Commit 15604368 authored by Leonardo Arena's avatar Leonardo Arena

main/hostapd: security fix (CVE-2019-9496)

Fixes #10333
parent cdc0c3d0
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=hostapd
pkgver=2.7
pkgrel=2
pkgrel=3
pkgdesc="daemon for wireless software access points"
url="http://hostap.epitest.fi/hostapd/"
arch="all"
......@@ -9,6 +9,7 @@ license="custom"
makedepends="openssl-dev libnl3-dev linux-headers"
subpackages="$pkgname-doc $pkgname-openrc"
patches="CVE-2012-4445.patch
CVE-2019-9496.patch
0001-EAP-pwd-server-Fix-reassembly-buffer-handling.patch
0003-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch
"
......@@ -20,6 +21,8 @@ options="!check" #no testsuite
builddir="$srcdir"/$pkgname-$pkgver/hostapd
# secfixes:
# 2.7-r3:
# - CVE-2019-9496
# 2.7-r1:
# - CVE-2019-11555
# 2.7-r0:
......@@ -95,6 +98,7 @@ package() {
}
sha512sums="1c9a210dfffb951fb667be19aa44ad8c66dccd2aed26cdab939185923550e3c1998a678ebe6975e560e1b3385bff2098f1b2cb773452ba66fb35246fdd3eb2c1 hostapd-2.7.tar.gz
619acce84516dead1e03e5da71657ea4c4b6f3ca8271574409773aeb316cbddc88095b50320804f457f001f4f3fe83053e660c008d8409f59bb4d3bfe058b601 CVE-2012-4445.patch
90981a52d6cb2e91f67a9bc830d3db02da6fde4bea0cf512b22111da6c8ab151f5dd171a2f2e409d9ff75e388e72c2314dd023a98fdabf16248b11a950bde881 CVE-2019-9496.patch
7038044885871271ac724790663d5c0a428db83b41a691747be7a618ae893670a98f3ba52a297937249084296b0e9bcfd791edaa3928548efddb259e1a15f46c 0001-EAP-pwd-server-Fix-reassembly-buffer-handling.patch
99c734fe395b4231aa6a097a08a00e5dab65ea9c37a7c83b1904a37c39307d9e7e95485734b0d483687126f4100c75f8a7b1420f0a2edcbfe07b454a14548822 0003-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch
b54b7c6aa17e5cb86a9b354a516eb2dbefb544df18471339c61d82776de447011a2ac290bea1e6c8beae4b6cebefafb8174683ea42fb773e9e8fe6c679f33ba3 hostapd.initd
......
From ac8fa9ef198640086cf2ce7c94673be2b6a018a0 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Tue, 5 Mar 2019 23:43:25 +0200
Subject: SAE: Fix confirm message validation in error cases
Explicitly verify that own and peer commit scalar/element are available
when trying to check SAE confirm message. It could have been possible to
hit a NULL pointer dereference if the peer element could not have been
parsed. (CVE-2019-9496)
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
src/common/sae.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/common/sae.c b/src/common/sae.c
index eaf825d..5a50294 100644
--- a/src/common/sae.c
+++ b/src/common/sae.c
@@ -1487,23 +1487,31 @@ int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len)
wpa_printf(MSG_DEBUG, "SAE: peer-send-confirm %u", WPA_GET_LE16(data));
- if (sae->tmp == NULL) {
+ if (!sae->tmp || !sae->peer_commit_scalar ||
+ !sae->tmp->own_commit_scalar) {
wpa_printf(MSG_DEBUG, "SAE: Temporary data not yet available");
return -1;
}
- if (sae->tmp->ec)
+ if (sae->tmp->ec) {
+ if (!sae->tmp->peer_commit_element_ecc ||
+ !sae->tmp->own_commit_element_ecc)
+ return -1;
sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar,
sae->tmp->peer_commit_element_ecc,
sae->tmp->own_commit_scalar,
sae->tmp->own_commit_element_ecc,
verifier);
- else
+ } else {
+ if (!sae->tmp->peer_commit_element_ffc ||
+ !sae->tmp->own_commit_element_ffc)
+ return -1;
sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar,
sae->tmp->peer_commit_element_ffc,
sae->tmp->own_commit_scalar,
sae->tmp->own_commit_element_ffc,
verifier);
+ }
if (os_memcmp_const(verifier, data + 2, SHA256_MAC_LEN) != 0) {
wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch");
--
cgit v0.12
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment