diff options
author | Fan Xin <fan.xin@jp.fujitsu.com> | 2015-08-05 11:41:32 +0900 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-08-09 00:13:59 -0700 |
commit | d31f89bd816cd8b2160acac2af70d9d5f13b3b5c (patch) | |
tree | 1b8dddf8999e50e5a366fb97afe72e289aaecda9 /meta/recipes-connectivity/wpa-supplicant | |
parent | 177d463a8ae2e2fdffe1b3ad33d48c9f84c9d435 (diff) | |
download | poky-d31f89bd816cd8b2160acac2af70d9d5f13b3b5c.tar.gz |
wpa-supplicant: Fix CVE-2015-4141, CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146
wpa-supplicant: backport patch to fix CVE-2015-4141,
CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146
Backport patch to fix CVE-2015-4141, CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146.
This patch is originally from:
For CVE-2015-4141:
http://w1.fi/security/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
For CVE-2015-4143:
http://w1.fi/security/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
http://w1.fi/security/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
For CVE-2015-4144 and CVE-2015-4145:
http://w1.fi/security/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
http://w1.fi/security/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
For CVE-2015-4146:
http://w1.fi/security/2015-4/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch
(From OE-Core rev: ce16e95de05db24e4e4132660d793cc7b1d890b9)
Signed-off-by: Fan Xin <fan.xin at jp.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/wpa-supplicant')
7 files changed, 352 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch new file mode 100644 index 0000000000..a2bafc8c46 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch | |||
@@ -0,0 +1,77 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> | ||
4 | |||
5 | From dd2f043c9c43d156494e33d7ce22db96e6ef42c7 Mon Sep 17 00:00:00 2001 | ||
6 | From: Jouni Malinen <j@w1.fi> | ||
7 | Date: Fri, 1 May 2015 16:37:45 +0300 | ||
8 | Subject: [PATCH 1/5] EAP-pwd peer: Fix payload length validation for Commit | ||
9 | and Confirm | ||
10 | |||
11 | The length of the received Commit and Confirm message payloads was not | ||
12 | checked before reading them. This could result in a buffer read | ||
13 | overflow when processing an invalid message. | ||
14 | |||
15 | Fix this by verifying that the payload is of expected length before | ||
16 | processing it. In addition, enforce correct state transition sequence to | ||
17 | make sure there is no unexpected behavior if receiving a Commit/Confirm | ||
18 | message before the previous exchanges have been completed. | ||
19 | |||
20 | Thanks to Kostya Kortchinsky of Google security team for discovering and | ||
21 | reporting this issue. | ||
22 | |||
23 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
24 | --- | ||
25 | src/eap_peer/eap_pwd.c | 29 +++++++++++++++++++++++++++++ | ||
26 | 1 file changed, 29 insertions(+) | ||
27 | |||
28 | diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c | ||
29 | index f2b0926..a629437 100644 | ||
30 | --- a/src/eap_peer/eap_pwd.c | ||
31 | +++ b/src/eap_peer/eap_pwd.c | ||
32 | @@ -355,6 +355,23 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data, | ||
33 | BIGNUM *mask = NULL, *x = NULL, *y = NULL, *cofactor = NULL; | ||
34 | u16 offset; | ||
35 | u8 *ptr, *scalar = NULL, *element = NULL; | ||
36 | + size_t prime_len, order_len; | ||
37 | + | ||
38 | + if (data->state != PWD_Commit_Req) { | ||
39 | + ret->ignore = TRUE; | ||
40 | + goto fin; | ||
41 | + } | ||
42 | + | ||
43 | + prime_len = BN_num_bytes(data->grp->prime); | ||
44 | + order_len = BN_num_bytes(data->grp->order); | ||
45 | + | ||
46 | + if (payload_len != 2 * prime_len + order_len) { | ||
