diff options
| author | Baruch Siach <baruch@tkos.co.il> | 2015-09-29 10:24:56 +0300 |
|---|---|---|
| committer | Peter Korsgaard <peter@korsgaard.com> | 2015-09-30 00:24:43 +0200 |
| commit | 1639a7ebfa99f5b52dc7d2d8db94d826f4bac35f (patch) | |
| tree | c4a164d4048652bb73878f65f629a2da58bffa9f /package/hostapd/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch | |
| parent | 9ba132b371e0df7892fc73542e73edeb080ac73f (diff) | |
| download | buildroot-1639a7ebfa99f5b52dc7d2d8db94d826f4bac35f.tar.gz buildroot-1639a7ebfa99f5b52dc7d2d8db94d826f4bac35f.zip | |
hostapd: bump to version 2.5
Remove upstream patches.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Diffstat (limited to 'package/hostapd/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch')
| -rw-r--r-- | package/hostapd/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch | 50 |
1 files changed, 0 insertions, 50 deletions
diff --git a/package/hostapd/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch b/package/hostapd/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch deleted file mode 100644 index d9dccf9116..0000000000 --- a/package/hostapd/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 5acd23f4581da58683f3cf5e36cb71bbe4070bd7 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <j@w1.fi> -Date: Tue, 28 Apr 2015 17:08:33 +0300 -Subject: [PATCH] WPS: Fix HTTP chunked transfer encoding parser - -strtoul() return value may end up overflowing the int h->chunk_size and -resulting in a negative value to be stored as the chunk_size. This could -result in the following memcpy operation using a very large length -argument which would result in a buffer overflow and segmentation fault. - -This could have been used to cause a denial service by any device that -has been authorized for network access (either wireless or wired). This -would affect both the WPS UPnP functionality in a WPS AP (hostapd with -upnp_iface parameter set in the configuration) and WPS ER -(wpa_supplicant with WPS_ER_START control interface command used). - -Validate the parsed chunk length value to avoid this. In addition to -rejecting negative values, we can also reject chunk size that would be -larger than the maximum configured body length. - -Thanks to Kostya Kortchinsky of Google security team for discovering and -reporting this issue. - -Signed-off-by: Jouni Malinen <j@w1.fi> -Signed-off-by: Baruch Siach <baruch@tkos.co.il> ---- - src/wps/httpread.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/src/wps/httpread.c b/src/wps/httpread.c -index 2f08f37275c0..d2855e32fd0f 100644 ---- a/src/wps/httpread.c -+++ b/src/wps/httpread.c -@@ -533,6 +533,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx) - if (!isxdigit(*cbp)) - goto bad; - h->chunk_size = strtoul(cbp, NULL, 16); -+ if (h->chunk_size < 0 || -+ h->chunk_size > h->max_bytes) { -+ wpa_printf(MSG_DEBUG, -+ "httpread: Invalid chunk size %d", -+ h->chunk_size); -+ goto bad; -+ } - /* throw away chunk header - * so we have only real data - */ --- -2.1.4 - |
