aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHongxu Jia <hongxu.jia@windriver.com>2015-11-13 19:08:06 +0800
committerJoshua Lock <joshua.g.lock@intel.com>2016-02-29 15:05:16 +0000
commit12520d7f729fe3d07c2f94b813994718edb2d987 (patch)
tree9edbd92913801476c3466ebdcc0c4f1eeb316470
parent0c4bdd61acbc1fa1b9bfb167d8eaf90c8bccc25c (diff)
downloadopenembedded-core-contrib-12520d7f729fe3d07c2f94b813994718edb2d987.tar.gz
wpa-supplicant: Fix CVE-2015-8041
Backport patch from http://w1.fi/security/2015-5/ and rebase for wpa-supplicant 2.4 Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Not needed in master since the upgrade to 2.5 Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant.inc1
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch64
2 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant.inc b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant.inc
index 93a2aa8b74..4340741b5b 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant.inc
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant.inc
@@ -33,6 +33,7 @@ SRC_URI = "http://hostap.epitest.fi/releases/wpa_supplicant-${PV}.tar.gz \
file://0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch \
file://0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch \
file://0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch \
+ file://0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch \
"
SRC_URI[md5sum] = "f2ed8fef72cf63d8d446a2d0a6da630a"
SRC_URI[sha256sum] = "eaaa5bf3055270e521b2dff64f2d203ec8040f71958b8588269a82c00c9d7b6a"
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
new file mode 100644
index 0000000000..bc1d1e5d26
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
@@ -0,0 +1,64 @@
+From c13401c723a039971bcd91b3856d76c6041b15f2 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 13 Nov 2015 05:54:18 -0500
+Subject: [PATCH] NFC: Fix payload length validation in NDEF record parser
+
+It was possible for the 32-bit record->total_length value to end up
+wrapping around due to integer overflow if the longer form of payload
+length field is used and record->payload_length gets a value close to
+2^32. This could result in ndef_parse_record() accepting a too large
+payload length value and the record type filter reading up to about 20
+bytes beyond the end of the buffer and potentially killing the process.
+This could also result in an attempt to allocate close to 2^32 bytes of
+heap memory and if that were to succeed, a buffer read overflow of the
+same length which would most likely result in the process termination.
+In case of record->total_length ending up getting the value 0, there
+would be no buffer read overflow, but record parsing would result in an
+infinite loop in ndef_parse_records().
+
+Any of these error cases could potentially be used for denial of service
+attacks over NFC by using a malformed NDEF record on an NFC Tag or
+sending them during NFC connection handover if the application providing
+the NDEF message to hostapd/wpa_supplicant did no validation of the
+received records. While such validation is likely done in the NFC stack
+that needs to parse the NFC messages before further processing,
+hostapd/wpa_supplicant better be prepared for any data being included
+here.
+
+Fix this by validating record->payload_length value in a way that
+detects integer overflow. (CID 122668)
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+Upstream-Status: Backport [from http://w1.fi/security/2015-5/]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ src/wps/ndef.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/wps/ndef.c b/src/wps/ndef.c
+index d45dfc8..f7f729b 100644
+--- a/src/wps/ndef.c
++++ b/src/wps/ndef.c
+@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
+ if (size < 6)
+ return -1;
+ record->payload_length = ntohl(*(u32 *)pos);
++ if (record->payload_length > size - 6)
++ return -1;
+ pos += sizeof(u32);
+ }
+
+@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
+ pos += record->payload_length;
+
+ record->total_length = pos - data;
+- if (record->total_length > size)
++ if (record->total_length > size ||
++ record->total_length < record->payload_length)
+ return -1;
+ return 0;
+ }
+--
+1.9.1
+