diff options
| author | Baruch Siach <baruch@tkos.co.il> | 2015-05-04 21:04:40 +0300 |
|---|---|---|
| committer | Peter Korsgaard <peter@korsgaard.com> | 2015-05-04 20:51:41 +0200 |
| commit | 39a4a79d8aad8e5bf754f360efd15442894dcaf1 (patch) | |
| tree | 0a51ab36486cf0919f08161b8c651da3df903022 /package/wpa_supplicant/0002-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch | |
| parent | 476c6c6e093f1986e65cb922316c02491cd9b753 (diff) | |
| download | buildroot-39a4a79d8aad8e5bf754f360efd15442894dcaf1.tar.gz buildroot-39a4a79d8aad8e5bf754f360efd15442894dcaf1.zip | |
wpa_supplicant: apply upstream security patches
This commit adds patches for three different upstream security advisories. No
CVE numbers stated.
http://w1.fi/security/2015-2/wps-upnp-http-chunked-transfer-encoding.txt
http://w1.fi/security/2015-3/integer-underflow-in-ap-mode-wmm-action-frame.txt
http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Diffstat (limited to 'package/wpa_supplicant/0002-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch')
| -rw-r--r-- | package/wpa_supplicant/0002-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/package/wpa_supplicant/0002-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch b/package/wpa_supplicant/0002-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch new file mode 100644 index 0000000000..d9dccf9116 --- /dev/null +++ b/package/wpa_supplicant/0002-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch @@ -0,0 +1,50 @@ +From 5acd23f4581da58683f3cf5e36cb71bbe4070bd7 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Tue, 28 Apr 2015 17:08:33 +0300 +Subject: [PATCH] WPS: Fix HTTP chunked transfer encoding parser + +strtoul() return value may end up overflowing the int h->chunk_size and +resulting in a negative value to be stored as the chunk_size. This could +result in the following memcpy operation using a very large length +argument which would result in a buffer overflow and segmentation fault. + +This could have been used to cause a denial service by any device that +has been authorized for network access (either wireless or wired). This +would affect both the WPS UPnP functionality in a WPS AP (hostapd with +upnp_iface parameter set in the configuration) and WPS ER +(wpa_supplicant with WPS_ER_START control interface command used). + +Validate the parsed chunk length value to avoid this. In addition to +rejecting negative values, we can also reject chunk size that would be +larger than the maximum configured body length. + +Thanks to Kostya Kortchinsky of Google security team for discovering and +reporting this issue. + +Signed-off-by: Jouni Malinen <j@w1.fi> +Signed-off-by: Baruch Siach <baruch@tkos.co.il> +--- + src/wps/httpread.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/wps/httpread.c b/src/wps/httpread.c +index 2f08f37275c0..d2855e32fd0f 100644 +--- a/src/wps/httpread.c ++++ b/src/wps/httpread.c +@@ -533,6 +533,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx) + if (!isxdigit(*cbp)) + goto bad; + h->chunk_size = strtoul(cbp, NULL, 16); ++ if (h->chunk_size < 0 || ++ h->chunk_size > h->max_bytes) { ++ wpa_printf(MSG_DEBUG, ++ "httpread: Invalid chunk size %d", ++ h->chunk_size); ++ goto bad; ++ } + /* throw away chunk header + * so we have only real data + */ +-- +2.1.4 + |
