diff options
author | Felix Fietkau <nbd@openwrt.org> | 2016-01-10 17:03:37 +0000 |
---|---|---|
committer | Felix Fietkau <nbd@openwrt.org> | 2016-01-10 17:03:37 +0000 |
commit | 6c40914c0c637ee27ab513e734ef63e5a532cdb1 (patch) | |
tree | 6f122326eb20bcf29a07fb4b613cd007a724f20b /package/network/services/hostapd/patches/011-EAP-pwd-peer-Fix-last-fragment-length-validation.patch | |
parent | a960fcef292c805b1d7a8fe8a9f6995ca7f4931b (diff) | |
download | mtk-20170518-6c40914c0c637ee27ab513e734ef63e5a532cdb1.zip mtk-20170518-6c40914c0c637ee27ab513e734ef63e5a532cdb1.tar.gz mtk-20170518-6c40914c0c637ee27ab513e734ef63e5a532cdb1.tar.bz2 |
hostapd: fix post v2.4 security issues
- WPS: Fix HTTP chunked transfer encoding parser (CVE-2015-4141)
- EAP-pwd peer: Fix payload length validation for Commit and Confirm
(CVE-2015-4143)
- EAP-pwd server: Fix payload length validation for Commit and Confirm
(CVE-2015-4143)
- EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
(CVE-2015-4144, CVE-2015-4145)
- EAP-pwd server: Fix Total-Length parsing for fragment reassembly
(CVE-2015-4144, CVE-2015-4145)
- EAP-pwd peer: Fix asymmetric fragmentation behavior (CVE-2015-4146)
- NFC: Fix payload length validation in NDEF record parser (CVE-2015-8041)
- WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in use
(CVE-2015-5310)
- EAP-pwd peer: Fix last fragment length validation (CVE-2015-5315)
- EAP-pwd server: Fix last fragment length validation (CVE-2015-5314)
- EAP-pwd peer: Fix error path for unexpected Confirm message (CVE-2015-5316)
Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
SVN-Revision: 48185
Diffstat (limited to 'package/network/services/hostapd/patches/011-EAP-pwd-peer-Fix-last-fragment-length-validation.patch')
-rw-r--r-- | package/network/services/hostapd/patches/011-EAP-pwd-peer-Fix-last-fragment-length-validation.patch | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/package/network/services/hostapd/patches/011-EAP-pwd-peer-Fix-last-fragment-length-validation.patch b/package/network/services/hostapd/patches/011-EAP-pwd-peer-Fix-last-fragment-length-validation.patch new file mode 100644 index 0000000..82c2639 --- /dev/null +++ b/package/network/services/hostapd/patches/011-EAP-pwd-peer-Fix-last-fragment-length-validation.patch @@ -0,0 +1,54 @@ +From 8057821706784608b828e769ccefbced95591e50 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Sun, 1 Nov 2015 18:18:17 +0200 +Subject: [PATCH] EAP-pwd peer: Fix last fragment length validation + +All but the last fragment had their length checked against the remaining +room in the reassembly buffer. This allowed a suitably constructed last +fragment frame to try to add extra data that would go beyond the buffer. +The length validation code in wpabuf_put_data() prevents an actual +buffer write overflow from occurring, but this results in process +termination. (CVE-2015-5315) + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + src/eap_peer/eap_pwd.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c +index 1f78544..75ceef1 100644 +--- a/src/eap_peer/eap_pwd.c ++++ b/src/eap_peer/eap_pwd.c +@@ -903,7 +903,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret, + /* + * buffer and ACK the fragment + */ +- if (EAP_PWD_GET_MORE_BIT(lm_exch)) { ++ if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) { + data->in_frag_pos += len; + if (data->in_frag_pos > wpabuf_size(data->inbuf)) { + wpa_printf(MSG_INFO, "EAP-pwd: Buffer overflow attack " +@@ -916,7 +916,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret, + return NULL; + } + wpabuf_put_data(data->inbuf, pos, len); +- ++ } ++ if (EAP_PWD_GET_MORE_BIT(lm_exch)) { + resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD, + EAP_PWD_HDR_SIZE, + EAP_CODE_RESPONSE, eap_get_id(reqData)); +@@ -930,10 +931,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret, + * we're buffering and this is the last fragment + */ + if (data->in_frag_pos) { +- wpabuf_put_data(data->inbuf, pos, len); + wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes", + (int) len); +- data->in_frag_pos += len; + pos = wpabuf_head_u8(data->inbuf); + len = data->in_frag_pos; + } +-- +1.9.1 + |