-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant.inc1
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch47
2 files changed, 48 insertions, 0 deletions
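--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant.inc
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant.inc
@@ -25,6 +25,7 @@ SRC_URI = "http://hostap.epitest.fi/releases/wpa_supplicant-${PV}.tar.gz \
 file://wpa_supplicant.conf-sane \
 file://99_wpa_supplicant \
 file://fix-libnl3-host-contamination.patch \
+file://0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch \
 file://0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch \
 file://0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch \
 file://0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch \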
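--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
@@ -0,0 +1,47 @@
+From 9ed4eee345f85e3025c33c6e20aa25696e341ccd Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@qca.qualcomm.com>
+Date: Tue, 7 Apr 2015 11:32:11 +0300
+Subject: [PATCH] P2P: Validate SSID element length before copying it
+ (CVE-2015-1863)
+
+This fixes a possible memcpy overflow for P2P dev->oper_ssid in
+p2p_add_device(). The length provided by the peer device (0..255 bytes)
+was used without proper bounds checking and that could have resulted in
+arbitrary data of up to 223 bytes being written beyond the end of the
+dev->oper_ssid[] array (of which about 150 bytes would be beyond the
+heap allocation) when processing a corrupted management frame for P2P
+peer discovery purposes.
+
+This could result in corrupted state in heap, unexpected program
+behavior due to corrupted P2P peer device information, denial of service
+due to process crash, exposure of memory contents during GO Negotiation,
+and potentially arbitrary code execution.
+
+Thanks to Google security team for reporting this issue and smart
+hardware research group of Alibaba security team for discovering it.
+
+Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
+
+Upstream-Status: Backport
+
+Signed-off-by: Yue Tao <yue.tao@windriver.com>
+
+---
+ src/p2p/p2p.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
+index f584fae..a45fe73 100644
+--- a/src/p2p/p2p.c
++++ b/src/p2p/p2p.c
+@@ -778,6 +778,7 @@ int p2p_add_device(struct p2p_data *p2p, const u8 *addr, int freq,
+ if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0)
+ os_memcpy(dev->interface_addr, addr, ETH_ALEN);
+ if (msg.ssid &&
++ msg.ssid[1] <= sizeof(dev->oper_ssid) &&
+ (msg.ssid[1] != P2P_WILDCARD_SSID_LEN ||
+ os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN)
+ != 0)) {
+--
+1.7.9.5
+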
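Review bot: The patch header carries `Upstream-Status: Backport` but no `CVE:` tag, although the fix is for CVE-2015-1863 (named only in the Subject continuation line, and presumably the source of the truncated `-C` in the file name), so the recipe's CVE tracking has nothing to match on; add `CVE: CVE-2015-1863` beside the Upstream-Status line. The inner hunk adds the `msg.ssid[1] <= sizeof(dev->oper_ssid) &&` guard, but the os_memcpy into dev->oper_ssid and the store of its length that the guard protects lie after the hunk in p2p_add_device, which starts before the hunk and continues past it, so the hunk alone does not show that the stored length comes from the same checked value. An SSID element that fails the new guard appears to be skipped in the same way the existing condition already skips the wildcard SSID, with no diagnostic visible here; a one-line comment above the guard such as `/* Peer-supplied length (0..255) must fit oper_ssid; oversized elements are ignored */` would record why the bound belongs in this condition.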