gnu: wpa-supplicant: Fix WPS and P2P NFC NDEF record payload length validation.
* gnu/packages/patches/wpa-supplicant-2015-5-fix.patch: New file. * gnu-system.am (dist_patch_DATA): Add it. * gnu/packages/admin.scm (wpa-supplicant-light)[source]: Add patch.
This commit is contained in:
parent
16de69c950
commit
9fb00f383d
@ -651,6 +651,7 @@ dist_patch_DATA = \
|
|||||||
gnu/packages/patches/wpa-supplicant-2015-4-fix-pt3.patch \
|
gnu/packages/patches/wpa-supplicant-2015-4-fix-pt3.patch \
|
||||||
gnu/packages/patches/wpa-supplicant-2015-4-fix-pt4.patch \
|
gnu/packages/patches/wpa-supplicant-2015-4-fix-pt4.patch \
|
||||||
gnu/packages/patches/wpa-supplicant-2015-4-fix-pt5.patch \
|
gnu/packages/patches/wpa-supplicant-2015-4-fix-pt5.patch \
|
||||||
|
gnu/packages/patches/wpa-supplicant-2015-5-fix.patch \
|
||||||
gnu/packages/patches/xf86-video-ark-remove-mibstore.patch \
|
gnu/packages/patches/xf86-video-ark-remove-mibstore.patch \
|
||||||
gnu/packages/patches/xf86-video-ast-remove-mibstore.patch \
|
gnu/packages/patches/xf86-video-ast-remove-mibstore.patch \
|
||||||
gnu/packages/patches/xf86-video-geode-glibc-2.20.patch \
|
gnu/packages/patches/xf86-video-geode-glibc-2.20.patch \
|
||||||
|
@ -705,7 +705,8 @@ commands and their arguments.")
|
|||||||
"wpa-supplicant-2015-4-fix-pt2.patch"
|
"wpa-supplicant-2015-4-fix-pt2.patch"
|
||||||
"wpa-supplicant-2015-4-fix-pt3.patch"
|
"wpa-supplicant-2015-4-fix-pt3.patch"
|
||||||
"wpa-supplicant-2015-4-fix-pt4.patch"
|
"wpa-supplicant-2015-4-fix-pt4.patch"
|
||||||
"wpa-supplicant-2015-4-fix-pt5.patch")))))
|
"wpa-supplicant-2015-4-fix-pt5.patch"
|
||||||
|
"wpa-supplicant-2015-5-fix.patch")))))
|
||||||
(build-system gnu-build-system)
|
(build-system gnu-build-system)
|
||||||
(arguments
|
(arguments
|
||||||
'(#:phases (alist-replace
|
'(#:phases (alist-replace
|
||||||
|
64
gnu/packages/patches/wpa-supplicant-2015-5-fix.patch
Normal file
64
gnu/packages/patches/wpa-supplicant-2015-5-fix.patch
Normal file
@ -0,0 +1,64 @@
|
|||||||
|
Original patch copied from http://w1.fi/security/2015-5/
|
||||||
|
and then backported to wpa-supplicant-2.4.
|
||||||
|
|
||||||
|
From df9079e72760ceb7ebe7fb11538200c516bdd886 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jouni Malinen <j@w1.fi>
|
||||||
|
Date: Tue, 7 Jul 2015 21:57:28 +0300
|
||||||
|
Subject: [PATCH] NFC: Fix payload length validation in NDEF record parser
|
||||||
|
|
||||||
|
It was possible for the 32-bit record->total_length value to end up
|
||||||
|
wrapping around due to integer overflow if the longer form of payload
|
||||||
|
length field is used and record->payload_length gets a value close to
|
||||||
|
2^32. This could result in ndef_parse_record() accepting a too large
|
||||||
|
payload length value and the record type filter reading up to about 20
|
||||||
|
bytes beyond the end of the buffer and potentially killing the process.
|
||||||
|
This could also result in an attempt to allocate close to 2^32 bytes of
|
||||||
|
heap memory and if that were to succeed, a buffer read overflow of the
|
||||||
|
same length which would most likely result in the process termination.
|
||||||
|
In case of record->total_length ending up getting the value 0, there
|
||||||
|
would be no buffer read overflow, but record parsing would result in an
|
||||||
|
infinite loop in ndef_parse_records().
|
||||||
|
|
||||||
|
Any of these error cases could potentially be used for denial of service
|
||||||
|
attacks over NFC by using a malformed NDEF record on an NFC Tag or
|
||||||
|
sending them during NFC connection handover if the application providing
|
||||||
|
the NDEF message to hostapd/wpa_supplicant did no validation of the
|
||||||
|
received records. While such validation is likely done in the NFC stack
|
||||||
|
that needs to parse the NFC messages before further processing,
|
||||||
|
hostapd/wpa_supplicant better be prepared for any data being included
|
||||||
|
here.
|
||||||
|
|
||||||
|
Fix this by validating record->payload_length value in a way that
|
||||||
|
detects integer overflow. (CID 122668)
|
||||||
|
|
||||||
|
Signed-off-by: Jouni Malinen <j@w1.fi>
|
||||||
|
---
|
||||||
|
src/wps/ndef.c | 5 ++++-
|
||||||
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/wps/ndef.c b/src/wps/ndef.c
|
||||||
|
index 5604b0a..50d018f 100644
|
||||||
|
--- a/src/wps/ndef.c
|
||||||
|
+++ b/src/wps/ndef.c
|
||||||
|
@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
|
||||||
|
if (size < 6)
|
||||||
|
return -1;
|
||||||
|
record->payload_length = ntohl(*(u32 *)pos);
|
||||||
|
+ if (record->payload_length > size - 6)
|
||||||
|
+ return -1;
|
||||||
|
pos += sizeof(u32);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
|
||||||
|
pos += record->payload_length;
|
||||||
|
|
||||||
|
record->total_length = pos - data;
|
||||||
|
- if (record->total_length > size)
|
||||||
|
+ if (record->total_length > size ||
|
||||||
|
+ record->total_length < record->payload_length)
|
||||||
|
return -1;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
1.9.1
|
||||||
|
|
Loading…
Reference in New Issue
Block a user