wpa-supplicant: Security fix CVE-2020-12695

Source: http://w1.fi/security/ Disposition: Backport from http://w1.fi/security/2020-1/ Affects <= 2.9 wpa-supplicant (From OE-Core rev: e9c696397ae1b4344b8329a13076f265980ee74d) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2020-06-25 21:17:36 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-06-28 08:35:59 +0100
commit: 3125cfe84a2c00cdae16d7276beae8ec5bf876c5 (patch)
tree: e19e5539c0d768d0e8f3802bc7016fc8516ac5cd /meta/recipes-connectivity
parent: 59b75aba7da3831357b00f413176412a3db615db (diff)
download: poky-3125cfe84a2c00cdae16d7276beae8ec5bf876c5.tar.gz
4 files changed, 267 insertions, 1 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
new file mode 100644
index 0000000000..53ad5d028a
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
@@ -0,0 +1,151 @@
+From 5b78c8f961f25f4dc22d6f2b77ddd06d712cec63 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Wed, 3 Jun 2020 23:17:35 +0300
+Subject: [PATCH 1/3] WPS UPnP: Do not allow event subscriptions with URLs to
+ other networks
+The UPnP Device Architecture 2.0 specification errata ("UDA errata
+16-04-2020.docx") addresses a problem with notifications being allowed
+to go out to other domains by disallowing such cases. Do such filtering
+for the notification callback URLs to avoid undesired connections to
+external networks based on subscriptions that any device in the local
+network could request when WPS support for external registrars is
+enabled (the upnp_iface parameter in hostapd configuration).
+Upstream-Status: Backport
+CVE: CVE-2020-12695 patch #1
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/wps/wps_er.c     |  2 +-
+ src/wps/wps_upnp.c   | 38 ++++++++++++++++++++++++++++++++++++--
+ src/wps/wps_upnp_i.h |  3 ++-
+ 3 files changed, 39 insertions(+), 4 deletions(-)
+Index: wpa_supplicant-2.9/src/wps/wps_er.c
+===================================================================
+--- wpa_supplicant-2.9.orig/src/wps/wps_er.c
+++ wpa_supplicant-2.9/src/wps/wps_er.c
+@@ -1298,7 +1298,7 @@ wps_er_init(struct wps_context *wps, con
+                           "with %s", filter);
+        }
+        if (get_netif_info(er->ifname, &er->ip_addr, &er->ip_addr_text,
+-                          er->mac_addr)) {
+                          NULL, er->mac_addr)) {
+                wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
+                           "for %s. Does it have IP address?", er->ifname);
+                wps_er_deinit(er, NULL, NULL);
+Index: wpa_supplicant-2.9/src/wps/wps_upnp.c
+===================================================================
+--- wpa_supplicant-2.9.orig/src/wps/wps_upnp.c
+++ wpa_supplicant-2.9/src/wps/wps_upnp.c
+@@ -303,6 +303,14 @@ static void subscr_addr_free_all(struct
+ }
+static int local_network_addr(struct upnp_wps_device_sm *sm,
+                             struct sockaddr_in *addr)
+{
+       return (addr->sin_addr.s_addr & sm->netmask.s_addr) ==
+               (sm->ip_addr & sm->netmask.s_addr);
+}
+
+
+ /* subscr_addr_add_url -- add address(es) for one url to subscription */
+ static void subscr_addr_add_url(struct subscription *s, const char *url,
+                                size_t url_len)
+@@ -381,6 +389,7 @@ static void subscr_addr_add_url(struct s
+        for (rp = result; rp; rp = rp->ai_next) {
+                struct subscr_addr *a;
+               struct sockaddr_in *addr = (struct sockaddr_in *) rp->ai_addr;
+                /* Limit no. of address to avoid denial of service attack */
+                if (dl_list_len(&s->addr_list) >= MAX_ADDR_PER_SUBSCRIPTION) {
+@@ -389,6 +398,13 @@ static void subscr_addr_add_url(struct s
+                        break;
+                }
+               if (!local_network_addr(s->sm, addr)) {
+                       wpa_printf(MSG_INFO,
+                                  "WPS UPnP: Ignore a delivery URL that points to another network %s",
+                                  inet_ntoa(addr->sin_addr));
+                       continue;
+               }
+
+                a = os_zalloc(sizeof(*a) + alloc_len);
+                if (a == NULL)
+                        break;
