1 files changed, 60 insertions, 0 deletions

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0010-SAE-Fix-confirm-message-validation-in-error-cases.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0010-SAE-Fix-confirm-message-validation-in-error-cases.patch
new file mode 100644
index 0000000000..9d2c6983d4
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0010-SAE-Fix-confirm-message-validation-in-error-cases.patch
@@ -0,0 +1,60 @@
+From ac8fa9ef198640086cf2ce7c94673be2b6a018a0 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 5 Mar 2019 23:43:25 +0200
+Subject: [PATCH 10/14] SAE: Fix confirm message validation in error cases
+
+Explicitly verify that own and peer commit scalar/element are available
+when trying to check SAE confirm message. It could have been possible to
+hit a NULL pointer dereference if the peer element could not have been
+parsed. (CVE-2019-9496)
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-9496
+---
+ src/common/sae.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index eaf825d..5a50294 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -1487,23 +1487,31 @@ int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len)
+ 
+        wpa_printf(MSG_DEBUG, "SAE: peer-send-confirm %u", WPA_GET_LE16(data));
+ 
+-       if (sae->tmp == NULL) {
++       if (!sae->tmp || !sae->peer_commit_scalar ||
++           !sae->tmp->own_commit_scalar) {
+                wpa_printf(MSG_DEBUG, "SAE: Temporary data not yet available");
+                return -1;
+        }
+ 
+-       if (sae->tmp->ec)
++       if (sae->tmp->ec) {
++               if (!sae->tmp->peer_commit_element_ecc ||
++                   !sae->tmp->own_commit_element_ecc)
++                       return -1;
+                sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar,
+                                   sae->tmp->peer_commit_element_ecc,
+                                   sae->tmp->own_commit_scalar,
+                                   sae->tmp->own_commit_element_ecc,
+                                   verifier);
+-       else
++       } else {
++               if (!sae->tmp->peer_commit_element_ffc ||
++                   !sae->tmp->own_commit_element_ffc)
++                       return -1;
+                sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar,
+                                   sae->tmp->peer_commit_element_ffc,
+                                   sae->tmp->own_commit_scalar,
+                                   sae->tmp->own_commit_element_ffc,
+                                   verifier);
++       }
+ 
+        if (os_memcmp_const(verifier, data + 2, SHA256_MAC_LEN) != 0) {
+                wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch");
+-- 
+2.7.4
+