Diffstat (limited to 'meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch')
-rw-r--r-- | meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch | 53 |
1 files changed, 53 insertions, 0 deletions
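--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
@@ -0,0 +1,53 @@
+Upstream-Status: Backport
+
+Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
+
+From 5acd23f4581da58683f3cf5e36cb71bbe4070bd7 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Tue, 28 Apr 2015 17:08:33 +0300
+Subject: [PATCH] WPS: Fix HTTP chunked transfer encoding parser
+
+strtoul() return value may end up overflowing the int h->chunk_size and
+resulting in a negative value to be stored as the chunk_size. This could
+result in the following memcpy operation using a very large length
+argument which would result in a buffer overflow and segmentation fault.
+
+This could have been used to cause a denial service by any device that
+has been authorized for network access (either wireless or wired). This
+would affect both the WPS UPnP functionality in a WPS AP (hostapd with
+upnp_iface parameter set in the configuration) and WPS ER
+(wpa_supplicant with WPS_ER_START control interface command used).
+
+Validate the parsed chunk length value to avoid this. In addition to
+rejecting negative values, we can also reject chunk size that would be
+larger than the maximum configured body length.
+
+Thanks to Kostya Kortchinsky of Google security team for discovering and
+reporting this issue.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+src/wps/httpread.c | 7 +++++++
+1 file changed, 7 insertions(+)
+
+diff --git a/src/wps/httpread.c b/src/wps/httpread.c
+index 2f08f37..d2855e3 100644
+--- a/src/wps/httpread.c
++++ b/src/wps/httpread.c
+@@ -533,6 +533,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx)
+if (!isxdigit(*cbp))
+goto bad;
+h->chunk_size = strtoul(cbp, NULL, 16);
++ if (h->chunk_size < 0 ||
++ h->chunk_size > h->max_bytes) {
++ wpa_printf(MSG_DEBUG,
++ "httpread: Invalid chunk size %d",
++ h->chunk_size);
++ goto bad;
++ }
+/* throw away chunk header
+* so we have only real data
+*/
+--
+1.9.1
+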
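Review bot: The range check in the added lines runs on the value after it has already been narrowed into the `int` field `h->chunk_size`, so a hex length above `INT_MAX` that happens to truncate to a small non-negative `int` (for example `100000010` with a 64-bit `unsigned long`, which becomes 16) passes both comparisons and the parser continues with a chunk length different from the one the peer sent. The `unsigned long` to `int` conversion of an out-of-range value is implementation-defined rather than guaranteed to produce a negative number, so the `< 0` test is not a reliable catch even for the case the commit message describes. Keeping the `strtoul()` result in an `unsigned long` local (declared at the top of the function) and comparing it with `max_bytes` before storing it removes the dependence on truncation; the type of `max_bytes` is not visible here, so the cast below assumes it is a non-negative `int`. Since this is carried as a Yocto backport, the patch header would also benefit from a `CVE:` line if the upstream advisory assigned an identifier, none being quoted in this file. `httpread_read_handler()` starts and ends outside the hunk.
```c
	/* … unchanged: isxdigit() check on *cbp … */
	chunk_size = strtoul(cbp, NULL, 16);
	if (chunk_size > (unsigned long) h->max_bytes) {
		wpa_printf(MSG_DEBUG,
			   "httpread: Invalid chunk size %lu",
			   chunk_size);
		goto bad;
	}
	h->chunk_size = (int) chunk_size;
	/* … unchanged: throw away chunk header … */
```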