+@@ -889,11 +905,12 @@ static int eth_get(const char *device, u
+  * @net_if: Selected network interface name
+  * @ip_addr: Buffer for returning IP address in network byte order
+  * @ip_addr_text: Buffer for returning a pointer to allocated IP address text
+ * @netmask: Buffer for returning netmask or %NULL if not needed
+  * @mac: Buffer for returning MAC address
+  * Returns: 0 on success, -1 on failure
+  */
+ int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
+-                  u8 mac[ETH_ALEN])
+                  struct in_addr *netmask, u8 mac[ETH_ALEN])
+ {
+        struct ifreq req;
+        int sock = -1;
+@@ -919,6 +936,19 @@ int get_netif_info(const char *net_if, u
+        in_addr.s_addr = *ip_addr;
+        os_snprintf(*ip_addr_text, 16, "%s", inet_ntoa(in_addr));
+       if (netmask) {
+               os_memset(&req, 0, sizeof(req));
+               os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
+               if (ioctl(sock, SIOCGIFNETMASK, &req) < 0) {
+                       wpa_printf(MSG_ERROR,
+                                  "WPS UPnP: SIOCGIFNETMASK failed: %d (%s)",
+                                  errno, strerror(errno));
+                       goto fail;
+               }
+               addr = (struct sockaddr_in *) &req.ifr_netmask;
+               netmask->s_addr = addr->sin_addr.s_addr;
+       }
+
+ #ifdef __linux__
+        os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
+        if (ioctl(sock, SIOCGIFHWADDR, &req) < 0) {
+@@ -1025,11 +1055,15 @@ static int upnp_wps_device_start(struct
+        /* Determine which IP and mac address we're using */
+        if (get_netif_info(net_if, &sm->ip_addr, &sm->ip_addr_text,
+-                          sm->mac_addr)) {
+                          &sm->netmask, sm->mac_addr)) {
+                wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
+                           "for %s. Does it have IP address?", net_if);
+                goto fail;
+        }
+       wpa_printf(MSG_DEBUG, "WPS UPnP: Local IP address %s netmask %s hwaddr "
+                  MACSTR,
+                  sm->ip_addr_text, inet_ntoa(sm->netmask),
+                  MAC2STR(sm->mac_addr));
+        /* Listen for incoming TCP connections so that others
+         * can fetch our "xml files" from us.
+Index: wpa_supplicant-2.9/src/wps/wps_upnp_i.h
+===================================================================
+--- wpa_supplicant-2.9.orig/src/wps/wps_upnp_i.h
+++ wpa_supplicant-2.9/src/wps/wps_upnp_i.h
+@@ -128,6 +128,7 @@ struct upnp_wps_device_sm {
+        u8 mac_addr[ETH_ALEN]; /* mac addr of network i.f. we use */
+        char *ip_addr_text; /* IP address of network i.f. we use */
+        unsigned ip_addr; /* IP address of network i.f. we use (host order) */
+       struct in_addr netmask;
+        int multicast_sd; /* send multicast messages over this socket */
+        int ssdp_sd; /* receive discovery UPD packets on socket */
+        int ssdp_sd_registered; /* nonzero if we must unregister */
+@@ -158,7 +159,7 @@ struct subscription * subscription_find(
+                                        const u8 uuid[UUID_LEN]);
+ void subscr_addr_delete(struct subscr_addr *a);
+ int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
+-                  u8 mac[ETH_ALEN]);
+                  struct in_addr *netmask, u8 mac[ETH_ALEN]);
+ /* wps_upnp_ssdp.c */
+ void msearchreply_state_machine_stop(struct advertisement_state_machine *a);
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
new file mode 100644
index 0000000000..59640859dd
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
@@ -0,0 +1,62 @@
+From f7d268864a2660b7239b9a8ff5ad37faeeb751ba Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Wed, 3 Jun 2020 22:41:02 +0300
+Subject: [PATCH 2/3] WPS UPnP: Fix event message generation using a long URL
+ path
+More than about 700 character URL ended up overflowing the wpabuf used
+for building the event notification and this resulted in the wpabuf
+buffer overflow checks terminating the hostapd process. Fix this by
+allocating the buffer to be large enough to contain the full URL path.
