From 7d663e9c473c5e5a4ce6b09f3a0743f623faa956 Mon Sep 17 00:00:00 2001 From: Hongxu Jia Date: Fri, 13 Nov 2015 19:08:06 +0800 Subject: wpa-supplicant: Fix CVE-2015-8041 Backport patch from http://w1.fi/security/2015-5/ and rebase for wpa-supplicant 2.4 (From OE-Core rev: 12520d7f729fe3d07c2f94b813994718edb2d987) Signed-off-by: Hongxu Jia Not needed in master since the upgrade to 2.5 Signed-off-by: Joshua Lock Signed-off-by: Richard Purdie --- .../wpa-supplicant/wpa-supplicant.inc | 1 + ...load-length-validation-in-NDEF-record-par.patch | 64 ++++++++++++++++++++++ 2 files changed, 65 insertions(+) create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant.inc b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant.inc index 93a2aa8b74..4340741b5b 100644 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant.inc +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant.inc @@ -33,6 +33,7 @@ SRC_URI = "http://hostap.epitest.fi/releases/wpa_supplicant-${PV}.tar.gz \ file://0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch \ file://0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch \ file://0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch \ + file://0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch \ " SRC_URI[md5sum] = "f2ed8fef72cf63d8d446a2d0a6da630a" SRC_URI[sha256sum] = "eaaa5bf3055270e521b2dff64f2d203ec8040f71958b8588269a82c00c9d7b6a" diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch new file mode 100644 index 0000000000..bc1d1e5d26 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch @@ -0,0 +1,64 @@ +From c13401c723a039971bcd91b3856d76c6041b15f2 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Fri, 13 Nov 2015 05:54:18 -0500 +Subject: [PATCH] NFC: Fix payload length validation in NDEF record parser + +It was possible for the 32-bit record->total_length value to end up +wrapping around due to integer overflow if the longer form of payload +length field is used and record->payload_length gets a value close to +2^32. This could result in ndef_parse_record() accepting a too large +payload length value and the record type filter reading up to about 20 +bytes beyond the end of the buffer and potentially killing the process. +This could also result in an attempt to allocate close to 2^32 bytes of +heap memory and if that were to succeed, a buffer read overflow of the +same length which would most likely result in the process termination. +In case of record->total_length ending up getting the value 0, there +would be no buffer read overflow, but record parsing would result in an +infinite loop in ndef_parse_records(). + +Any of these error cases could potentially be used for denial of service +attacks over NFC by using a malformed NDEF record on an NFC Tag or +sending them during NFC connection handover if the application providing +the NDEF message to hostapd/wpa_supplicant did no validation of the +received records. While such validation is likely done in the NFC stack +that needs to parse the NFC messages before further processing, +hostapd/wpa_supplicant better be prepared for any data being included +here. + +Fix this by validating record->payload_length value in a way that +detects integer overflow. (CID 122668) + +Signed-off-by: Jouni Malinen + +Upstream-Status: Backport [from http://w1.fi/security/2015-5/] +Signed-off-by: Hongxu Jia +--- + src/wps/ndef.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/wps/ndef.c b/src/wps/ndef.c +index d45dfc8..f7f729b 100644 +--- a/src/wps/ndef.c ++++ b/src/wps/ndef.c +@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *data, u32 size, + if (size < 6) + return -1; + record->payload_length = ntohl(*(u32 *)pos); ++ if (record->payload_length > size - 6) ++ return -1; + pos += sizeof(u32); + } + +@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *data, u32 size, + pos += record->payload_length; + + record->total_length = pos - data; +- if (record->total_length > size) ++ if (record->total_length > size || ++ record->total_length < record->payload_length) + return -1; + return 0; + } +-- +1.9.1 + -- cgit v1.2.3-54-g00ecf