47 | + wpa_printf(MSG_INFO, | ||
48 | + "EAP-pwd: Unexpected Commit payload length %u (expected %u)", | ||
49 | + (unsigned int) payload_len, | ||
50 | + (unsigned int) (2 * prime_len + order_len)); | ||
51 | + goto fin; | ||
52 | + } | ||
53 | |||
54 | if (((data->private_value = BN_new()) == NULL) || | ||
55 | ((data->my_element = EC_POINT_new(data->grp->group)) == NULL) || | ||
56 | @@ -554,6 +571,18 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data, | ||
57 | u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr; | ||
58 | int offset; | ||
59 | |||
60 | + if (data->state != PWD_Confirm_Req) { | ||
61 | + ret->ignore = TRUE; | ||
62 | + goto fin; | ||
63 | + } | ||
64 | + | ||
65 | + if (payload_len != SHA256_MAC_LEN) { | ||
66 | + wpa_printf(MSG_INFO, | ||
67 | + "EAP-pwd: Unexpected Confirm payload length %u (expected %u)", | ||
68 | + (unsigned int) payload_len, SHA256_MAC_LEN); | ||
69 | + goto fin; | ||
70 | + } | ||
71 | + | ||
72 | /* | ||
73 | * first build up the ciphersuite which is group | random_function | | ||
74 | * prf | ||
75 | -- | ||
76 | 1.9.1 | ||
77 | |||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch new file mode 100644 index 0000000000..2568ea1124 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> | ||
4 | |||
5 | From 5acd23f4581da58683f3cf5e36cb71bbe4070bd7 Mon Sep 17 00:00:00 2001 | ||
6 | From: Jouni Malinen <j@w1.fi> | ||
7 | Date: Tue, 28 Apr 2015 17:08:33 +0300 | ||
8 | Subject: [PATCH] WPS: Fix HTTP chunked transfer encoding parser | ||
9 | |||
10 | strtoul() return value may end up overflowing the int h->chunk_size and | ||
11 | resulting in a negative value to be stored as the chunk_size. This could | ||
12 | result in the following memcpy operation using a very large length | ||
13 | argument which would result in a buffer overflow and segmentation fault. | ||
14 | |||
15 | This could have been used to cause a denial service by any device that | ||
16 | has been authorized for network access (either wireless or wired). This | ||
17 | would affect both the WPS UPnP functionality in a WPS AP (hostapd with | ||
18 | upnp_iface parameter set in the configuration) and WPS ER | ||
19 | (wpa_supplicant with WPS_ER_START control interface command used). | ||
20 | |||
21 | Validate the parsed chunk length value to avoid this. In addition to | ||
22 | rejecting negative values, we can also reject chunk size that would be | ||
23 | larger than the maximum configured body length. | ||
24 | |||
25 | Thanks to Kostya Kortchinsky of Google security team for discovering and | ||
26 | reporting this issue. | ||
27 | |||
28 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
29 | --- | ||
30 | src/wps/httpread.c | 7 +++++++ | ||
31 | 1 file changed, 7 insertions(+) | ||
32 | |||
33 | diff --git a/src/wps/httpread.c b/src/wps/httpread.c | ||
34 | index 2f08f37..d2855e3 100644 | ||
35 | --- a/src/wps/httpread.c | ||
36 | +++ b/src/wps/httpread.c | ||
37 | @@ -533,6 +533,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx) | ||
38 | if (!isxdigit(*cbp)) | ||
39 | goto bad; | ||
40 | h->chunk_size = strtoul(cbp, NULL, 16); | ||
41 | + if (h->chunk_size < 0 || | ||
42 | + h->chunk_size > h->max_bytes) { | ||
43 | + wpa_printf(MSG_DEBUG, | ||
44 | + "httpread: Invalid chunk size %d", | ||
45 | + h->chunk_size); | ||
46 | + goto bad; | ||
47 | + } | ||
48 | /* throw away chunk header | ||
49 | * so we have only real data | ||
50 | */ | ||
51 | -- | ||
52 | 1.9.1 | ||
53 | |||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch new file mode 100644 index 0000000000..c477c2f93c --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch | |||