+However, since that around 700 character limit has been the practical
+limit for more than ten years, start explicitly enforcing that as the
+limit or the callback URLs since any longer ones had not worked before
+and there is no need to enable them now either.
+Upstream-Status: Backport
+CVE: CVE-2020-12695 patch #2
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/wps/wps_upnp.c       | 9 +++++++--
+ src/wps/wps_upnp_event.c | 3 ++-
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+diff --git a/src/wps/wps_upnp.c b/src/wps/wps_upnp.c
+index 7d4b7439940e..ab685d52ecab 100644
+--- a/src/wps/wps_upnp.c
+++ b/src/wps/wps_upnp.c
+@@ -328,9 +328,14 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
+        int rerr;
+        size_t host_len, path_len;
+-       /* url MUST begin with http: */
+-       if (url_len < 7 || os_strncasecmp(url, "http://", 7))
+       /* URL MUST begin with HTTP scheme. In addition, limit the length of
+        * the URL to 700 characters which is around the limit that was
+        * implicitly enforced for more than 10 years due to a bug in
+        * generating the event messages. */
+       if (url_len < 7 || os_strncasecmp(url, "http://", 7) || url_len > 700) {
+               wpa_printf(MSG_DEBUG, "WPS UPnP: Reject an unacceptable URL");
+                goto fail;
+       }
+        url += 7;
+        url_len -= 7;
+diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
+index d7e6edcc6503..08a23612f338 100644
+--- a/src/wps/wps_upnp_event.c
+++ b/src/wps/wps_upnp_event.c
+@@ -147,7 +147,8 @@ static struct wpabuf * event_build_message(struct wps_event_ *e)
+        struct wpabuf *buf;
+        char *b;
+-       buf = wpabuf_alloc(1000 + wpabuf_len(e->data));
+       buf = wpabuf_alloc(1000 + os_strlen(e->addr->path) +
+                          wpabuf_len(e->data));
+        if (buf == NULL)
+                return NULL;
+        wpabuf_printf(buf, "NOTIFY %s HTTP/1.1\r\n", e->addr->path);
+--
+2.20.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
new file mode 100644
index 0000000000..8a014ef28a
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
@@ -0,0 +1,50 @@
+From 85aac526af8612c21b3117dadc8ef5944985b476 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Thu, 4 Jun 2020 21:24:04 +0300
+Subject: [PATCH 3/3] WPS UPnP: Handle HTTP initiation failures for events more
+ properly
+While it is appropriate to try to retransmit the event to another
+callback URL on a failure to initiate the HTTP client connection, there
+is no point in trying the exact same operation multiple times in a row.
+Replve the event_retry() calls with event_addr_failure() for these cases
+to avoid busy loops trying to repeat the same failing operation.
+These potential busy loops would go through eloop callbacks, so the
+process is not completely stuck on handling them, but unnecessary CPU
+would be used to process the continues retries that will keep failing
+for the same reason.
