CVS commit: [netbsd-7] src/external/bsd/wpa/dist/src

To: source-changes%NetBSD.org@localhost
Subject: CVS commit: [netbsd-7] src/external/bsd/wpa/dist/src
From: "SAITOH Masanobu" <msaitoh%netbsd.org@localhost>
Date: Mon, 11 May 2015 04:51:51 +0000

Module Name:    src
Committed By:   msaitoh
Date:           Mon May 11 04:51:51 UTC 2015

Modified Files:
        src/external/bsd/wpa/dist/src/ap [netbsd-7]: wmm.c
        src/external/bsd/wpa/dist/src/eap_peer [netbsd-7]: eap_pwd.c
        src/external/bsd/wpa/dist/src/eap_server [netbsd-7]: eap_server_pwd.c
        src/external/bsd/wpa/dist/src/wps [netbsd-7]: httpread.c

Log Message:
Pull up following revision(s) (requested by christos in ticket #749):
        external/bsd/wpa/dist/src/ap/wmm.c: revision 1.2
        external/bsd/wpa/dist/src/wps/httpread.c: revision 1.2
        external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c: revision 1.2-1.3
        external/bsd/wpa/dist/src/eap_peer/eap_pwd.c: revision 1.2-1.4
- strtoul() return value may end up overflowing the int h->chunk_size and
  resulting in a negative value to be stored as the chunk_size. This could
  result in the following memcpy operation using a very large length
  argument which would result in a buffer overflow and segmentation fault.

  This could have been used to cause a denial service by any device that
  has been authorized for network access (either wireless or wired). This
  would affect both the WPS UPnP functionality in a WPS AP (hostapd with
  upnp_iface parameter set in the configuration) and WPS ER
  (wpa_supplicant with WPS_ER_START control interface command used).
  Validate the parsed chunk length value to avoid this. In addition to
  rejecting negative values, we can also reject chunk size that would be
  larger than the maximum configured body length.
  Thanks to Kostya Kortchinsky of Google security team for discovering and
  reporting this issue.

- The length of the WMM Action frame was not properly validated and the
  length of the information elements (int left) could end up being
  negative. This would result in reading significantly past the stack
  buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
  so, resulting in segmentation fault.

  This can result in an invalid frame being used for a denial of service
  attack (hostapd process killed) against an AP with a driver that uses
  hostapd for management frame processing (e.g., all mac80211-based
  drivers).

  Thanks to Kostya Kortchinsky of Google security team for discovering and
  reporting this issue.

- The length of the received Commit and Confirm message payloads was not
  checked before reading them. This could result in a buffer read
  overflow when processing an invalid message.

  Fix this by verifying that the payload is of expected length before
  processing it. In addition, enforce correct state transition sequence to
  make sure there is no unexpected behavior if receiving a Commit/Confirm
  message before the previous exchanges have been completed.

  Thanks to Kostya Kortchinsky of Google security team for discovering and
  reporting this issue.

- The remaining number of bytes in the message could be smaller than the
  Total-Length field size, so the length needs to be explicitly checked
  prior to reading the field and decrementing the len variable. This could
  have resulted in the remaining length becoming negative and interpreted
  as a huge positive integer.

  In addition, check that there is no already started fragment in progress
  before allocating a new buffer for reassembling fragments. This avoid a
  potential memory leak when processing invalid message.

- The L (Length) and M (More) flags needs to be cleared before deciding
  whether the locally generated response requires fragmentation. This
  fixes an issue where these flags from the server could have been invalid
  for the following message. In some cases, this could have resulted in
  triggering the wpabuf security check that would terminate the process
  due to invalid buffer allocation.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.3.4.1 -r1.1.1.3.4.2 \
    src/external/bsd/wpa/dist/src/ap/wmm.c
cvs rdiff -u -r1.1.1.2.4.1 -r1.1.1.2.4.2 \
    src/external/bsd/wpa/dist/src/eap_peer/eap_pwd.c
cvs rdiff -u -r1.1.1.2.4.1 -r1.1.1.2.4.2 \
    src/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c
cvs rdiff -u -r1.1.1.2.4.1 -r1.1.1.2.4.2 \
    src/external/bsd/wpa/dist/src/wps/httpread.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Prev by Date: CVS commit: [netbsd-7] src/doc
Next by Date: CVS commit: [netbsd-7] src/doc
Previous by Thread: CVS commit: [netbsd-7] src/doc
Next by Thread: CVS commit: [netbsd-7] src/doc
Indexes:

Home | Main Index | Thread Index | Old Index