Commit 71e80d98 authored by Leonardo Arena's avatar Leonardo Arena

main/hostapd: security fix (CVE-2019-11555)

Fixes #10412
parent 8caec895
From fe76f487e28bdc61940f304f153a954cf36935ea Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Wed, 17 Apr 2019 01:55:32 +0300
Subject: [PATCH 1/3] EAP-pwd server: Fix reassembly buffer handling
data->inbuf allocation might fail and if that were to happen, the next
fragment in the exchange could have resulted in NULL pointer
dereference. Unexpected fragment with more bit might also be able to
trigger this. Fix that by explicitly checking for data->inbuf to be
available before using it.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
src/eap_server/eap_server_pwd.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
index 11bef55..38e2af8 100644
--- a/src/eap_server/eap_server_pwd.c
+++ b/src/eap_server/eap_server_pwd.c
@@ -912,6 +912,12 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
* the first and all intermediate fragments have the M bit set
*/
if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
+ if (!data->inbuf) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-pwd: No buffer for reassembly");
+ eap_pwd_state(data, FAILURE);
+ return;
+ }
if ((data->in_frag_pos + len) > wpabuf_size(data->inbuf)) {
wpa_printf(MSG_DEBUG, "EAP-pwd: Buffer overflow "
"attack detected! (%d+%d > %d)",
@@ -932,7 +938,7 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
* last fragment won't have the M bit set (but we're obviously
* buffering fragments so that's how we know it's the last)
*/
- if (data->in_frag_pos) {
+ if (data->in_frag_pos && data->inbuf) {
pos = wpabuf_head_u8(data->inbuf);
len = data->in_frag_pos;
wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
--
2.7.4
From d2d1a324ce937628e4d9d9999fe113819b7d4478 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Wed, 17 Apr 2019 02:21:20 +0300
Subject: [PATCH 3/3] EAP-pwd peer: Fix reassembly buffer handling
Unexpected fragment might result in data->inbuf not being allocated
before processing and that could have resulted in NULL pointer
dereference. Fix that by explicitly checking for data->inbuf to be
available before using it.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
src/eap_peer/eap_pwd.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
index 46894a5..76fcad4 100644
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@@ -932,6 +932,13 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
* buffer and ACK the fragment
*/
if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
+ if (!data->inbuf) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-pwd: No buffer for reassembly");
+ ret->methodState = METHOD_DONE;
+ ret->decision = DECISION_FAIL;
+ return NULL;
+ }
data->in_frag_pos += len;
if (data->in_frag_pos > wpabuf_size(data->inbuf)) {
wpa_printf(MSG_INFO, "EAP-pwd: Buffer overflow attack "
@@ -958,7 +965,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
/*
* we're buffering and this is the last fragment
*/
- if (data->in_frag_pos) {
+ if (data->in_frag_pos && data->inbuf) {
wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
(int) len);
pos = wpabuf_head_u8(data->inbuf);
--
2.7.4
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=hostapd
pkgver=2.6
pkgrel=3
pkgrel=4
pkgdesc="daemon for wireless software access points"
url="http://hostap.epitest.fi/hostapd/"
arch="all"
......@@ -17,8 +17,9 @@ patches="CVE-2012-4445.patch
0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
0006-TDLS-Reject-TPK-TK-reconfiguration.patch
0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
0009-EAP-pwd-server-Fix-reassembly-buffer-handling.patch
0010-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch
"
source="http://hostap.epitest.fi/releases/$pkgname-$pkgver.tar.gz
$patches
$pkgname.initd
......@@ -27,6 +28,8 @@ options="!check" #no testsuite
builddir="$srcdir"/$pkgname-$pkgver/hostapd
# secfixes:
# 2.6-r4:
# - CVE-2019-11555
# 2.6-r2:
# - CVE-2017-13077
# - CVE-2017-13078
......@@ -106,5 +109,7 @@ a6382d8e84b4829be33c46bf2f4c6f3232c9d924a4547a21dfe023bf5be8ee1c635920295f52be28
8707a123cd78149dfee9f5bd791761ee1eca605ef96580167044c2339c896920cf0e030b184a5afa9e310f5755afb30bef8ebd4522fc52753f3fbd6acead2cdf 0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
37d050b2e4a3598484912667d8b2705fbe84c5c562267f900d42b0c7b606fb1fed09ddca8b80e2131768baa8f3690aab6ba7a232dee6ff1e66150fdb8816c927 0006-TDLS-Reject-TPK-TK-reconfiguration.patch
fc84edd8b30305cc42053c872554098f3f077292ec980ed6a442f37884087ff2f055738fd55977ed792bef1887dcc8c4626586465d78dd0258edb83dcd50a65a 0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
7038044885871271ac724790663d5c0a428db83b41a691747be7a618ae893670a98f3ba52a297937249084296b0e9bcfd791edaa3928548efddb259e1a15f46c 0009-EAP-pwd-server-Fix-reassembly-buffer-handling.patch
99c734fe395b4231aa6a097a08a00e5dab65ea9c37a7c83b1904a37c39307d9e7e95485734b0d483687126f4100c75f8a7b1420f0a2edcbfe07b454a14548822 0010-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch
b54b7c6aa17e5cb86a9b354a516eb2dbefb544df18471339c61d82776de447011a2ac290bea1e6c8beae4b6cebefafb8174683ea42fb773e9e8fe6c679f33ba3 hostapd.initd
0882263bbd7c0b05bf51f51d66e11a23a0b8ca7da2a3b8a30166d2c5f044c0c134e6bccb1d02c9e81819ca8fb0c0fb55c7121a08fe7233ccaa73ff8ab9a238fe hostapd.confd"
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment