1 files changed, 0 insertions, 77 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
deleted file mode 100644
index a2bafc8c46..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-Upstream-Status: Backport
-Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
-From dd2f043c9c43d156494e33d7ce22db96e6ef42c7 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Fri, 1 May 2015 16:37:45 +0300
-Subject: [PATCH 1/5] EAP-pwd peer: Fix payload length validation for Commit
- and Confirm
-The length of the received Commit and Confirm message payloads was not
-checked before reading them. This could result in a buffer read
-overflow when processing an invalid message.
-Fix this by verifying that the payload is of expected length before
-processing it. In addition, enforce correct state transition sequence to
-make sure there is no unexpected behavior if receiving a Commit/Confirm
-message before the previous exchanges have been completed.
-Thanks to Kostya Kortchinsky of Google security team for discovering and
-reporting this issue.
-Signed-off-by: Jouni Malinen <j@w1.fi>
---
- src/eap_peer/eap_pwd.c | 29 +++++++++++++++++++++++++++++
- 1 file changed, 29 insertions(+)
-diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
-index f2b0926..a629437 100644
--- a/src/eap_peer/eap_pwd.c
-+++ b/src/eap_peer/eap_pwd.c
-@@ -355,6 +355,23 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
-        BIGNUM *mask = NULL, *x = NULL, *y = NULL, *cofactor = NULL;
-        u16 offset;
-        u8 *ptr, *scalar = NULL, *element = NULL;
-+       size_t prime_len, order_len;
-+
-+       if (data->state != PWD_Commit_Req) {
-+               ret->ignore = TRUE;
-+               goto fin;
-+       }
-+
-+       prime_len = BN_num_bytes(data->grp->prime);
-+       order_len = BN_num_bytes(data->grp->order);
-+
-+       if (payload_len != 2 * prime_len + order_len) {
-+               wpa_printf(MSG_INFO,
-+                          "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
-+                          (unsigned int) payload_len,
-+                          (unsigned int) (2 * prime_len + order_len));
-+               goto fin;
-+       }
- 
-        if (((data->private_value = BN_new()) == NULL) ||
-            ((data->my_element = EC_POINT_new(data->grp->group)) == NULL) ||
-@@ -554,6 +571,18 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
-        u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
-        int offset;
- 
-+       if (data->state != PWD_Confirm_Req) {
-+               ret->ignore = TRUE;
-+               goto fin;
-+       }
-+
-+       if (payload_len != SHA256_MAC_LEN) {
-+               wpa_printf(MSG_INFO,
-+                          "EAP-pwd: Unexpected Confirm payload length %u (expected %u)",
-+                          (unsigned int) payload_len, SHA256_MAC_LEN);
-+               goto fin;
-+       }
-+
-        /*
-         * first build up the ciphersuite which is group | random_function |
-         *      prf
-- 
-1.9.1

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch deleted file mode 100644 index a2bafc8c46..0000000000 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch +++ /dev/null
@@ -1,77 +0,0 @@
1	Upstream-Status: Backport
2
3	Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
4
5	From dd2f043c9c43d156494e33d7ce22db96e6ef42c7 Mon Sep 17 00:00:00 2001
6	From: Jouni Malinen <j@w1.fi>
7	Date: Fri, 1 May 2015 16:37:45 +0300
8	Subject: [PATCH 1/5] EAP-pwd peer: Fix payload length validation for Commit
9	and Confirm
10
11	The length of the received Commit and Confirm message payloads was not
12	checked before reading them. This could result in a buffer read
13	overflow when processing an invalid message.
14
15	Fix this by verifying that the payload is of expected length before
16	processing it. In addition, enforce correct state transition sequence to
17	make sure there is no unexpected behavior if receiving a Commit/Confirm
18	message before the previous exchanges have been completed.
19
20	Thanks to Kostya Kortchinsky of Google security team for discovering and
21	reporting this issue.
22
23	Signed-off-by: Jouni Malinen <j@w1.fi>
24	---
25	src/eap_peer/eap_pwd.c \| 29 +++++++++++++++++++++++++++++
26	1 file changed, 29 insertions(+)
27
28	diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
29	index f2b0926..a629437 100644
30	--- a/src/eap_peer/eap_pwd.c
31	+++ b/src/eap_peer/eap_pwd.c
32	@@ -355,6 +355,23 @@ eap_pwd_perform_commit_exchange(struct eap_sm sm, struct eap_pwd_data data,
33	BIGNUM mask = NULL, x = NULL, y = NULL, cofactor = NULL;
34	u16 offset;
35	u8 ptr, scalar = NULL, *element = NULL;
36	+ size_t prime_len, order_len;
37	+
38	+ if (data->state != PWD_Commit_Req) {
39	+ ret->ignore = TRUE;
40	+ goto fin;
41	+ }
42	+
43	+ prime_len = BN_num_bytes(data->grp->prime);
44	+ order_len = BN_num_bytes(data->grp->order);
45	+
46	+ if (payload_len != 2 * prime_len + order_len) {
47	+ wpa_printf(MSG_INFO,
48	+ "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
49	+ (unsigned int) payload_len,
50	+ (unsigned int) (2 * prime_len + order_len));
51	+ goto fin;
52	+ }
53
54	if (((data->private_value = BN_new()) == NULL) \|\|
55	((data->my_element = EC_POINT_new(data->grp->group)) == NULL) \|\|
56	@@ -554,6 +571,18 @@ eap_pwd_perform_confirm_exchange(struct eap_sm sm, struct eap_pwd_data data,
57	u8 conf[SHA256_MAC_LEN], cruft = NULL, ptr;
58	int offset;
59
60	+ if (data->state != PWD_Confirm_Req) {
61	+ ret->ignore = TRUE;
62	+ goto fin;
63	+ }
64	+
65	+ if (payload_len != SHA256_MAC_LEN) {
66	+ wpa_printf(MSG_INFO,
67	+ "EAP-pwd: Unexpected Confirm payload length %u (expected %u)",
68	+ (unsigned int) payload_len, SHA256_MAC_LEN);
69	+ goto fin;
70	+ }
71	+
72	/*
73	* first build up the ciphersuite which is group \| random_function \|
74	* prf
75	--
76	1.9.1
77