+Upstream-Status: Backport
+CVE: CVE-2020-12695 patch #2
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/wps/wps_upnp_event.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
+index 08a23612f338..c0d9e41d9a38 100644
+--- a/src/wps/wps_upnp_event.c
+++ b/src/wps/wps_upnp_event.c
+@@ -294,7 +294,7 @@ static int event_send_start(struct subscription *s)
+        buf = event_build_message(e);
+        if (buf == NULL) {
+-               event_retry(e, 0);
+               event_addr_failure(e);
+                return -1;
+        }
+@@ -302,7 +302,7 @@ static int event_send_start(struct subscription *s)
+                                         event_http_cb, e);
+        if (e->http_event == NULL) {
+                wpabuf_free(buf);
+-               event_retry(e, 0);
+               event_addr_failure(e);
+                return -1;
+        }
+--
+2.20.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
index 2936e89eed..7cc03fef7d 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
@@ -25,7 +25,10 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz  \
           file://wpa_supplicant.conf-sane \
           file://99_wpa_supplicant \
           file://0001-replace-systemd-install-Alias-with-WantedBy.patch \
-                   file://0001-AP-Silently-ignore-management-frame-from-unexpected-.patch \
+           file://0001-AP-Silently-ignore-management-frame-from-unexpected-.patch \
+           file://0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \
+           file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \
+           file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \
          "
 SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"
 SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"
author	Armin Kuster <akuster@mvista.com>	2020-06-25 21:17:36 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-06-28 08:35:59 +0100
commit	3125cfe84a2c00cdae16d7276beae8ec5bf876c5 (patch)
tree	e19e5539c0d768d0e8f3802bc7016fc8516ac5cd /meta/recipes-connectivity
parent	59b75aba7da3831357b00f413176412a3db615db (diff)
download	poky-3125cfe84a2c00cdae16d7276beae8ec5bf876c5.tar.gz

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch new file mode 100644 index 0000000000..53ad5d028a --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
@@ -0,0 +1,151 @@
		1	From 5b78c8f961f25f4dc22d6f2b77ddd06d712cec63 Mon Sep 17 00:00:00 2001
		2	From: Jouni Malinen <jouni@codeaurora.org>
		3	Date: Wed, 3 Jun 2020 23:17:35 +0300
		4	Subject: [PATCH 1/3] WPS UPnP: Do not allow event subscriptions with URLs to
		5	other networks
		6
		7	The UPnP Device Architecture 2.0 specification errata ("UDA errata
		8	16-04-2020.docx") addresses a problem with notifications being allowed
		9	to go out to other domains by disallowing such cases. Do such filtering
		10	for the notification callback URLs to avoid undesired connections to
		11	external networks based on subscriptions that any device in the local
		12	network could request when WPS support for external registrars is
		13	enabled (the upnp_iface parameter in hostapd configuration).
		14
		15	Upstream-Status: Backport
		16	CVE: CVE-2020-12695 patch #1
		17	Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
		18	Signed-off-by: Armin Kuster <akuster@mvista.com>
		19
		20	---
		21	src/wps/wps_er.c \| 2 +-
		22	src/wps/wps_upnp.c \| 38 ++++++++++++++++++++++++++++++++++++--
		23	src/wps/wps_upnp_i.h \| 3 ++-
		24	3 files changed, 39 insertions(+), 4 deletions(-)
		25
		26	Index: wpa_supplicant-2.9/src/wps/wps_er.c
		27	===================================================================
		28	--- wpa_supplicant-2.9.orig/src/wps/wps_er.c
		29	+++ wpa_supplicant-2.9/src/wps/wps_er.c
		30	@@ -1298,7 +1298,7 @@ wps_er_init(struct wps_context *wps, con
		31	"with %s", filter);
		32	}