@@ -0,0 +1,70 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> | ||
4 | |||
5 | From e28a58be26184c2a23f80b410e0997ef1bd5d578 Mon Sep 17 00:00:00 2001 | ||
6 | From: Jouni Malinen <j@w1.fi> | ||
7 | Date: Fri, 1 May 2015 16:40:44 +0300 | ||
8 | Subject: [PATCH 2/5] EAP-pwd server: Fix payload length validation for Commit | ||
9 | and Confirm | ||
10 | |||
11 | The length of the received Commit and Confirm message payloads was not | ||
12 | checked before reading them. This could result in a buffer read | ||
13 | overflow when processing an invalid message. | ||
14 | |||
15 | Fix this by verifying that the payload is of expected length before | ||
16 | processing it. In addition, enforce correct state transition sequence to | ||
17 | make sure there is no unexpected behavior if receiving a Commit/Confirm | ||
18 | message before the previous exchanges have been completed. | ||
19 | |||
20 | Thanks to Kostya Kortchinsky of Google security team for discovering and | ||
21 | reporting this issue. | ||
22 | |||
23 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
24 | --- | ||
25 | src/eap_server/eap_server_pwd.c | 19 +++++++++++++++++++ | ||
26 | 1 file changed, 19 insertions(+) | ||
27 | |||
28 | diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c | ||
29 | index 66bd5d2..3189105 100644 | ||
30 | --- a/src/eap_server/eap_server_pwd.c | ||
31 | +++ b/src/eap_server/eap_server_pwd.c | ||
32 | @@ -656,9 +656,21 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data, | ||
33 | BIGNUM *x = NULL, *y = NULL, *cofactor = NULL; | ||
34 | EC_POINT *K = NULL, *point = NULL; | ||
35 | int res = 0; | ||
36 | + size_t prime_len, order_len; | ||
37 | |||
38 | wpa_printf(MSG_DEBUG, "EAP-pwd: Received commit response"); | ||
39 | |||
40 | + prime_len = BN_num_bytes(data->grp->prime); | ||
41 | + order_len = BN_num_bytes(data->grp->order); | ||
42 | + | ||
43 | + if (payload_len != 2 * prime_len + order_len) { | ||
44 | + wpa_printf(MSG_INFO, | ||
45 | + "EAP-pwd: Unexpected Commit payload length %u (expected %u)", | ||
46 | + (unsigned int) payload_len, | ||
47 | + (unsigned int) (2 * prime_len + order_len)); | ||
48 | + goto fin; | ||
49 | + } | ||
50 | + | ||
51 | if (((data->peer_scalar = BN_new()) == NULL) || | ||
52 | ((data->k = BN_new()) == NULL) || | ||
53 | ((cofactor = BN_new()) == NULL) || | ||
54 | @@ -774,6 +786,13 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data, | ||
55 | u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr; | ||
56 | int offset; | ||
57 | |||
58 | + if (payload_len != SHA256_MAC_LEN) { | ||
59 | + wpa_printf(MSG_INFO, | ||
60 | + "EAP-pwd: Unexpected Confirm payload length %u (expected %u)", | ||
61 | + (unsigned int) payload_len, SHA256_MAC_LEN); | ||
62 | + goto fin; | ||
63 | + } | ||
64 | + | ||
65 | /* build up the ciphersuite: group | random_function | prf */ | ||
66 | grp = htons(data->group_num); | ||
67 | ptr = (u8 *) &cs; | ||
68 | -- | ||
69 | 1.9.1 | ||
70 | |||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch new file mode 100644 index 0000000000..e46ce436e1 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch | |||
@@ -0,0 +1,56 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> | ||
4 | |||
5 | From 477c74395acd0123340457ba6f15ab345d42016e Mon Sep 17 00:00:00 2001 | ||
6 | From: Jouni Malinen <j@w1.fi> | ||
7 | Date: Sat, 2 May 2015 19:23:04 +0300 | ||
8 | Subject: [PATCH 3/5] EAP-pwd peer: Fix Total-Length parsing for fragment | ||
9 | reassembly | ||
10 | |||
11 | The remaining number of bytes in the message could be smaller than the | ||
12 | Total-Length field size, so the length needs to be explicitly checked | ||
13 | prior to reading the field and decrementing the len variable. This could | ||
