From 012ca02e177cd375173388d3047d5be547f13359 Mon Sep 17 00:00:00 2001 From: Fan Xin Date: Thu, 19 Nov 2015 19:46:47 +0900 Subject: wpa-supplicant: upgrade to 2.5 wpa-supplicant: upgrade to 2.5 1. upgrade to 2.5 2. remove eight patches since they have been applied in 2.5 3. update SRC_URI, HOMEPAGE and BUGTRACKER to use w1.fi instead (From OE-Core rev: 80af821d1240a1fc2b32379b75801571db562657) Signed-off-by: Fan Xin Signed-off-by: Ross Burton Signed-off-by: Richard Purdie --- ...ver-Fix-Total-Length-parsing-for-fragment.patch | 54 ---------------------- 1 file changed, 54 deletions(-) delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch (limited to 'meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch') diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch deleted file mode 100644 index a4c02b4745..0000000000 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch +++ /dev/null @@ -1,54 +0,0 @@ -Upstream-Status: Backport - -Signed-off-by: Fan Xin - -From 3035cc2894e08319b905bd6561e8bddc8c2db9fa Mon Sep 17 00:00:00 2001 -From: Jouni Malinen -Date: Sat, 2 May 2015 19:26:06 +0300 -Subject: [PATCH 4/5] EAP-pwd server: Fix Total-Length parsing for fragment - reassembly - -The remaining number of bytes in the message could be smaller than the -Total-Length field size, so the length needs to be explicitly checked -prior to reading the field and decrementing the len variable. This could -have resulted in the remaining length becoming negative and interpreted -as a huge positive integer. - -In addition, check that there is no already started fragment in progress -before allocating a new buffer for reassembling fragments. This avoid a -potential memory leak when processing invalid message. - -Signed-off-by: Jouni Malinen ---- - src/eap_server/eap_server_pwd.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c -index 3189105..2bfc3c2 100644 ---- a/src/eap_server/eap_server_pwd.c -+++ b/src/eap_server/eap_server_pwd.c -@@ -942,11 +942,21 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv, - * the first fragment has a total length - */ - if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) { -+ if (len < 2) { -+ wpa_printf(MSG_DEBUG, -+ "EAP-pwd: Frame too short to contain Total-Length field"); -+ return; -+ } - tot_len = WPA_GET_BE16(pos); - wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total " - "length = %d", tot_len); - if (tot_len > 15000) - return; -+ if (data->inbuf) { -+ wpa_printf(MSG_DEBUG, -+ "EAP-pwd: Unexpected new fragment start when previous fragment is still in use"); -+ return; -+ } - data->inbuf = wpabuf_alloc(tot_len); - if (data->inbuf == NULL) { - wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to " --- -1.9.1 - -- cgit v1.2.3-54-g00ecf