		33	if (get_netif_info(er->ifname, &er->ip_addr, &er->ip_addr_text,
		34	- er->mac_addr)) {
		35	+ NULL, er->mac_addr)) {
		36	wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
		37	"for %s. Does it have IP address?", er->ifname);
		38	wps_er_deinit(er, NULL, NULL);
		39	Index: wpa_supplicant-2.9/src/wps/wps_upnp.c
		40	===================================================================
		41	--- wpa_supplicant-2.9.orig/src/wps/wps_upnp.c
		42	+++ wpa_supplicant-2.9/src/wps/wps_upnp.c
		43	@@ -303,6 +303,14 @@ static void subscr_addr_free_all(struct
		44	}
		45
		46
		47	+static int local_network_addr(struct upnp_wps_device_sm *sm,
		48	+ struct sockaddr_in *addr)
		49	+{
		50	+ return (addr->sin_addr.s_addr & sm->netmask.s_addr) ==
		51	+ (sm->ip_addr & sm->netmask.s_addr);
		52	+}
		53	+
		54	+
		55	/* subscr_addr_add_url -- add address(es) for one url to subscription */
		56	static void subscr_addr_add_url(struct subscription s, const char url,
		57	size_t url_len)
		58	@@ -381,6 +389,7 @@ static void subscr_addr_add_url(struct s
		59
		60	for (rp = result; rp; rp = rp->ai_next) {
		61	struct subscr_addr *a;
		62	+ struct sockaddr_in addr = (struct sockaddr_in ) rp->ai_addr;
		63
		64	/* Limit no. of address to avoid denial of service attack */
		65	if (dl_list_len(&s->addr_list) >= MAX_ADDR_PER_SUBSCRIPTION) {
		66	@@ -389,6 +398,13 @@ static void subscr_addr_add_url(struct s
		67	break;
		68	}
		69
		70	+ if (!local_network_addr(s->sm, addr)) {
		71	+ wpa_printf(MSG_INFO,
		72	+ "WPS UPnP: Ignore a delivery URL that points to another network %s",
		73	+ inet_ntoa(addr->sin_addr));
		74	+ continue;
		75	+ }
		76	+
		77	a = os_zalloc(sizeof(*a) + alloc_len);
		78	if (a == NULL)
		79	break;
		80	@@ -889,11 +905,12 @@ static int eth_get(const char *device, u
		81	* @net_if: Selected network interface name
		82	* @ip_addr: Buffer for returning IP address in network byte order
		83	* @ip_addr_text: Buffer for returning a pointer to allocated IP address text
		84	+ * @netmask: Buffer for returning netmask or %NULL if not needed
		85	* @mac: Buffer for returning MAC address
		86	* Returns: 0 on success, -1 on failure
		87	*/
		88	int get_netif_info(const char net_if, unsigned ip_addr, char **ip_addr_text,
		89	- u8 mac[ETH_ALEN])
		90	+ struct in_addr *netmask, u8 mac[ETH_ALEN])
		91	{
		92	struct ifreq req;
		93	int sock = -1;
		94	@@ -919,6 +936,19 @@ int get_netif_info(const char *net_if, u
		95	in_addr.s_addr = *ip_addr;
		96	os_snprintf(*ip_addr_text, 16, "%s", inet_ntoa(in_addr));
		97
		98	+ if (netmask) {
		99	+ os_memset(&req, 0, sizeof(req));
		100	+ os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
		101	+ if (ioctl(sock, SIOCGIFNETMASK, &req) < 0) {
		102	+ wpa_printf(MSG_ERROR,
		103	+ "WPS UPnP: SIOCGIFNETMASK failed: %d (%s)",
		104	+ errno, strerror(errno));
		105	+ goto fail;
		106	+ }
		107	+ addr = (struct sockaddr_in *) &req.ifr_netmask;
		108	+ netmask->s_addr = addr->sin_addr.s_addr;
		109	+ }
		110	+
		111	#ifdef __linux__
		112	os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
		113	if (ioctl(sock, SIOCGIFHWADDR, &req) < 0) {
		114	@@ -1025,11 +1055,15 @@ static int upnp_wps_device_start(struct
		115
		116	/* Determine which IP and mac address we're using */
		117	if (get_netif_info(net_if, &sm->ip_addr, &sm->ip_addr_text,
		118	- sm->mac_addr)) {
		119	+ &sm->netmask, sm->mac_addr)) {
		120	wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
		121	"for %s. Does it have IP address?", net_if);
		122	goto fail;
		123	}
		124	+ wpa_printf(MSG_DEBUG, "WPS UPnP: Local IP address %s netmask %s hwaddr "
		125	+ MACSTR,
		126	+ sm->ip_addr_text, inet_ntoa(sm->netmask),
		127	+ MAC2STR(sm->mac_addr));
		128
		129	/* Listen for incoming TCP connections so that others
		130	* can fetch our "xml files" from us.
