len < 2) {
+                       wpa_printf(MSG_DEBUG,
+                                  "EAP-pwd: Frame too short to contain Total-Length field");
+                       return;
+               }
+                tot_len = WPA_GET_BE16(pos);
+                wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total "
+                           "length = %d", tot_len);
+                if (tot_len > 15000)
+                        return;
+               if (data->inbuf) {
+                       wpa_printf(MSG_DEBUG,
+                                  "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
+                       return;
+               }
+                data->inbuf = wpabuf_alloc(tot_len);
+                if (data->inbuf == NULL) {
+                        wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to "
+-- 
+1.9.1
author	Fan Xin <fan.xin@jp.fujitsu.com>	2015-08-05 11:41:32 +0900
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-09-01 21:19:40 +0100
commit	982baf1130c41455fc3687fb5647a568742342bb (patch)
tree	75a0e179d92ac32ac4d10cfbdc98c607d68f5268 /meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
parent	38f48913adfd640970a798a719fab6b8f1e888c5 (diff)
download	poky-982baf1130c41455fc3687fb5647a568742342bb.tar.gz

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch new file mode 100644 index 0000000000..a4c02b4745 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
@@ -0,0 +1,54 @@
	1	Upstream-Status: Backport
	2
	3	Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
	4
	5	From 3035cc2894e08319b905bd6561e8bddc8c2db9fa Mon Sep 17 00:00:00 2001
	6	From: Jouni Malinen <j@w1.fi>
	7	Date: Sat, 2 May 2015 19:26:06 +0300
	8	Subject: [PATCH 4/5] EAP-pwd server: Fix Total-Length parsing for fragment
	9	reassembly
	10
	11	The remaining number of bytes in the message could be smaller than the
	12	Total-Length field size, so the length needs to be explicitly checked
	13	prior to reading the field and decrementing the len variable. This could
	14	have resulted in the remaining length becoming negative and interpreted
	15	as a huge positive integer.
	16
	17	In addition, check that there is no already started fragment in progress
	18	before allocating a new buffer for reassembling fragments. This avoid a
	19	potential memory leak when processing invalid message.
	20
	21	Signed-off-by: Jouni Malinen <j@w1.fi>
	22	---
	23	src/eap_server/eap_server_pwd.c \| 10 ++++++++++
	24	1 file changed, 10 insertions(+)
	25
	26	diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
	27	index 3189105..2bfc3c2 100644
	28	--- a/src/eap_server/eap_server_pwd.c
	29	+++ b/src/eap_server/eap_server_pwd.c
	30	@@ -942,11 +942,21 @@ static void eap_pwd_process(struct eap_sm sm, void priv,
	31	* the first fragment has a total length
	32	*/
	33	if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
	34	+ if (len < 2) {
	35	+ wpa_printf(MSG_DEBUG,
	36	+ "EAP-pwd: Frame too short to contain Total-Length field");
	37	+ return;
	38	+ }
	39	tot_len = WPA_GET_BE16(pos);
	40	wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total "
	41	"length = %d", tot_len);
	42	if (tot_len > 15000)
	43	return;
	44	+ if (data->inbuf) {
	45	+ wpa_printf(MSG_DEBUG,
	46	+ "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
	47	+ return;
	48	+ }
	49	data->inbuf = wpabuf_alloc(tot_len);
	50	if (data->inbuf == NULL) {
	51	wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to "
	52	--
	53	1.9.1
	54