diff options
Diffstat (limited to 'meta/recipes-connectivity/wpa-supplicant')
9 files changed, 6 insertions, 452 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch deleted file mode 100644 index 882674fe5b..0000000000 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch +++ /dev/null | |||
@@ -1,45 +0,0 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> | ||
4 | |||
5 | From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001 | ||
6 | From: Jouni Malinen <j@w1.fi> | ||
7 | Date: Wed, 29 Apr 2015 02:21:53 +0300 | ||
8 | Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser | ||
9 | |||
10 | The length of the WMM Action frame was not properly validated and the | ||
11 | length of the information elements (int left) could end up being | ||
12 | negative. This would result in reading significantly past the stack | ||
13 | buffer while parsing the IEs in ieee802_11_parse_elems() and while doing | ||
14 | so, resulting in segmentation fault. | ||
15 | |||
16 | This can result in an invalid frame being used for a denial of service | ||
17 | attack (hostapd process killed) against an AP with a driver that uses | ||
18 | hostapd for management frame processing (e.g., all mac80211-based | ||
19 | drivers). | ||
20 | |||
21 | Thanks to Kostya Kortchinsky of Google security team for discovering and | ||
22 | reporting this issue. | ||
23 | |||
24 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
25 | --- | ||
26 | src/ap/wmm.c | 3 +++ | ||
27 | 1 file changed, 3 insertions(+) | ||
28 | |||
29 | diff --git a/src/ap/wmm.c b/src/ap/wmm.c | ||
30 | index 6d4177c..314e244 100644 | ||
31 | --- a/src/ap/wmm.c | ||
32 | +++ b/src/ap/wmm.c | ||
33 | @@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd, | ||
34 | return; | ||
35 | } | ||
36 | |||
37 | + if (left < 0) | ||
38 | + return; /* not a valid WMM Action frame */ | ||
39 | + | ||
40 | /* extract the tspec info element */ | ||
41 | if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) { | ||
42 | hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, | ||
43 | -- | ||
44 | 1.9.1 | ||
45 | |||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch deleted file mode 100644 index a2bafc8c46..0000000000 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch +++ /dev/null | |||
@@ -1,77 +0,0 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> | ||
4 | |||
5 | From dd2f043c9c43d156494e33d7ce22db96e6ef42c7 Mon Sep 17 00:00:00 2001 | ||
6 | From: Jouni Malinen <j@w1.fi> | ||
7 | Date: Fri, 1 May 2015 16:37:45 +0300 | ||
8 | Subject: [PATCH 1/5] EAP-pwd peer: Fix payload length validation for Commit | ||
9 | and Confirm | ||
10 | |||
11 | The length of the received Commit and Confirm message payloads was not | ||
12 | checked before reading them. This could result in a buffer read | ||
13 | overflow when processing an invalid message. | ||
14 | |||
15 | Fix this by verifying that the payload is of expected length before | ||
16 | processing it. In addition, enforce correct state transition sequence to | ||
17 | make sure there is no unexpected behavior if receiving a Commit/Confirm | ||
18 | message before the previous exchanges have been completed. | ||
19 | |||
20 | Thanks to Kostya Kortchinsky of Google security team for discovering and | ||
21 | reporting this issue. | ||
22 | |||
23 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
24 | --- | ||
25 | src/eap_peer/eap_pwd.c | 29 +++++++++++++++++++++++++++++ | ||
26 | 1 file changed, 29 insertions(+) | ||
27 | |||
28 | diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c | ||
29 | index f2b0926..a629437 100644 | ||
30 | --- a/src/eap_peer/eap_pwd.c | ||
31 | +++ b/src/eap_peer/eap_pwd.c | ||
32 | @@ -355,6 +355,23 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data, | ||
33 | BIGNUM *mask = NULL, *x = NULL, *y = NULL, *cofactor = NULL; | ||
34 | u16 offset; | ||
35 | u8 *ptr, *scalar = NULL, *element = NULL; | ||