		131	Index: wpa_supplicant-2.9/src/wps/wps_upnp_i.h
		132	===================================================================
		133	--- wpa_supplicant-2.9.orig/src/wps/wps_upnp_i.h
		134	+++ wpa_supplicant-2.9/src/wps/wps_upnp_i.h
		135	@@ -128,6 +128,7 @@ struct upnp_wps_device_sm {
		136	u8 mac_addr[ETH_ALEN]; /* mac addr of network i.f. we use */
		137	char ip_addr_text; / IP address of network i.f. we use */
		138	unsigned ip_addr; /* IP address of network i.f. we use (host order) */
		139	+ struct in_addr netmask;
		140	int multicast_sd; /* send multicast messages over this socket */
		141	int ssdp_sd; /* receive discovery UPD packets on socket */
		142	int ssdp_sd_registered; /* nonzero if we must unregister */
		143	@@ -158,7 +159,7 @@ struct subscription * subscription_find(
		144	const u8 uuid[UUID_LEN]);
		145	void subscr_addr_delete(struct subscr_addr *a);
		146	int get_netif_info(const char net_if, unsigned ip_addr, char **ip_addr_text,
		147	- u8 mac[ETH_ALEN]);
		148	+ struct in_addr *netmask, u8 mac[ETH_ALEN]);
		149
		150	/* wps_upnp_ssdp.c */
		151	void msearchreply_state_machine_stop(struct advertisement_state_machine *a);


diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch new file mode 100644 index 0000000000..59640859dd --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
@@ -0,0 +1,62 @@
		1	From f7d268864a2660b7239b9a8ff5ad37faeeb751ba Mon Sep 17 00:00:00 2001
		2	From: Jouni Malinen <jouni@codeaurora.org>
		3	Date: Wed, 3 Jun 2020 22:41:02 +0300
		4	Subject: [PATCH 2/3] WPS UPnP: Fix event message generation using a long URL
		5	path
		6
		7	More than about 700 character URL ended up overflowing the wpabuf used
		8	for building the event notification and this resulted in the wpabuf
		9	buffer overflow checks terminating the hostapd process. Fix this by
		10	allocating the buffer to be large enough to contain the full URL path.
		11	However, since that around 700 character limit has been the practical
		12	limit for more than ten years, start explicitly enforcing that as the
		13	limit or the callback URLs since any longer ones had not worked before
		14	and there is no need to enable them now either.
		15
		16	Upstream-Status: Backport
		17	CVE: CVE-2020-12695 patch #2
		18	Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
		19	Signed-off-by: Armin Kuster <akuster@mvista.com>
		20
		21	---
		22	src/wps/wps_upnp.c \| 9 +++++++--
		23	src/wps/wps_upnp_event.c \| 3 ++-
		24	2 files changed, 9 insertions(+), 3 deletions(-)
		25
		26	diff --git a/src/wps/wps_upnp.c b/src/wps/wps_upnp.c
		27	index 7d4b7439940e..ab685d52ecab 100644
		28	--- a/src/wps/wps_upnp.c
		29	+++ b/src/wps/wps_upnp.c
		30	@@ -328,9 +328,14 @@ static void subscr_addr_add_url(struct subscription s, const char url,
		31	int rerr;
		32	size_t host_len, path_len;
		33
		34	- /* url MUST begin with http: */
		35	- if (url_len < 7 \|\| os_strncasecmp(url, "http://", 7))
		36	+ /* URL MUST begin with HTTP scheme. In addition, limit the length of
		37	+ * the URL to 700 characters which is around the limit that was
		38	+ * implicitly enforced for more than 10 years due to a bug in
		39	+ * generating the event messages. */
		40	+ if (url_len < 7 \|\| os_strncasecmp(url, "http://", 7) \|\| url_len > 700) {
		41	+ wpa_printf(MSG_DEBUG, "WPS UPnP: Reject an unacceptable URL");
		42	goto fail;
		43	+ }
		44	url += 7;
		45	url_len -= 7;
		46
		47	diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
		48	index d7e6edcc6503..08a23612f338 100644
		49	--- a/src/wps/wps_upnp_event.c
