diff options
Diffstat (limited to 'meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch')
| -rw-r--r-- | meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch new file mode 100644 index 0000000000..c477c2f93c --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch | |||
| @@ -0,0 +1,70 @@ | |||
| 1 | Upstream-Status: Backport | ||
| 2 | |||
| 3 | Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> | ||
| 4 | |||
| 5 | From e28a58be26184c2a23f80b410e0997ef1bd5d578 Mon Sep 17 00:00:00 2001 | ||
| 6 | From: Jouni Malinen <j@w1.fi> | ||
| 7 | Date: Fri, 1 May 2015 16:40:44 +0300 | ||
| 8 | Subject: [PATCH 2/5] EAP-pwd server: Fix payload length validation for Commit | ||
| 9 | and Confirm | ||
| 10 | |||
| 11 | The length of the received Commit and Confirm message payloads was not | ||
| 12 | checked before reading them. This could result in a buffer read | ||
| 13 | overflow when processing an invalid message. | ||
| 14 | |||
| 15 | Fix this by verifying that the payload is of expected length before | ||
| 16 | processing it. In addition, enforce correct state transition sequence to | ||
| 17 | make sure there is no unexpected behavior if receiving a Commit/Confirm | ||
| 18 | message before the previous exchanges have been completed. | ||
| 19 | |||
| 20 | Thanks to Kostya Kortchinsky of Google security team for discovering and | ||
| 21 | reporting this issue. | ||
| 22 | |||
| 23 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
| 24 | --- | ||
| 25 | src/eap_server/eap_server_pwd.c | 19 +++++++++++++++++++ | ||
| 26 | 1 file changed, 19 insertions(+) | ||
| 27 | |||
| 28 | diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c | ||
| 29 | index 66bd5d2..3189105 100644 | ||
| 30 | --- a/src/eap_server/eap_server_pwd.c | ||
| 31 | +++ b/src/eap_server/eap_server_pwd.c | ||
| 32 | @@ -656,9 +656,21 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data, | ||
| 33 | BIGNUM *x = NULL, *y = NULL, *cofactor = NULL; | ||
| 34 | EC_POINT *K = NULL, *point = NULL; | ||
| 35 | int res = 0; | ||
| 36 | + size_t prime_len, order_len; | ||
| 37 | |||
| 38 | wpa_printf(MSG_DEBUG, "EAP-pwd: Received commit response"); | ||
| 39 | |||
| 40 | + prime_len = BN_num_bytes(data->grp->prime); | ||
| 41 | + order_len = BN_num_bytes(data->grp->order); | ||
| 42 | + | ||
| 43 | + if (payload_len != 2 * prime_len + order_len) { | ||
| 44 | + wpa_printf(MSG_INFO, | ||
| 45 | + "EAP-pwd: Unexpected Commit payload length %u (expected %u)", | ||
| 46 | + (unsigned int) payload_len, | ||
| 47 | + (unsigned int) (2 * prime_len + order_len)); | ||
| 48 | + goto fin; | ||
| 49 | + } | ||
| 50 | + | ||
| 51 | if (((data->peer_scalar = BN_new()) == NULL) || | ||
| 52 | ((data->k = BN_new()) == NULL) || | ||
| 53 | ((cofactor = BN_new()) == NULL) || | ||
| 54 | @@ -774,6 +786,13 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data, | ||
| 55 | u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr; | ||
| 56 | int offset; | ||
| 57 | |||
| 58 | + if (payload_len != SHA256_MAC_LEN) { | ||
| 59 | + wpa_printf(MSG_INFO, | ||
| 60 | + "EAP-pwd: Unexpected Confirm payload length %u (expected %u)", | ||
| 61 | + (unsigned int) payload_len, SHA256_MAC_LEN); | ||
| 62 | + goto fin; | ||
| 63 | + } | ||
| 64 | + | ||
| 65 | /* build up the ciphersuite: group | random_function | prf */ | ||
| 66 | grp = htons(data->group_num); | ||
| 67 | ptr = (u8 *) &cs; | ||
| 68 | -- | ||
| 69 | 1.9.1 | ||
| 70 | |||