36 | + size_t prime_len, order_len; | ||
37 | + | ||
38 | + if (data->state != PWD_Commit_Req) { | ||
39 | + ret->ignore = TRUE; | ||
40 | + goto fin; | ||
41 | + } | ||
42 | + | ||
43 | + prime_len = BN_num_bytes(data->grp->prime); | ||
44 | + order_len = BN_num_bytes(data->grp->order); | ||
45 | + | ||
46 | + if (payload_len != 2 * prime_len + order_len) { | ||
47 | + wpa_printf(MSG_INFO, | ||
48 | + "EAP-pwd: Unexpected Commit payload length %u (expected %u)", | ||
49 | + (unsigned int) payload_len, | ||
50 | + (unsigned int) (2 * prime_len + order_len)); | ||
51 | + goto fin; | ||
52 | + } | ||
53 | |||
54 | if (((data->private_value = BN_new()) == NULL) || | ||
55 | ((data->my_element = EC_POINT_new(data->grp->group)) == NULL) || | ||
56 | @@ -554,6 +571,18 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data, | ||
57 | u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr; | ||
58 | int offset; | ||
59 | |||
60 | + if (data->state != PWD_Confirm_Req) { | ||
61 | + ret->ignore = TRUE; | ||
62 | + goto fin; | ||
63 | + } | ||
64 | + | ||
65 | + if (payload_len != SHA256_MAC_LEN) { | ||
66 | + wpa_printf(MSG_INFO, | ||
67 | + "EAP-pwd: Unexpected Confirm payload length %u (expected %u)", | ||
68 | + (unsigned int) payload_len, SHA256_MAC_LEN); | ||
69 | + goto fin; | ||
70 | + } | ||
71 | + | ||
72 | /* | ||
73 | * first build up the ciphersuite which is group | random_function | | ||
74 | * prf | ||
75 | -- | ||
76 | 1.9.1 | ||
77 | |||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch deleted file mode 100644 index e108a931c0..0000000000 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch +++ /dev/null | |||
@@ -1,47 +0,0 @@ | |||
1 | From 9ed4eee345f85e3025c33c6e20aa25696e341ccd Mon Sep 17 00:00:00 2001 | ||
2 | From: Jouni Malinen <jouni@qca.qualcomm.com> | ||
3 | Date: Tue, 7 Apr 2015 11:32:11 +0300 | ||
4 | Subject: [PATCH] P2P: Validate SSID element length before copying it | ||
5 | (CVE-2015-1863) | ||
6 | |||
7 | This fixes a possible memcpy overflow for P2P dev->oper_ssid in | ||
8 | p2p_add_device(). The length provided by the peer device (0..255 bytes) | ||
9 | was used without proper bounds checking and that could have resulted in | ||
10 | arbitrary data of up to 223 bytes being written beyond the end of the | ||
11 | dev->oper_ssid[] array (of which about 150 bytes would be beyond the | ||
12 | heap allocation) when processing a corrupted management frame for P2P | ||
13 | peer discovery purposes. | ||
14 | |||
15 | This could result in corrupted state in heap, unexpected program | ||
16 | behavior due to corrupted P2P peer device information, denial of service | ||
17 | due to process crash, exposure of memory contents during GO Negotiation, | ||
18 | and potentially arbitrary code execution. | ||
19 | |||
20 | Thanks to Google security team for reporting this issue and smart | ||
21 | hardware research group of Alibaba security team for discovering it. | ||
22 | |||
23 | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> | ||
24 | |||
25 | Upstream-Status: Backport | ||
26 | |||
27 | Signed-off-by: Yue Tao <yue.tao@windriver.com> | ||
28 | |||
29 | --- | ||
30 | src/p2p/p2p.c | 1 + | ||
31 | 1 file changed, 1 insertion(+) | ||
32 | |||
33 | diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c | ||
34 | index f584fae..a45fe73 100644 | ||
35 | --- a/src/p2p/p2p.c | ||
36 | +++ b/src/p2p/p2p.c | ||
37 | @@ -778,6 +778,7 @@ int p2p_add_device(struct p2p_data *p2p, const u8 *addr, int freq, | ||
38 | if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0) | ||
39 | os_memcpy(dev->interface_addr, addr, ETH_ALEN); | ||
40 | if (msg.ssid && | ||
41 | + msg.ssid[1] <= sizeof(dev->oper_ssid) && | ||
42 | (msg.ssid[1] != P2P_WILDCARD_SSID_LEN || | ||
43 | os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN) | ||
44 | != 0)) { | ||
45 | -- | ||
46 | 1.7.9.5 | ||
