summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch45
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb1
2 files changed, 46 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch
new file mode 100644
index 0000000000..8c90fa3421
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch
@@ -0,0 +1,45 @@
1From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
2From: Jouni Malinen <jouni@codeaurora.org>
3Date: Mon, 9 Nov 2020 11:43:12 +0200
4Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
5 client
6
7Parsing and copying of WPS secondary device types list was verifying
8that the contents is not too long for the internal maximum in the case
9of WPS messages, but similar validation was missing from the case of P2P
10group information which encodes this information in a different
11attribute. This could result in writing beyond the memory area assigned
12for these entries and corrupting memory within an instance of struct
13p2p_device. This could result in invalid operations and unexpected
14behavior when trying to free pointers from that corrupted memory.
15
16Upstream-Status: Backport
17CVE: CVE-2021-0326
18
19Reference to upstream patch:
20[https://w1.fi/cgit/hostap/commit/?id=947272febe24a8f0ea828b5b2f35f13c3821901e]
21
22Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
23Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
24Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
25Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
26---
27 src/p2p/p2p.c | 2 ++
28 1 file changed, 2 insertions(+)
29
30diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
31index a08ba02..079270f 100644
32--- a/src/p2p/p2p.c
33+++ b/src/p2p/p2p.c
34@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
35 dev->info.config_methods = cli->config_methods;
36 os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
37 dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
38+ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
39+ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
40 os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
41 dev->info.wps_sec_dev_type_list_len);
42 }
43--
442.17.1
45
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
index 7cc03fef7d..85ac28d881 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
29 file://0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \ 29 file://0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \
30 file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \ 30 file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \
31 file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \ 31 file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \
32 file://CVE-2021-0326.patch \
32 " 33 "
33SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190" 34SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"
34SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17" 35SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"