diff options
Diffstat (limited to 'package/network/services/hostapd/patches/063-0010-SAE-Fix-confirm-message-validation-in-error-cases.patch')
-rw-r--r-- | package/network/services/hostapd/patches/063-0010-SAE-Fix-confirm-message-validation-in-error-cases.patch | 52 |
1 files changed, 0 insertions, 52 deletions
diff --git a/package/network/services/hostapd/patches/063-0010-SAE-Fix-confirm-message-validation-in-error-cases.patch b/package/network/services/hostapd/patches/063-0010-SAE-Fix-confirm-message-validation-in-error-cases.patch deleted file mode 100644 index 3a3658e640..0000000000 --- a/package/network/services/hostapd/patches/063-0010-SAE-Fix-confirm-message-validation-in-error-cases.patch +++ /dev/null @@ -1,52 +0,0 @@ -From ac8fa9ef198640086cf2ce7c94673be2b6a018a0 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <jouni@codeaurora.org> -Date: Tue, 5 Mar 2019 23:43:25 +0200 -Subject: [PATCH 10/14] SAE: Fix confirm message validation in error cases - -Explicitly verify that own and peer commit scalar/element are available -when trying to check SAE confirm message. It could have been possible to -hit a NULL pointer dereference if the peer element could not have been -parsed. (CVE-2019-9496) - -Signed-off-by: Jouni Malinen <jouni@codeaurora.org> ---- - src/common/sae.c | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - ---- a/src/common/sae.c -+++ b/src/common/sae.c -@@ -1464,23 +1464,31 @@ int sae_check_confirm(struct sae_data *s - - wpa_printf(MSG_DEBUG, "SAE: peer-send-confirm %u", WPA_GET_LE16(data)); - -- if (sae->tmp == NULL) { -+ if (!sae->tmp || !sae->peer_commit_scalar || -+ !sae->tmp->own_commit_scalar) { - wpa_printf(MSG_DEBUG, "SAE: Temporary data not yet available"); - return -1; - } - -- if (sae->tmp->ec) -+ if (sae->tmp->ec) { -+ if (!sae->tmp->peer_commit_element_ecc || -+ !sae->tmp->own_commit_element_ecc) -+ return -1; - sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar, - sae->tmp->peer_commit_element_ecc, - sae->tmp->own_commit_scalar, - sae->tmp->own_commit_element_ecc, - verifier); -- else -+ } else { -+ if (!sae->tmp->peer_commit_element_ffc || -+ !sae->tmp->own_commit_element_ffc) -+ return -1; - sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar, - sae->tmp->peer_commit_element_ffc, - sae->tmp->own_commit_scalar, - sae->tmp->own_commit_element_ffc, - verifier); -+ } - - if (os_memcmp_const(verifier, data + 2, SHA256_MAC_LEN) != 0) { - wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch"); |