47 | |||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch deleted file mode 100644 index 2568ea1124..0000000000 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch +++ /dev/null | |||
@@ -1,53 +0,0 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> | ||
4 | |||
5 | From 5acd23f4581da58683f3cf5e36cb71bbe4070bd7 Mon Sep 17 00:00:00 2001 | ||
6 | From: Jouni Malinen <j@w1.fi> | ||
7 | Date: Tue, 28 Apr 2015 17:08:33 +0300 | ||
8 | Subject: [PATCH] WPS: Fix HTTP chunked transfer encoding parser | ||
9 | |||
10 | strtoul() return value may end up overflowing the int h->chunk_size and | ||
11 | resulting in a negative value to be stored as the chunk_size. This could | ||
12 | result in the following memcpy operation using a very large length | ||
13 | argument which would result in a buffer overflow and segmentation fault. | ||
14 | |||
15 | This could have been used to cause a denial service by any device that | ||
16 | has been authorized for network access (either wireless or wired). This | ||
17 | would affect both the WPS UPnP functionality in a WPS AP (hostapd with | ||
18 | upnp_iface parameter set in the configuration) and WPS ER | ||
19 | (wpa_supplicant with WPS_ER_START control interface command used). | ||
20 | |||
21 | Validate the parsed chunk length value to avoid this. In addition to | ||
22 | rejecting negative values, we can also reject chunk size that would be | ||
23 | larger than the maximum configured body length. | ||
24 | |||
25 | Thanks to Kostya Kortchinsky of Google security team for discovering and | ||
26 | reporting this issue. | ||
27 | |||
28 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
29 | --- | ||
30 | src/wps/httpread.c | 7 +++++++ | ||
31 | 1 file changed, 7 insertions(+) | ||
32 | |||
33 | diff --git a/src/wps/httpread.c b/src/wps/httpread.c | ||
34 | index 2f08f37..d2855e3 100644 | ||
35 | --- a/src/wps/httpread.c | ||
36 | +++ b/src/wps/httpread.c | ||
37 | @@ -533,6 +533,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx) | ||
38 | if (!isxdigit(*cbp)) | ||
39 | goto bad; | ||
40 | h->chunk_size = strtoul(cbp, NULL, 16); | ||
41 | + if (h->chunk_size < 0 || | ||
42 | + h->chunk_size > h->max_bytes) { | ||
43 | + wpa_printf(MSG_DEBUG, | ||
44 | + "httpread: Invalid chunk size %d", | ||
45 | + h->chunk_size); | ||
46 | + goto bad; | ||
47 | + } | ||
48 | /* throw away chunk header | ||
49 | * so we have only real data | ||
50 | */ | ||
51 | -- | ||
52 | 1.9.1 | ||
53 | |||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch deleted file mode 100644 index c477c2f93c..0000000000 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch +++ /dev/null | |||
@@ -1,70 +0,0 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> | ||
4 | |||
5 | From e28a58be26184c2a23f80b410e0997ef1bd5d578 Mon Sep 17 00:00:00 2001 | ||
6 | From: Jouni Malinen <j@w1.fi> | ||
7 | Date: Fri, 1 May 2015 16:40:44 +0300 | ||
8 | Subject: [PATCH 2/5] EAP-pwd server: Fix payload length validation for Commit | ||
9 | and Confirm | ||
10 | |||
11 | The length of the received Commit and Confirm message payloads was not | ||
12 | checked before reading them. This could result in a buffer read | ||
13 | overflow when processing an invalid message. | ||
14 | |||
15 | Fix this by verifying that the payload is of expected length before | ||
16 | processing it. In addition, enforce correct state transition sequence to | ||
17 | make sure there is no unexpected behavior if receiving a Commit/Confirm | ||
18 | message before the previous exchanges have been completed. | ||
19 | |||
20 | Thanks to Kostya Kortchinsky of Google security team for discovering and | ||
21 | reporting this issue. | ||
22 | |||
23 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
24 | --- | ||
25 | src/eap_server/eap_server_pwd.c | 19 +++++++++++++++++++ | ||
26 | 1 file changed, 19 insertions(+) | ||
27 | |||
28 | diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c | ||
29 | index 66bd5d2..3189105 100644 | ||
