summaryrefslogtreecommitdiff
path: root/package/network/services/hostapd/patches/004-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
diff options
context:
space:
mode:
authorFelix Fietkau <nbd@openwrt.org>2016-01-10 17:03:37 +0000
committerFelix Fietkau <nbd@openwrt.org>2016-01-10 17:03:37 +0000
commit6c40914c0c637ee27ab513e734ef63e5a532cdb1 (patch)
tree6f122326eb20bcf29a07fb4b613cd007a724f20b /package/network/services/hostapd/patches/004-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
parenta960fcef292c805b1d7a8fe8a9f6995ca7f4931b (diff)
downloadmtk-20170518-6c40914c0c637ee27ab513e734ef63e5a532cdb1.zip
mtk-20170518-6c40914c0c637ee27ab513e734ef63e5a532cdb1.tar.gz
mtk-20170518-6c40914c0c637ee27ab513e734ef63e5a532cdb1.tar.bz2
hostapd: fix post v2.4 security issues
- WPS: Fix HTTP chunked transfer encoding parser (CVE-2015-4141) - EAP-pwd peer: Fix payload length validation for Commit and Confirm (CVE-2015-4143) - EAP-pwd server: Fix payload length validation for Commit and Confirm (CVE-2015-4143) - EAP-pwd peer: Fix Total-Length parsing for fragment reassembly (CVE-2015-4144, CVE-2015-4145) - EAP-pwd server: Fix Total-Length parsing for fragment reassembly (CVE-2015-4144, CVE-2015-4145) - EAP-pwd peer: Fix asymmetric fragmentation behavior (CVE-2015-4146) - NFC: Fix payload length validation in NDEF record parser (CVE-2015-8041) - WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in use (CVE-2015-5310) - EAP-pwd peer: Fix last fragment length validation (CVE-2015-5315) - EAP-pwd server: Fix last fragment length validation (CVE-2015-5314) - EAP-pwd peer: Fix error path for unexpected Confirm message (CVE-2015-5316) Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> SVN-Revision: 48185
Diffstat (limited to 'package/network/services/hostapd/patches/004-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch')
-rw-r--r--package/network/services/hostapd/patches/004-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch73
1 files changed, 73 insertions, 0 deletions
diff --git a/package/network/services/hostapd/patches/004-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch b/package/network/services/hostapd/patches/004-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
new file mode 100644
index 0000000..91627fb
--- /dev/null
+++ b/package/network/services/hostapd/patches/004-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
@@ -0,0 +1,73 @@
+From dd2f043c9c43d156494e33d7ce22db96e6ef42c7 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 1 May 2015 16:37:45 +0300
+Subject: [PATCH 1/5] EAP-pwd peer: Fix payload length validation for Commit
+ and Confirm
+
+The length of the received Commit and Confirm message payloads was not
+checked before reading them. This could result in a buffer read
+overflow when processing an invalid message.
+
+Fix this by verifying that the payload is of expected length before
+processing it. In addition, enforce correct state transition sequence to
+make sure there is no unexpected behavior if receiving a Commit/Confirm
+message before the previous exchanges have been completed.
+
+Thanks to Kostya Kortchinsky of Google security team for discovering and
+reporting this issue.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_peer/eap_pwd.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
+index f2b0926..a629437 100644
+--- a/src/eap_peer/eap_pwd.c
++++ b/src/eap_peer/eap_pwd.c
+@@ -355,6 +355,23 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+ BIGNUM *mask = NULL, *x = NULL, *y = NULL, *cofactor = NULL;
+ u16 offset;
+ u8 *ptr, *scalar = NULL, *element = NULL;
++ size_t prime_len, order_len;
++
++ if (data->state != PWD_Commit_Req) {
++ ret->ignore = TRUE;
++ goto fin;
++ }
++
++ prime_len = BN_num_bytes(data->grp->prime);
++ order_len = BN_num_bytes(data->grp->order);
++
++ if (payload_len != 2 * prime_len + order_len) {
++ wpa_printf(MSG_INFO,
++ "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
++ (unsigned int) payload_len,
++ (unsigned int) (2 * prime_len + order_len));
++ goto fin;
++ }
+
+ if (((data->private_value = BN_new()) == NULL) ||
+ ((data->my_element = EC_POINT_new(data->grp->group)) == NULL) ||
+@@ -554,6 +571,18 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+ u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
+ int offset;
+
++ if (data->state != PWD_Confirm_Req) {
++ ret->ignore = TRUE;
++ goto fin;
++ }
++
++ if (payload_len != SHA256_MAC_LEN) {
++ wpa_printf(MSG_INFO,
++ "EAP-pwd: Unexpected Confirm payload length %u (expected %u)",
++ (unsigned int) payload_len, SHA256_MAC_LEN);
++ goto fin;
++ }
++
+ /*
+ * first build up the ciphersuite which is group | random_function |
+ * prf
+--
+1.9.1
+
generated by cgit v1.1 at 2024-07-14 19:34:33 +0000