CVS commit: src/external/bsd/wpa/dist/wpa_supplicant

["Christos Zoulas" <christos%netbsd.org@localhost>]

Module Name:    src
Committed By:   christos
Date:           Tue Nov 10 18:39:40 UTC 2015

Modified Files:
        src/external/bsd/wpa/dist/wpa_supplicant: wnm_sta.c

Log Message:
Apply patch by Jouni Malinen. We don't have CONFIG_EAP_PWD enabled so we are
not affected:

EAP-pwd peer error path failure on unexpected Confirm message

Published: November 10, 2015
Identifier: CVE-2015-5316
Latest version available from: http://w1.fi/security/2015-8/

Vulnerability

A vulnerability was found in EAP-pwd peer implementation used in
wpa_supplicant. If an EAP-pwd Confirm message is received unexpectedly
before the Identity exchange, the error path processing ended up
dereferencing a NULL pointer and terminating the process.

For wpa_supplicant with EAP-pwd enabled in a network configuration
profile, this could allow a denial of service attack by an attacker
within radio range.

Vulnerable versions/configurations

wpa_supplicant v2.3-v2.5 with CONFIG_EAP_PWD=y in the build
configuration (wpa_supplicant/.config) and EAP-pwd enabled in a network
profile at runtime.

Possible mitigation steps

- Merge the following commits and rebuild wpa_supplicant:

  EAP-pwd peer: Fix error path for unexpected Confirm message

  This patch is available from http://w1.fi/security/2015-8/

- Update to wpa_supplicant v2.6 or newer, once available

- Remove CONFIG_EAP_PWD=y from build configuration

- Disable EAP-pwd in runtime configuration


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.3 -r1.2 \
    src/external/bsd/wpa/dist/wpa_supplicant/wnm_sta.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.