14 | have resulted in the remaining length becoming negative and interpreted | ||
15 | as a huge positive integer. | ||
16 | |||
17 | In addition, check that there is no already started fragment in progress | ||
18 | before allocating a new buffer for reassembling fragments. This avoid a | ||
19 | potential memory leak when processing invalid message. | ||
20 | |||
21 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
22 | --- | ||
23 | src/eap_peer/eap_pwd.c | 12 ++++++++++++ | ||
24 | 1 file changed, 12 insertions(+) | ||
25 | |||
26 | diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c | ||
27 | index a629437..1d2079b 100644 | ||
28 | --- a/src/eap_peer/eap_pwd.c | ||
29 | +++ b/src/eap_peer/eap_pwd.c | ||
30 | @@ -866,11 +866,23 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret, | ||
31 | * if it's the first fragment there'll be a length field | ||
32 | */ | ||
33 | if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) { | ||
34 | + if (len < 2) { | ||
35 | + wpa_printf(MSG_DEBUG, | ||
36 | + "EAP-pwd: Frame too short to contain Total-Length field"); | ||
37 | + ret->ignore = TRUE; | ||
38 | + return NULL; | ||
39 | + } | ||
40 | tot_len = WPA_GET_BE16(pos); | ||
41 | wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments whose " | ||
42 | "total length = %d", tot_len); | ||
43 | if (tot_len > 15000) | ||
44 | return NULL; | ||
45 | + if (data->inbuf) { | ||
46 | + wpa_printf(MSG_DEBUG, | ||
47 | + "EAP-pwd: Unexpected new fragment start when previous fragment is still in use"); | ||
48 | + ret->ignore = TRUE; | ||
49 | + return NULL; | ||
50 | + } | ||
51 | data->inbuf = wpabuf_alloc(tot_len); | ||
52 | if (data->inbuf == NULL) { | ||
53 | wpa_printf(MSG_INFO, "Out of memory to buffer " | ||
54 | -- | ||
55 | 1.9.1 | ||
56 | |||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch new file mode 100644 index 0000000000..a4c02b4745 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch | |||
@@ -0,0 +1,54 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> | ||
4 | |||
5 | From 3035cc2894e08319b905bd6561e8bddc8c2db9fa Mon Sep 17 00:00:00 2001 | ||
6 | From: Jouni Malinen <j@w1.fi> | ||
7 | Date: Sat, 2 May 2015 19:26:06 +0300 | ||
8 | Subject: [PATCH 4/5] EAP-pwd server: Fix Total-Length parsing for fragment | ||
9 | reassembly | ||
10 | |||
11 | The remaining number of bytes in the message could be smaller than the | ||
12 | Total-Length field size, so the length needs to be explicitly checked | ||
13 | prior to reading the field and decrementing the len variable. This could | ||
14 | have resulted in the remaining length becoming negative and interpreted | ||
15 | as a huge positive integer. | ||
16 | |||
17 | In addition, check that there is no already started fragment in progress | ||
18 | before allocating a new buffer for reassembling fragments. This avoid a | ||
19 | potential memory leak when processing invalid message. | ||
20 | |||
21 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
22 | --- | ||
23 | src/eap_server/eap_server_pwd.c | 10 ++++++++++ | ||
24 | 1 file changed, 10 insertions(+) | ||
25 | |||
26 | diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c | ||
27 | index 3189105..2bfc3c2 100644 | ||
28 | --- a/src/eap_server/eap_server_pwd.c | ||
29 | +++ b/src/eap_server/eap_server_pwd.c | ||
30 | @@ -942,11 +942,21 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv, | ||
31 | * the first fragment has a total length | ||
32 | */ | ||
33 | if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) { | ||
34 | + if (len < 2) { | ||
35 | + wpa_printf(MSG_DEBUG, | ||
36 | + "EAP-pwd: Frame too short to contain Total-Length field"); | ||
