Diffstat (limited to 'meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch')
-rw-r--r-- | meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch | 77 |
1 files changed, 77 insertions, 0 deletions
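--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
@@ -0,0 +1,77 @@
+Upstream-Status: Backport
+
+Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
+
+From dd2f043c9c43d156494e33d7ce22db96e6ef42c7 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 1 May 2015 16:37:45 +0300
+Subject: [PATCH 1/5] EAP-pwd peer: Fix payload length validation for Commit
+ and Confirm
+
+The length of the received Commit and Confirm message payloads was not
+checked before reading them. This could result in a buffer read
+overflow when processing an invalid message.
+
+Fix this by verifying that the payload is of expected length before
+processing it. In addition, enforce correct state transition sequence to
+make sure there is no unexpected behavior if receiving a Commit/Confirm
+message before the previous exchanges have been completed.
+
+Thanks to Kostya Kortchinsky of Google security team for discovering and
+reporting this issue.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_peer/eap_pwd.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
+index f2b0926..a629437 100644
+--- a/src/eap_peer/eap_pwd.c
++++ b/src/eap_peer/eap_pwd.c
+@@ -355,6 +355,23 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+ 	BIGNUM *mask = NULL, *x = NULL, *y = NULL, *cofactor = NULL;
+ 	u16 offset;
+ 	u8 *ptr, *scalar = NULL, *element = NULL;
++	size_t prime_len, order_len;
++
++	if (data->state != PWD_Commit_Req) {
++		ret->ignore = TRUE;
++		goto fin;
++	}
++
++	prime_len = BN_num_bytes(data->grp->prime);
++	order_len = BN_num_bytes(data->grp->order);
++
++	if (payload_len != 2 * prime_len + order_len) {
++		wpa_printf(MSG_INFO,
++			   "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
++			   (unsigned int) payload_len,
++			   (unsigned int) (2 * prime_len + order_len));
++		goto fin;
++	}
+ 
+ 	if (((data->private_value = BN_new()) == NULL) ||
+ 	    ((data->my_element = EC_POINT_new(data->grp->group)) == NULL) ||
+@@ -554,6 +571,18 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+ 	u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
+ 	int offset;
+ 
++	if (data->state != PWD_Confirm_Req) {
++		ret->ignore = TRUE;
++		goto fin;
++	}
++
++	if (payload_len != SHA256_MAC_LEN) {
++		wpa_printf(MSG_INFO,
++			   "EAP-pwd: Unexpected Confirm payload length %u (expected %u)",
++			   (unsigned int) payload_len, SHA256_MAC_LEN);
++		goto fin;
++	}
++
+ 	/*
+ 	 * first build up the ciphersuite which is group | random_function |
+ 	 * prf
+-- 
+1.9.1
+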
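Review bot: The patch header (file lines 1–3) carries `Upstream-Status: Backport` but no `CVE:` tag, although the description states this fixes a buffer read overflow in EAP-pwd Commit/Confirm processing and such a fix is likely to have an assigned identifier; OE's cve-check tooling keys on that tag, so add `CVE: <CVE id from the upstream advisory>` next to the Upstream-Status line if one exists. The upstream commit id dd2f043c9c43d156494e33d7ce22db96e6ef42c7 is already present in the From line, which covers traceability of the backport itself. The guarded functions eap_pwd_perform_commit_exchange and eap_pwd_perform_confirm_exchange both begin and end outside the quoted hunks, so the `fin:` cleanup path that the new early exits jump to is not visible here; confirm it tolerates being reached before data->private_value and data->my_element are allocated, since the Commit-stage `goto fin` now precedes those BN_new/EC_POINT_new calls.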