author | Felix Fietkau <nbd@openwrt.org> | 2016-01-28 17:19:13 +0000 |
---|---|---|
committer | Felix Fietkau <nbd@openwrt.org> | 2016-01-28 17:19:13 +0000 |
commit | 1f13cddc10692d266e8dd29fe4e4607080f13122 (patch) | |
tree | f14fda99b7cd3fc4c55a1bb40a19da299d1c7cd2 /package/network/services/hostapd/patches/005-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch | |
parent | d4faf99fee188013eb52bc86d5582874e24362dc (diff) | |
hostapd: update to version 2016-01-15
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@48527 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'package/network/services/hostapd/patches/005-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch')
-rw-r--r-- | package/network/services/hostapd/patches/005-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch | 66 |
1 files changed, 0 insertions, 66 deletions
diff --git a/package/network/services/hostapd/patches/005-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch b/package/network/services/hostapd/patches/005-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
deleted file mode 100644
index 5dca20b277..0000000000
--- a/package/network/services/hostapd/patches/005-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From e28a58be26184c2a23f80b410e0997ef1bd5d578 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Fri, 1 May 2015 16:40:44 +0300
-Subject: [PATCH 2/5] EAP-pwd server: Fix payload length validation for Commit
- and Confirm
-
-The length of the received Commit and Confirm message payloads was not
-checked before reading them. This could result in a buffer read
-overflow when processing an invalid message.
-
-Fix this by verifying that the payload is of expected length before
-processing it. In addition, enforce correct state transition sequence to
-make sure there is no unexpected behavior if receiving a Commit/Confirm
-message before the previous exchanges have been completed.
-
-Thanks to Kostya Kortchinsky of Google security team for discovering and
-reporting this issue.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/eap_server/eap_server_pwd.c | 19 +++++++++++++++++++
- 1 file changed, 19 insertions(+)
-
-diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
-index 66bd5d2..3189105 100644
---- a/src/eap_server/eap_server_pwd.c
-+++ b/src/eap_server/eap_server_pwd.c
-@@ -656,9 +656,21 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
- BIGNUM *x = NULL, *y = NULL, *cofactor = NULL;
- EC_POINT *K = NULL, *point = NULL;
- int res = 0;
-+ size_t prime_len, order_len;
-
- wpa_printf(MSG_DEBUG, "EAP-pwd: Received commit response");
-
-+ prime_len = BN_num_bytes(data->grp->prime);
-+ order_len = BN_num_bytes(data->grp->order);
-+
-+ if (payload_len != 2 * prime_len + order_len) {
-+ wpa_printf(MSG_INFO,
-+ "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
-+ (unsigned int) payload_len,
-+ (unsigned int) (2 * prime_len + order_len));
-+ goto fin;
-+ }
-+
- if (((data->peer_scalar = BN_new()) == NULL) ||
- ((data->k = BN_new()) == NULL) ||
- ((cofactor = BN_new()) == NULL) ||
-@@ -774,6 +786,13 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,
- u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
- int offset;
-
-+ if (payload_len != SHA256_MAC_LEN) {
-+ wpa_printf(MSG_INFO,
-+ "EAP-pwd: Unexpected Confirm payload length %u (expected %u)",
-+ (unsigned int) payload_len, SHA256_MAC_LEN);
-+ goto fin;
-+ }
-+
- /* build up the ciphersuite: group | random_function | prf */
- grp = htons(data->group_num);
- ptr = (u8 *) &cs;
---
-1.9.1
- |