wpa-supplicant: Fix CVE-2015-4142

wpa-supplicant: backport patch to fix CVE-2015-4142 Backport patch to fix CVE-2015-4142. This patch is originally from: http://w1.fi/security/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch (From OE-Core rev: 61f2a6a18dcda22d7b0e236f9150674bff2764a7) Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: fan.xin <fan.xin@jp.fujitsu.com> 2015-06-30 11:21:55 +0900
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-07-01 15:40:00 +0100
commit: 563269fd1e326d099051720275682afd9a813857 (patch)
tree: 6de2623c08524d2b3fbf6cd36027e6696a311581 /meta/recipes-connectivity/wpa-supplicant
parent: 63873d02c0b530d4f55e1bea9e0150c426ccb59e (diff)
download: poky-563269fd1e326d099051720275682afd9a813857.tar.gz
1 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
new file mode 100644
index 0000000000..882674fe5b
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
@@ -0,0 +1,45 @@
+Upstream-Status: Backport
+Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
+From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Wed, 29 Apr 2015 02:21:53 +0300
+Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser
+The length of the WMM Action frame was not properly validated and the
+length of the information elements (int left) could end up being
+negative. This would result in reading significantly past the stack
+buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
+so, resulting in segmentation fault.
+This can result in an invalid frame being used for a denial of service
+attack (hostapd process killed) against an AP with a driver that uses
+hostapd for management frame processing (e.g., all mac80211-based
+drivers).
+Thanks to Kostya Kortchinsky of Google security team for discovering and
+reporting this issue.
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/wmm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/src/ap/wmm.c b/src/ap/wmm.c
+index 6d4177c..314e244 100644
+--- a/src/ap/wmm.c
+++ b/src/ap/wmm.c
+@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd,
+                return;
+        }
+ 
+       if (left < 0)
+               return; /* not a valid WMM Action frame */
+
+        /* extract the tspec info element */
+        if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) {
+                hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
+-- 
+1.9.1
author	fan.xin <fan.xin@jp.fujitsu.com>	2015-06-30 11:21:55 +0900
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-07-01 15:40:00 +0100
commit	563269fd1e326d099051720275682afd9a813857 (patch)
tree	6de2623c08524d2b3fbf6cd36027e6696a311581 /meta/recipes-connectivity/wpa-supplicant
parent	63873d02c0b530d4f55e1bea9e0150c426ccb59e (diff)
download	poky-563269fd1e326d099051720275682afd9a813857.tar.gz

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch new file mode 100644 index 0000000000..882674fe5b --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
@@ -0,0 +1,45 @@
	1	Upstream-Status: Backport
	2
	3	Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
	4
	5	From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001
	6	From: Jouni Malinen <j@w1.fi>
	7	Date: Wed, 29 Apr 2015 02:21:53 +0300
	8	Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser
	9
	10	The length of the WMM Action frame was not properly validated and the
	11	length of the information elements (int left) could end up being
	12	negative. This would result in reading significantly past the stack
	13	buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
	14	so, resulting in segmentation fault.
	15
	16	This can result in an invalid frame being used for a denial of service
	17	attack (hostapd process killed) against an AP with a driver that uses
	18	hostapd for management frame processing (e.g., all mac80211-based
	19	drivers).
	20
	21	Thanks to Kostya Kortchinsky of Google security team for discovering and
	22	reporting this issue.
	23
	24	Signed-off-by: Jouni Malinen <j@w1.fi>
	25	---
	26	src/ap/wmm.c \| 3 +++
	27	1 file changed, 3 insertions(+)
	28
	29	diff --git a/src/ap/wmm.c b/src/ap/wmm.c
	30	index 6d4177c..314e244 100644
	31	--- a/src/ap/wmm.c
	32	+++ b/src/ap/wmm.c
	33	@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd,
	34	return;
	35	}
	36
	37	+ if (left < 0)
	38	+ return; /* not a valid WMM Action frame */
	39	+
	40	/* extract the tspec info element */
	41	if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) {
	42	hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
	43	--
	44	1.9.1
	45