diff options
author | Fan Xin <fan.xin@jp.fujitsu.com> | 2015-08-05 11:41:32 +0900 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-09-01 21:19:40 +0100 |
commit | 982baf1130c41455fc3687fb5647a568742342bb (patch) | |
tree | 75a0e179d92ac32ac4d10cfbdc98c607d68f5268 /meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch | |
parent | 38f48913adfd640970a798a719fab6b8f1e888c5 (diff) | |
download | poky-982baf1130c41455fc3687fb5647a568742342bb.tar.gz |
wpa-supplicant: Fix CVE-2015-4141, CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146
wpa-supplicant: backport patch to fix CVE-2015-4141,
CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146
Backport patch to fix CVE-2015-4141, CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146.
This patch is originally from:
For CVE-2015-4141:
http://w1.fi/security/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
For CVE-2015-4143:
http://w1.fi/security/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
http://w1.fi/security/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
For CVE-2015-4144 and CVE-2015-4145:
http://w1.fi/security/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
http://w1.fi/security/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
For CVE-2015-4146:
http://w1.fi/security/2015-4/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch
(From OE-Core master rev: ce16e95de05db24e4e4132660d793cc7b1d890b9)
(From OE-Core rev: b236c0882d62d8aa722117a54c1ff9edec7f5a6d)
Signed-off-by: Fan Xin <fan.xin at jp.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch')
-rw-r--r-- | meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch new file mode 100644 index 0000000000..4073600732 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch | |||
@@ -0,0 +1,36 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> | ||
4 | |||
5 | From 28a069a545b06b99eb55ad53f63f2c99e65a98f6 Mon Sep 17 00:00:00 2001 | ||
6 | From: Jouni Malinen <j@w1.fi> | ||
7 | Date: Sat, 2 May 2015 19:26:28 +0300 | ||
8 | Subject: [PATCH 5/5] EAP-pwd peer: Fix asymmetric fragmentation behavior | ||
9 | |||
10 | The L (Length) and M (More) flags needs to be cleared before deciding | ||
11 | whether the locally generated response requires fragmentation. This | ||
12 | fixes an issue where these flags from the server could have been invalid | ||
13 | for the following message. In some cases, this could have resulted in | ||
14 | triggering the wpabuf security check that would terminate the process | ||
15 | due to invalid buffer allocation. | ||
16 | |||
17 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
18 | --- | ||
19 | src/eap_peer/eap_pwd.c | 1 + | ||
20 | 1 file changed, 1 insertion(+) | ||
21 | |||
22 | diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c | ||
23 | index 1d2079b..e58b13a 100644 | ||
24 | --- a/src/eap_peer/eap_pwd.c | ||
25 | +++ b/src/eap_peer/eap_pwd.c | ||
26 | @@ -968,6 +968,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret, | ||
27 | /* | ||
28 | * we have output! Do we need to fragment it? | ||
29 | */ | ||
30 | + lm_exch = EAP_PWD_GET_EXCHANGE(lm_exch); | ||
31 | len = wpabuf_len(data->outbuf); | ||
32 | if ((len + EAP_PWD_HDR_SIZE) > data->mtu) { | ||
33 | resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD, data->mtu, | ||
34 | -- | ||
35 | 1.9.1 | ||
36 | |||