diff options
| author | Felix Fietkau <nbd@openwrt.org> | 2016-01-10 17:03:37 +0000 |
|---|---|---|
| committer | Felix Fietkau <nbd@openwrt.org> | 2016-01-10 17:03:37 +0000 |
| commit | 6c40914c0c637ee27ab513e734ef63e5a532cdb1 (patch) | |
| tree | 6f122326eb20bcf29a07fb4b613cd007a724f20b /package/network/services/hostapd/patches/013-EAP-pwd-peer-Fix-error-path-for-unexpected-Confirm-m.patch | |
| parent | a960fcef292c805b1d7a8fe8a9f6995ca7f4931b (diff) | |
| download | master-31e0f0ae-6c40914c0c637ee27ab513e734ef63e5a532cdb1.tar.gz master-31e0f0ae-6c40914c0c637ee27ab513e734ef63e5a532cdb1.tar.bz2 master-31e0f0ae-6c40914c0c637ee27ab513e734ef63e5a532cdb1.zip | |
hostapd: fix post v2.4 security issues
- WPS: Fix HTTP chunked transfer encoding parser (CVE-2015-4141)
- EAP-pwd peer: Fix payload length validation for Commit and Confirm
(CVE-2015-4143)
- EAP-pwd server: Fix payload length validation for Commit and Confirm
(CVE-2015-4143)
- EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
(CVE-2015-4144, CVE-2015-4145)
- EAP-pwd server: Fix Total-Length parsing for fragment reassembly
(CVE-2015-4144, CVE-2015-4145)
- EAP-pwd peer: Fix asymmetric fragmentation behavior (CVE-2015-4146)
- NFC: Fix payload length validation in NDEF record parser (CVE-2015-8041)
- WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in use
(CVE-2015-5310)
- EAP-pwd peer: Fix last fragment length validation (CVE-2015-5315)
- EAP-pwd server: Fix last fragment length validation (CVE-2015-5314)
- EAP-pwd peer: Fix error path for unexpected Confirm message (CVE-2015-5316)
Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
SVN-Revision: 48185
Diffstat (limited to 'package/network/services/hostapd/patches/013-EAP-pwd-peer-Fix-error-path-for-unexpected-Confirm-m.patch')
| -rw-r--r-- | package/network/services/hostapd/patches/013-EAP-pwd-peer-Fix-error-path-for-unexpected-Confirm-m.patch | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/package/network/services/hostapd/patches/013-EAP-pwd-peer-Fix-error-path-for-unexpected-Confirm-m.patch b/package/network/services/hostapd/patches/013-EAP-pwd-peer-Fix-error-path-for-unexpected-Confirm-m.patch new file mode 100644 index 0000000000..3088f6a6dc --- /dev/null +++ b/package/network/services/hostapd/patches/013-EAP-pwd-peer-Fix-error-path-for-unexpected-Confirm-m.patch @@ -0,0 +1,34 @@ +From 95577884ca4fa76be91344ff7a8d5d1e6dc3da61 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Sun, 1 Nov 2015 19:35:44 +0200 +Subject: [PATCH] EAP-pwd peer: Fix error path for unexpected Confirm message + +If the Confirm message is received from the server before the Identity +exchange has been completed, the group has not yet been determined and +data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange() +did not take this corner case into account and could end up +dereferencing a NULL pointer and terminating the process if invalid +message sequence is received. (CVE-2015-5316) + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + src/eap_peer/eap_pwd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c +index 75ceef1..892b590 100644 +--- a/src/eap_peer/eap_pwd.c ++++ b/src/eap_peer/eap_pwd.c +@@ -774,7 +774,8 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data, + wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN); + + fin: +- bin_clear_free(cruft, BN_num_bytes(data->grp->prime)); ++ if (data->grp) ++ bin_clear_free(cruft, BN_num_bytes(data->grp->prime)); + BN_clear_free(x); + BN_clear_free(y); + if (data->outbuf == NULL) { +-- +1.9.1 + |