30 | --- a/src/eap_server/eap_server_pwd.c | ||
31 | +++ b/src/eap_server/eap_server_pwd.c | ||
32 | @@ -656,9 +656,21 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data, | ||
33 | BIGNUM *x = NULL, *y = NULL, *cofactor = NULL; | ||
34 | EC_POINT *K = NULL, *point = NULL; | ||
35 | int res = 0; | ||
36 | + size_t prime_len, order_len; | ||
37 | |||
38 | wpa_printf(MSG_DEBUG, "EAP-pwd: Received commit response"); | ||
39 | |||
40 | + prime_len = BN_num_bytes(data->grp->prime); | ||
41 | + order_len = BN_num_bytes(data->grp->order); | ||
42 | + | ||
43 | + if (payload_len != 2 * prime_len + order_len) { | ||
44 | + wpa_printf(MSG_INFO, | ||
45 | + "EAP-pwd: Unexpected Commit payload length %u (expected %u)", | ||
46 | + (unsigned int) payload_len, | ||
47 | + (unsigned int) (2 * prime_len + order_len)); | ||
48 | + goto fin; | ||
49 | + } | ||
50 | + | ||
51 | if (((data->peer_scalar = BN_new()) == NULL) || | ||
52 | ((data->k = BN_new()) == NULL) || | ||
53 | ((cofactor = BN_new()) == NULL) || | ||
54 | @@ -774,6 +786,13 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data, | ||
55 | u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr; | ||
56 | int offset; | ||
57 | |||
58 | + if (payload_len != SHA256_MAC_LEN) { | ||
59 | + wpa_printf(MSG_INFO, | ||
60 | + "EAP-pwd: Unexpected Confirm payload length %u (expected %u)", | ||
61 | + (unsigned int) payload_len, SHA256_MAC_LEN); | ||
62 | + goto fin; | ||
63 | + } | ||
64 | + | ||
65 | /* build up the ciphersuite: group | random_function | prf */ | ||
66 | grp = htons(data->group_num); | ||
67 | ptr = (u8 *) &cs; | ||
68 | -- | ||
69 | 1.9.1 | ||
70 | |||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch deleted file mode 100644 index e46ce436e1..0000000000 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch +++ /dev/null | |||
@@ -1,56 +0,0 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> | ||
4 | |||
5 | From 477c74395acd0123340457ba6f15ab345d42016e Mon Sep 17 00:00:00 2001 | ||
6 | From: Jouni Malinen <j@w1.fi> | ||
7 | Date: Sat, 2 May 2015 19:23:04 +0300 | ||
8 | Subject: [PATCH 3/5] EAP-pwd peer: Fix Total-Length parsing for fragment | ||
9 | reassembly | ||
10 | |||
11 | The remaining number of bytes in the message could be smaller than the | ||
12 | Total-Length field size, so the length needs to be explicitly checked | ||
13 | prior to reading the field and decrementing the len variable. This could | ||
14 | have resulted in the remaining length becoming negative and interpreted | ||
15 | as a huge positive integer. | ||
16 | |||
17 | In addition, check that there is no already started fragment in progress | ||
18 | before allocating a new buffer for reassembling fragments. This avoid a | ||
19 | potential memory leak when processing invalid message. | ||
20 | |||
21 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
22 | --- | ||
23 | src/eap_peer/eap_pwd.c | 12 ++++++++++++ | ||
24 | 1 file changed, 12 insertions(+) | ||
25 | |||
26 | diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c | ||
27 | index a629437..1d2079b 100644 | ||
28 | --- a/src/eap_peer/eap_pwd.c | ||
29 | +++ b/src/eap_peer/eap_pwd.c | ||
30 | @@ -866,11 +866,23 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret, | ||
31 | * if it's the first fragment there'll be a length field | ||
32 | */ | ||
33 | if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) { | ||
34 | + if (len < 2) { | ||
35 | + wpa_printf(MSG_DEBUG, | ||
36 | + "EAP-pwd: Frame too short to contain Total-Length field"); | ||
37 | + ret->ignore = TRUE; | ||
38 | + return NULL; | ||
39 | + } | ||
40 | tot_len = WPA_GET_BE16(pos); | ||
41 | wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments whose " | ||
42 | "total length = %d", tot_len); | ||
43 | if (tot_len > 15000) | ||
44 | return NULL; | ||
45 | + if (data->inbuf) { | ||
46 | + wpa_printf(MSG_DEBUG, | ||
