wpa-supplicant: Fix CVE-2015-4141, CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146

wpa-supplicant: backport patch to fix CVE-2015-4141, CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146 Backport patch to fix CVE-2015-4141, CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146. This patch is originally from: For CVE-2015-4141: http://w1.fi/security/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch For CVE-2015-4143: http://w1.fi/security/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch http://w1.fi/security/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch For CVE-2015-4144 and CVE-2015-4145: http://w1.fi/security/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch http://w1.fi/security/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch For CVE-2015-4146: http://w1.fi/security/2015-4/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch (From OE-Core rev: ce16e95de05db24e4e4132660d793cc7b1d890b9) Signed-off-by: Fan Xin <fan.xin at jp.fujitsu.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Fan Xin <fan.xin@jp.fujitsu.com> 2015-08-05 11:41:32 +0900
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-08-09 00:13:59 -0700
commit: d31f89bd816cd8b2160acac2af70d9d5f13b3b5c (patch)
tree: 1b8dddf8999e50e5a366fb97afe72e289aaecda9 /meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch
parent: 177d463a8ae2e2fdffe1b3ad33d48c9f84c9d435 (diff)
download: poky-d31f89bd816cd8b2160acac2af70d9d5f13b3b5c.tar.gz
1 files changed, 36 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch
new file mode 100644
index 0000000000..4073600732
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch
@@ -0,0 +1,36 @@
+Upstream-Status: Backport
+Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
+From 28a069a545b06b99eb55ad53f63f2c99e65a98f6 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 2 May 2015 19:26:28 +0300
+Subject: [PATCH 5/5] EAP-pwd peer: Fix asymmetric fragmentation behavior
+The L (Length) and M (More) flags needs to be cleared before deciding
+whether the locally generated response requires fragmentation. This
+fixes an issue where these flags from the server could have been invalid
+for the following message. In some cases, this could have resulted in
+triggering the wpabuf security check that would terminate the process
+due to invalid buffer allocation.
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_peer/eap_pwd.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
+index 1d2079b..e58b13a 100644
+--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
+@@ -968,6 +968,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
+        /*
+         * we have output! Do we need to fragment it?
+         */
+       lm_exch = EAP_PWD_GET_EXCHANGE(lm_exch);
+        len = wpabuf_len(data->outbuf);
+        if ((len + EAP_PWD_HDR_SIZE) > data->mtu) {
+                resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD, data->mtu,
+-- 
+1.9.1
author	Fan Xin <fan.xin@jp.fujitsu.com>	2015-08-05 11:41:32 +0900
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-08-09 00:13:59 -0700
commit	d31f89bd816cd8b2160acac2af70d9d5f13b3b5c (patch)
tree	1b8dddf8999e50e5a366fb97afe72e289aaecda9 /meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch
parent	177d463a8ae2e2fdffe1b3ad33d48c9f84c9d435 (diff)
download	poky-d31f89bd816cd8b2160acac2af70d9d5f13b3b5c.tar.gz

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch new file mode 100644 index 0000000000..4073600732 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch
@@ -0,0 +1,36 @@
	1	Upstream-Status: Backport
	2
	3	Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
	4
	5	From 28a069a545b06b99eb55ad53f63f2c99e65a98f6 Mon Sep 17 00:00:00 2001
	6	From: Jouni Malinen <j@w1.fi>
	7	Date: Sat, 2 May 2015 19:26:28 +0300
	8	Subject: [PATCH 5/5] EAP-pwd peer: Fix asymmetric fragmentation behavior
	9
	10	The L (Length) and M (More) flags needs to be cleared before deciding
	11	whether the locally generated response requires fragmentation. This
	12	fixes an issue where these flags from the server could have been invalid
	13	for the following message. In some cases, this could have resulted in
	14	triggering the wpabuf security check that would terminate the process
	15	due to invalid buffer allocation.
	16
	17	Signed-off-by: Jouni Malinen <j@w1.fi>
	18	---
	19	src/eap_peer/eap_pwd.c \| 1 +
	20	1 file changed, 1 insertion(+)
	21
	22	diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
	23	index 1d2079b..e58b13a 100644
	24	--- a/src/eap_peer/eap_pwd.c
	25	+++ b/src/eap_peer/eap_pwd.c
	26	@@ -968,6 +968,7 @@ eap_pwd_process(struct eap_sm sm, void priv, struct eap_method_ret *ret,
	27	/*
	28	* we have output! Do we need to fragment it?
	29	*/
	30	+ lm_exch = EAP_PWD_GET_EXCHANGE(lm_exch);
	31	len = wpabuf_len(data->outbuf);
	32	if ((len + EAP_PWD_HDR_SIZE) > data->mtu) {
	33	resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD, data->mtu,
	34	--
	35	1.9.1
	36