37 | + return; | ||
38 | + } | ||
39 | tot_len = WPA_GET_BE16(pos); | ||
40 | wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total " | ||
41 | "length = %d", tot_len); | ||
42 | if (tot_len > 15000) | ||
43 | return; | ||
44 | + if (data->inbuf) { | ||
45 | + wpa_printf(MSG_DEBUG, | ||
46 | + "EAP-pwd: Unexpected new fragment start when previous fragment is still in use"); | ||
47 | + return; | ||
48 | + } | ||
49 | data->inbuf = wpabuf_alloc(tot_len); | ||
50 | if (data->inbuf == NULL) { | ||
51 | wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to " | ||
52 | -- | ||
53 | 1.9.1 | ||
54 | |||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch new file mode 100644 index 0000000000..4073600732 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch | |||
@@ -0,0 +1,36 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> | ||
4 | |||
5 | From 28a069a545b06b99eb55ad53f63f2c99e65a98f6 Mon Sep 17 00:00:00 2001 | ||
6 | From: Jouni Malinen <j@w1.fi> | ||
7 | Date: Sat, 2 May 2015 19:26:28 +0300 | ||
8 | Subject: [PATCH 5/5] EAP-pwd peer: Fix asymmetric fragmentation behavior | ||
9 | |||
10 | The L (Length) and M (More) flags needs to be cleared before deciding | ||
11 | whether the locally generated response requires fragmentation. This | ||
12 | fixes an issue where these flags from the server could have been invalid | ||
13 | for the following message. In some cases, this could have resulted in | ||
14 | triggering the wpabuf security check that would terminate the process | ||
15 | due to invalid buffer allocation. | ||
16 | |||
17 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
18 | --- | ||
19 | src/eap_peer/eap_pwd.c | 1 + | ||
20 | 1 file changed, 1 insertion(+) | ||
21 | |||
22 | diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c | ||
23 | index 1d2079b..e58b13a 100644 | ||
24 | --- a/src/eap_peer/eap_pwd.c | ||
25 | +++ b/src/eap_peer/eap_pwd.c | ||
26 | @@ -968,6 +968,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret, | ||
27 | /* | ||
28 | * we have output! Do we need to fragment it? | ||
29 | */ | ||
30 | + lm_exch = EAP_PWD_GET_EXCHANGE(lm_exch); | ||
31 | len = wpabuf_len(data->outbuf); | ||
32 | if ((len + EAP_PWD_HDR_SIZE) > data->mtu) { | ||
33 | resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD, data->mtu, | ||
34 | -- | ||
35 | 1.9.1 | ||
36 | |||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb index ebae23922e..0186c2be3d 100644 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb | |||
@@ -25,6 +25,12 @@ SRC_URI = "http://hostap.epitest.fi/releases/wpa_supplicant-${PV}.tar.gz \ | |||
25 | file://wpa_supplicant.conf-sane \ | 25 | file://wpa_supplicant.conf-sane \ |
26 | file://99_wpa_supplicant \ | 26 | file://99_wpa_supplicant \ |
27 | file://0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch \ | 27 | file://0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch \ |
28 | file://0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch \ | ||
29 | file://0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch \ | ||
30 | file://0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch \ | ||
31 | file://0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch \ | ||
32 | file://0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch \ | ||
33 | file://0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch \ | ||
28 | " | 34 | " |
29 | SRC_URI[md5sum] = "f0037dbe03897dcaf2ad2722e659095d" | 35 | SRC_URI[md5sum] = "f0037dbe03897dcaf2ad2722e659095d" |
30 | SRC_URI[sha256sum] = "058dc832c096139a059e6df814080f50251a8d313c21b13364c54a1e70109122" | 36 | SRC_URI[sha256sum] = "058dc832c096139a059e6df814080f50251a8d313c21b13364c54a1e70109122" |