47 | + "EAP-pwd: Unexpected new fragment start when previous fragment is still in use"); | ||
48 | + ret->ignore = TRUE; | ||
49 | + return NULL; | ||
50 | + } | ||
51 | data->inbuf = wpabuf_alloc(tot_len); | ||
52 | if (data->inbuf == NULL) { | ||
53 | wpa_printf(MSG_INFO, "Out of memory to buffer " | ||
54 | -- | ||
55 | 1.9.1 | ||
56 | |||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch deleted file mode 100644 index a4c02b4745..0000000000 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch +++ /dev/null | |||
@@ -1,54 +0,0 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> | ||
4 | |||
5 | From 3035cc2894e08319b905bd6561e8bddc8c2db9fa Mon Sep 17 00:00:00 2001 | ||
6 | From: Jouni Malinen <j@w1.fi> | ||
7 | Date: Sat, 2 May 2015 19:26:06 +0300 | ||
8 | Subject: [PATCH 4/5] EAP-pwd server: Fix Total-Length parsing for fragment | ||
9 | reassembly | ||
10 | |||
11 | The remaining number of bytes in the message could be smaller than the | ||
12 | Total-Length field size, so the length needs to be explicitly checked | ||
13 | prior to reading the field and decrementing the len variable. This could | ||
14 | have resulted in the remaining length becoming negative and interpreted | ||
15 | as a huge positive integer. | ||
16 | |||
17 | In addition, check that there is no already started fragment in progress | ||
18 | before allocating a new buffer for reassembling fragments. This avoid a | ||
19 | potential memory leak when processing invalid message. | ||
20 | |||
21 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
22 | --- | ||
23 | src/eap_server/eap_server_pwd.c | 10 ++++++++++ | ||
24 | 1 file changed, 10 insertions(+) | ||
25 | |||
26 | diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c | ||
27 | index 3189105..2bfc3c2 100644 | ||
28 | --- a/src/eap_server/eap_server_pwd.c | ||
29 | +++ b/src/eap_server/eap_server_pwd.c | ||
30 | @@ -942,11 +942,21 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv, | ||
31 | * the first fragment has a total length | ||
32 | */ | ||
33 | if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) { | ||
34 | + if (len < 2) { | ||
35 | + wpa_printf(MSG_DEBUG, | ||
36 | + "EAP-pwd: Frame too short to contain Total-Length field"); | ||
37 | + return; | ||
38 | + } | ||
39 | tot_len = WPA_GET_BE16(pos); | ||
40 | wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total " | ||
41 | "length = %d", tot_len); | ||
42 | if (tot_len > 15000) | ||
43 | return; | ||
44 | + if (data->inbuf) { | ||
45 | + wpa_printf(MSG_DEBUG, | ||
46 | + "EAP-pwd: Unexpected new fragment start when previous fragment is still in use"); | ||
47 | + return; | ||
48 | + } | ||
49 | data->inbuf = wpabuf_alloc(tot_len); | ||
50 | if (data->inbuf == NULL) { | ||
51 | wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to " | ||
52 | -- | ||
53 | 1.9.1 | ||
54 | |||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch deleted file mode 100644 index 4073600732..0000000000 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch +++ /dev/null | |||
@@ -1,36 +0,0 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> | ||
4 | |||
5 | From 28a069a545b06b99eb55ad53f63f2c99e65a98f6 Mon Sep 17 00:00:00 2001 | ||
6 | From: Jouni Malinen <j@w1.fi> | ||
7 | Date: Sat, 2 May 2015 19:26:28 +0300 | ||
8 | Subject: [PATCH 5/5] EAP-pwd peer: Fix asymmetric fragmentation behavior | ||
9 | |||
10 | The L (Length) and M (More) flags needs to be cleared before deciding | ||
11 | whether the locally generated response requires fragmentation. This | ||
12 | fixes an issue where these flags from the server could have been invalid | ||
13 | for the following message. In some cases, this could have resulted in | ||
14 | triggering the wpabuf security check that would terminate the process | ||
15 | due to invalid buffer allocation. | ||
16 | |||
17 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
18 | --- | ||
19 | src/eap_peer/eap_pwd.c | 1 + | ||
