1 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch
new file mode 100644
index 0000000000..8c90fa3421
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch
@@ -0,0 +1,45 @@
+From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Mon, 9 Nov 2020 11:43:12 +0200
+Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
+ client
+Parsing and copying of WPS secondary device types list was verifying
+that the contents is not too long for the internal maximum in the case
+of WPS messages, but similar validation was missing from the case of P2P
+group information which encodes this information in a different
+attribute. This could result in writing beyond the memory area assigned
+for these entries and corrupting memory within an instance of struct
+p2p_device. This could result in invalid operations and unexpected
+behavior when trying to free pointers from that corrupted memory.
+Upstream-Status: Backport
+CVE: CVE-2021-0326
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=947272febe24a8f0ea828b5b2f35f13c3821901e]
+Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
+Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/p2p/p2p.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
+index a08ba02..079270f 100644
+--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
+@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
+        dev->info.config_methods = cli->config_methods;
+        os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
+        dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
+       if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
+               dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
+        os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
+                  dev->info.wps_sec_dev_type_list_len);
+ }
+-- 
+2.17.1

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch new file mode 100644 index 0000000000..8c90fa3421 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch
@@ -0,0 +1,45 @@
	1	From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
	2	From: Jouni Malinen <jouni@codeaurora.org>
	3	Date: Mon, 9 Nov 2020 11:43:12 +0200
	4	Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
	5	client
	6
	7	Parsing and copying of WPS secondary device types list was verifying
	8	that the contents is not too long for the internal maximum in the case
	9	of WPS messages, but similar validation was missing from the case of P2P
	10	group information which encodes this information in a different
	11	attribute. This could result in writing beyond the memory area assigned
	12	for these entries and corrupting memory within an instance of struct
	13	p2p_device. This could result in invalid operations and unexpected
	14	behavior when trying to free pointers from that corrupted memory.
	15
	16	Upstream-Status: Backport
	17	CVE: CVE-2021-0326
	18
	19	Reference to upstream patch:
	20	[https://w1.fi/cgit/hostap/commit/?id=947272febe24a8f0ea828b5b2f35f13c3821901e]
	21
	22	Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
	23	Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
	24	Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
	25	Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
	26	---
	27	src/p2p/p2p.c \| 2 ++
	28	1 file changed, 2 insertions(+)
	29
	30	diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
	31	index a08ba02..079270f 100644
	32	--- a/src/p2p/p2p.c
	33	+++ b/src/p2p/p2p.c
	34	@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
	35	dev->info.config_methods = cli->config_methods;
	36	os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
	37	dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
	38	+ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
	39	+ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
	40	os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
	41	dev->info.wps_sec_dev_type_list_len);
	42	}
	43	--
	44	2.17.1
	45