diff options
Diffstat (limited to 'meta')
2 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant.inc b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant.inc index 93a2aa8b74..4340741b5b 100644 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant.inc +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant.inc | |||
@@ -33,6 +33,7 @@ SRC_URI = "http://hostap.epitest.fi/releases/wpa_supplicant-${PV}.tar.gz \ | |||
33 | file://0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch \ | 33 | file://0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch \ |
34 | file://0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch \ | 34 | file://0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch \ |
35 | file://0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch \ | 35 | file://0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch \ |
36 | file://0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch \ | ||
36 | " | 37 | " |
37 | SRC_URI[md5sum] = "f2ed8fef72cf63d8d446a2d0a6da630a" | 38 | SRC_URI[md5sum] = "f2ed8fef72cf63d8d446a2d0a6da630a" |
38 | SRC_URI[sha256sum] = "eaaa5bf3055270e521b2dff64f2d203ec8040f71958b8588269a82c00c9d7b6a" | 39 | SRC_URI[sha256sum] = "eaaa5bf3055270e521b2dff64f2d203ec8040f71958b8588269a82c00c9d7b6a" |
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch new file mode 100644 index 0000000000..bc1d1e5d26 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch | |||
@@ -0,0 +1,64 @@ | |||
1 | From c13401c723a039971bcd91b3856d76c6041b15f2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jouni Malinen <j@w1.fi> | ||
3 | Date: Fri, 13 Nov 2015 05:54:18 -0500 | ||
4 | Subject: [PATCH] NFC: Fix payload length validation in NDEF record parser | ||
5 | |||
6 | It was possible for the 32-bit record->total_length value to end up | ||
7 | wrapping around due to integer overflow if the longer form of payload | ||
8 | length field is used and record->payload_length gets a value close to | ||
9 | 2^32. This could result in ndef_parse_record() accepting a too large | ||
10 | payload length value and the record type filter reading up to about 20 | ||
11 | bytes beyond the end of the buffer and potentially killing the process. | ||
12 | This could also result in an attempt to allocate close to 2^32 bytes of | ||
13 | heap memory and if that were to succeed, a buffer read overflow of the | ||
14 | same length which would most likely result in the process termination. | ||
15 | In case of record->total_length ending up getting the value 0, there | ||
16 | would be no buffer read overflow, but record parsing would result in an | ||
17 | infinite loop in ndef_parse_records(). | ||
18 | |||
19 | Any of these error cases could potentially be used for denial of service | ||
20 | attacks over NFC by using a malformed NDEF record on an NFC Tag or | ||
21 | sending them during NFC connection handover if the application providing | ||
22 | the NDEF message to hostapd/wpa_supplicant did no validation of the | ||
23 | received records. While such validation is likely done in the NFC stack | ||
24 | that needs to parse the NFC messages before further processing, | ||
25 | hostapd/wpa_supplicant better be prepared for any data being included | ||
26 | here. | ||
27 | |||
28 | Fix this by validating record->payload_length value in a way that | ||
29 | detects integer overflow. (CID 122668) | ||
30 | |||
31 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
32 | |||
33 | Upstream-Status: Backport [from http://w1.fi/security/2015-5/] | ||
34 | Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> | ||
35 | --- | ||
36 | src/wps/ndef.c | 5 ++++- | ||
37 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
38 | |||
39 | diff --git a/src/wps/ndef.c b/src/wps/ndef.c | ||
40 | index d45dfc8..f7f729b 100644 | ||
41 | --- a/src/wps/ndef.c | ||
42 | +++ b/src/wps/ndef.c | ||
43 | @@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *data, u32 size, | ||
44 | if (size < 6) | ||
45 | return -1; | ||
46 | record->payload_length = ntohl(*(u32 *)pos); | ||
47 | + if (record->payload_length > size - 6) | ||
48 | + return -1; | ||
49 | pos += sizeof(u32); | ||
50 | } | ||
51 | |||
52 | @@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *data, u32 size, | ||
53 | pos += record->payload_length; | ||
54 | |||
55 | record->total_length = pos - data; | ||
56 | - if (record->total_length > size) | ||
57 | + if (record->total_length > size || | ||
58 | + record->total_length < record->payload_length) | ||
59 | return -1; | ||
60 | return 0; | ||
61 | } | ||
62 | -- | ||
63 | 1.9.1 | ||
64 | |||