20 | 1 file changed, 1 insertion(+) | ||
21 | |||
22 | diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c | ||
23 | index 1d2079b..e58b13a 100644 | ||
24 | --- a/src/eap_peer/eap_pwd.c | ||
25 | +++ b/src/eap_peer/eap_pwd.c | ||
26 | @@ -968,6 +968,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret, | ||
27 | /* | ||
28 | * we have output! Do we need to fragment it? | ||
29 | */ | ||
30 | + lm_exch = EAP_PWD_GET_EXCHANGE(lm_exch); | ||
31 | len = wpabuf_len(data->outbuf); | ||
32 | if ((len + EAP_PWD_HDR_SIZE) > data->mtu) { | ||
33 | resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD, data->mtu, | ||
34 | -- | ||
35 | 1.9.1 | ||
36 | |||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.5.bb index a124cf21d9..21263771ed 100644 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.5.bb | |||
@@ -1,11 +1,11 @@ | |||
1 | SUMMARY = "Client for Wi-Fi Protected Access (WPA)" | 1 | SUMMARY = "Client for Wi-Fi Protected Access (WPA)" |
2 | HOMEPAGE = "http://hostap.epitest.fi/wpa_supplicant/" | 2 | HOMEPAGE = "http://w1.fi/wpa_supplicant/" |
3 | BUGTRACKER = "http://hostap.epitest.fi/bugz/" | 3 | BUGTRACKER = "http://w1.fi/security/" |
4 | SECTION = "network" | 4 | SECTION = "network" |
5 | LICENSE = "BSD" | 5 | LICENSE = "BSD" |
6 | LIC_FILES_CHKSUM = "file://COPYING;md5=36b27801447e0662ee0138d17fe93880 \ | 6 | LIC_FILES_CHKSUM = "file://COPYING;md5=36b27801447e0662ee0138d17fe93880 \ |
7 | file://README;beginline=1;endline=56;md5=7f393579f8b109fe91f3b9765d26c7d3 \ | 7 | file://README;beginline=1;endline=56;md5=7f393579f8b109fe91f3b9765d26c7d3 \ |
8 | file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=3430fda79f2ba1dd545f0b3c4d6e4d24 " | 8 | file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=3430fda79f2ba1dd545f0b3c4d6e4d24" |
9 | DEPENDS = "dbus libnl libgcrypt" | 9 | DEPENDS = "dbus libnl libgcrypt" |
10 | RRECOMMENDS_${PN} = "wpa-supplicant-passphrase wpa-supplicant-cli" | 10 | RRECOMMENDS_${PN} = "wpa-supplicant-passphrase wpa-supplicant-cli" |
11 | 11 | ||
@@ -18,23 +18,15 @@ inherit systemd | |||
18 | SYSTEMD_SERVICE_${PN} = "wpa_supplicant.service wpa_supplicant-nl80211@.service wpa_supplicant-wired@.service" | 18 | SYSTEMD_SERVICE_${PN} = "wpa_supplicant.service wpa_supplicant-nl80211@.service wpa_supplicant-wired@.service" |
19 | SYSTEMD_AUTO_ENABLE = "disable" | 19 | SYSTEMD_AUTO_ENABLE = "disable" |
20 | 20 | ||
21 | SRC_URI = "http://hostap.epitest.fi/releases/wpa_supplicant-${PV}.tar.gz \ | 21 | SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \ |
22 | file://defconfig \ | 22 | file://defconfig \ |
23 | file://wpa-supplicant.sh \ | 23 | file://wpa-supplicant.sh \ |
24 | file://wpa_supplicant.conf \ | 24 | file://wpa_supplicant.conf \ |
25 | file://wpa_supplicant.conf-sane \ | 25 | file://wpa_supplicant.conf-sane \ |
26 | file://99_wpa_supplicant \ | 26 | file://99_wpa_supplicant \ |
27 | file://0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch \ | ||
28 | file://0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch \ | ||
29 | file://0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch \ | ||
30 | file://0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch \ | ||
31 | file://0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch \ | ||
32 | file://0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch \ | ||
33 | file://0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch \ | ||
34 | file://0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch \ | ||
35 | " | 27 | " |
36 | SRC_URI[md5sum] = "f0037dbe03897dcaf2ad2722e659095d" | 28 | SRC_URI[md5sum] = "96ff75c3a514f1f324560a2376f13110" |
37 | SRC_URI[sha256sum] = "058dc832c096139a059e6df814080f50251a8d313c21b13364c54a1e70109122" | 29 | SRC_URI[sha256sum] = "cce55bae483b364eae55c35ba567c279be442ed8bab5b80a3c7fb0d057b9b316" |
38 | 30 | ||
39 | S = "${WORKDIR}/wpa_supplicant-${PV}" | 31 | S = "${WORKDIR}/wpa_supplicant-${PV}" |
40 | 32 | ||