		50	+++ b/src/wps/wps_upnp_event.c
		51	@@ -147,7 +147,8 @@ static struct wpabuf * event_build_message(struct wps_event_ *e)
		52	struct wpabuf *buf;
		53	char *b;
		54
		55	- buf = wpabuf_alloc(1000 + wpabuf_len(e->data));
		56	+ buf = wpabuf_alloc(1000 + os_strlen(e->addr->path) +
		57	+ wpabuf_len(e->data));
		58	if (buf == NULL)
		59	return NULL;
		60	wpabuf_printf(buf, "NOTIFY %s HTTP/1.1\r\n", e->addr->path);
		61	--
		62	2.20.1


diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch new file mode 100644 index 0000000000..8a014ef28a --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
@@ -0,0 +1,50 @@
		1	From 85aac526af8612c21b3117dadc8ef5944985b476 Mon Sep 17 00:00:00 2001
		2	From: Jouni Malinen <jouni@codeaurora.org>
		3	Date: Thu, 4 Jun 2020 21:24:04 +0300
		4	Subject: [PATCH 3/3] WPS UPnP: Handle HTTP initiation failures for events more
		5	properly
		6
		7	While it is appropriate to try to retransmit the event to another
		8	callback URL on a failure to initiate the HTTP client connection, there
		9	is no point in trying the exact same operation multiple times in a row.
		10	Replve the event_retry() calls with event_addr_failure() for these cases
		11	to avoid busy loops trying to repeat the same failing operation.
		12
		13	These potential busy loops would go through eloop callbacks, so the
		14	process is not completely stuck on handling them, but unnecessary CPU
		15	would be used to process the continues retries that will keep failing
		16	for the same reason.
		17
		18	Upstream-Status: Backport
		19	CVE: CVE-2020-12695 patch #2
		20	Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
		21	Signed-off-by: Armin Kuster <akuster@mvista.com>
		22
		23	---
		24	src/wps/wps_upnp_event.c \| 4 ++--
		25	1 file changed, 2 insertions(+), 2 deletions(-)
		26
		27	diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
		28	index 08a23612f338..c0d9e41d9a38 100644
		29	--- a/src/wps/wps_upnp_event.c
		30	+++ b/src/wps/wps_upnp_event.c
		31	@@ -294,7 +294,7 @@ static int event_send_start(struct subscription *s)
		32
		33	buf = event_build_message(e);
		34	if (buf == NULL) {
		35	- event_retry(e, 0);
		36	+ event_addr_failure(e);
		37	return -1;
		38	}
		39
		40	@@ -302,7 +302,7 @@ static int event_send_start(struct subscription *s)
		41	event_http_cb, e);
		42	if (e->http_event == NULL) {
		43	wpabuf_free(buf);
		44	- event_retry(e, 0);
		45	+ event_addr_failure(e);
		46	return -1;
		47	}
		48
		49	--
		50	2.20.1


diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb index 2936e89eed..7cc03fef7d 100644 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
@@ -25,7 +25,10 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
25	file://wpa_supplicant.conf-sane \	25	file://wpa_supplicant.conf-sane \
26	file://99_wpa_supplicant \	26	file://99_wpa_supplicant \
27	file://0001-replace-systemd-install-Alias-with-WantedBy.patch \	27	file://0001-replace-systemd-install-Alias-with-WantedBy.patch \
28	file://0001-AP-Silently-ignore-management-frame-from-unexpected-.patch \	28	file://0001-AP-Silently-ignore-management-frame-from-unexpected-.patch \
		29	file://0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \
		30	file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \
		31	file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \
29	"	32	"
30	SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"	33	SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"
31	SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"	34	SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"