diff options
| author |   Bjarke Istrup Pedersen <gurligebis@gentoo.org> | 2015-07-14 19:42:58 +0000 |
|---|---|---|
| committer | Bjarke Istrup Pedersen <gurligebis@gentoo.org> | 2015-07-14 19:42:58 +0000 |
| commit | 7f42a355461fd6f35953b7de24f02ae4468bbcee (patch) | |
| tree | 92380fd2a5a79a1a8b055e22d0326b4f501b418c /net-wireless/wpa_supplicant/files | |
| parent | Adding security fixes wrt. bug #554862 (diff) | |
| download | historical-7f42a355461fd6f35953b7de24f02ae4468bbcee.tar.gz historical-7f42a355461fd6f35953b7de24f02ae4468bbcee.tar.bz2 historical-7f42a355461fd6f35953b7de24f02ae4468bbcee.zip | |
Adding security fixes wrt. bug #554860
Package-Manager: portage-2.2.20/cvs/Linux x86_64
Manifest-Sign-Key: 0x15AE484C
Diffstat (limited to 'net-wireless/wpa_supplicant/files')
2 files changed, 90 insertions, 0 deletions
diff --git a/net-wireless/wpa_supplicant/files/2015-5/0001-NFC-Avoid-misaligned-read-of-an-NDEF-field.patch b/net-wireless/wpa_supplicant/files/2015-5/0001-NFC-Avoid-misaligned-read-of-an-NDEF-field.patch new file mode 100644 index 000000000000..d03eb484fc28 --- /dev/null +++ b/net-wireless/wpa_supplicant/files/2015-5/0001-NFC-Avoid-misaligned-read-of-an-NDEF-field.patch @@ -0,0 +1,29 @@ +From fc880b11ed70ff9dcf8be48621f75d354cc5094d Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Tue, 7 Jul 2015 15:33:55 +0300 +Subject: [PATCH] NFC: Avoid misaligned read of an NDEF field + +The 32-bit version of payload length field may not be 32-bit aligned in +the message buffer, so use WPA_GET_BE32() to read it instead of ntohl(). + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + src/wps/ndef.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/wps/ndef.c b/src/wps/ndef.c +index 8d1ce1e..5604b0a 100644 +--- a/src/wps/ndef.c ++++ b/src/wps/ndef.c +@@ -47,7 +47,7 @@ static int ndef_parse_record(const u8 *data, u32 size, + } else { + if (size < 6) + return -1; +- record->payload_length = ntohl(*(u32 *)pos); ++ record->payload_length = WPA_GET_BE32(pos); + pos += sizeof(u32); + } + +-- +1.7.9.5 + diff --git a/net-wireless/wpa_supplicant/files/2015-5/0002-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch b/net-wireless/wpa_supplicant/files/2015-5/0002-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch new file mode 100644 index 000000000000..1f624c8dad46 --- /dev/null +++ b/net-wireless/wpa_supplicant/files/2015-5/0002-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch @@ -0,0 +1,61 @@ +From df9079e72760ceb7ebe7fb11538200c516bdd886 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Tue, 7 Jul 2015 21:57:28 +0300 +Subject: [PATCH] NFC: Fix payload length validation in NDEF record parser + +It was possible for the 32-bit record->total_length value to end up +wrapping around due to integer overflow if the longer form of payload +length field is used and record->payload_length gets a value close to +2^32. This could result in ndef_parse_record() accepting a too large +payload length value and the record type filter reading up to about 20 +bytes beyond the end of the buffer and potentially killing the process. +This could also result in an attempt to allocate close to 2^32 bytes of +heap memory and if that were to succeed, a buffer read overflow of the +same length which would most likely result in the process termination. +In case of record->total_length ending up getting the value 0, there +would be no buffer read overflow, but record parsing would result in an +infinite loop in ndef_parse_records(). + +Any of these error cases could potentially be used for denial of service +attacks over NFC by using a malformed NDEF record on an NFC Tag or +sending them during NFC connection handover if the application providing +the NDEF message to hostapd/wpa_supplicant did no validation of the +received records. While such validation is likely done in the NFC stack +that needs to parse the NFC messages before further processing, +hostapd/wpa_supplicant better be prepared for any data being included +here. + +Fix this by validating record->payload_length value in a way that +detects integer overflow. (CID 122668) + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + src/wps/ndef.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/wps/ndef.c b/src/wps/ndef.c +index 5604b0a..50d018f 100644 +--- a/src/wps/ndef.c ++++ b/src/wps/ndef.c +@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *data, u32 size, + if (size < 6) + return -1; + record->payload_length = WPA_GET_BE32(pos); ++ if (record->payload_length > size - 6) ++ return -1; + pos += sizeof(u32); + } + +@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *data, u32 size, + pos += record->payload_length; + + record->total_length = pos - data; +- if (record->total_length > size) ++ if (record->total_length > size || ++ record->total_length < record->payload_length) + return -1; + return 0; + } +-- +1.9.1 + |