Commit 8caec895 authored by Leonardo Arena's avatar Leonardo Arena

main/wpa_supplicant: security fix (CVE-2019-11555)

Fixes #10417
parent d3d30100
From fe76f487e28bdc61940f304f153a954cf36935ea Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Wed, 17 Apr 2019 01:55:32 +0300
Subject: [PATCH 1/3] EAP-pwd server: Fix reassembly buffer handling
data->inbuf allocation might fail and if that were to happen, the next
fragment in the exchange could have resulted in NULL pointer
dereference. Unexpected fragment with more bit might also be able to
trigger this. Fix that by explicitly checking for data->inbuf to be
available before using it.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
src/eap_server/eap_server_pwd.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
index 11bef55..38e2af8 100644
--- a/src/eap_server/eap_server_pwd.c
+++ b/src/eap_server/eap_server_pwd.c
@@ -912,6 +912,12 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
* the first and all intermediate fragments have the M bit set
*/
if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
+ if (!data->inbuf) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-pwd: No buffer for reassembly");
+ eap_pwd_state(data, FAILURE);
+ return;
+ }
if ((data->in_frag_pos + len) > wpabuf_size(data->inbuf)) {
wpa_printf(MSG_DEBUG, "EAP-pwd: Buffer overflow "
"attack detected! (%d+%d > %d)",
@@ -932,7 +938,7 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
* last fragment won't have the M bit set (but we're obviously
* buffering fragments so that's how we know it's the last)
*/
- if (data->in_frag_pos) {
+ if (data->in_frag_pos && data->inbuf) {
pos = wpabuf_head_u8(data->inbuf);
len = data->in_frag_pos;
wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
--
2.7.4
From d2d1a324ce937628e4d9d9999fe113819b7d4478 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Wed, 17 Apr 2019 02:21:20 +0300
Subject: [PATCH 3/3] EAP-pwd peer: Fix reassembly buffer handling
Unexpected fragment might result in data->inbuf not being allocated
before processing and that could have resulted in NULL pointer
dereference. Fix that by explicitly checking for data->inbuf to be
available before using it.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
src/eap_peer/eap_pwd.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
index 46894a5..76fcad4 100644
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@@ -932,6 +932,13 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
* buffer and ACK the fragment
*/
if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
+ if (!data->inbuf) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-pwd: No buffer for reassembly");
+ ret->methodState = METHOD_DONE;
+ ret->decision = DECISION_FAIL;
+ return NULL;
+ }
data->in_frag_pos += len;
if (data->in_frag_pos > wpabuf_size(data->inbuf)) {
wpa_printf(MSG_INFO, "EAP-pwd: Buffer overflow attack "
@@ -958,7 +965,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
/*
* we're buffering and this is the last fragment
*/
- if (data->in_frag_pos) {
+ if (data->in_frag_pos && data->inbuf) {
wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
(int) len);
pos = wpabuf_head_u8(data->inbuf);
--
2.7.4
......@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=wpa_supplicant
pkgver=2.6
pkgrel=9
pkgrel=10
pkgdesc="A utility providing key negotiation for WPA wireless networks"
url="https://w1.fi/wpa_supplicant/"
arch="all"
......@@ -19,6 +19,8 @@ source="http://w1.fi/releases/$pkgname-$pkgver.tar.gz
rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
0014-EAP-pwd-server-Fix-reassembly-buffer-handling.patch
0015-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch
wpa_supplicant.initd
wpa_supplicant.confd
......@@ -29,6 +31,8 @@ source="http://w1.fi/releases/$pkgname-$pkgver.tar.gz
wpa_cli.sh"
# secfixes:
# 2.6-r10:
# - CVE-2019-11555
# 2.6-r9:
# - CVE-2018-14526
# 2.6-r7:
......@@ -97,6 +101,8 @@ a6382d8e84b4829be33c46bf2f4c6f3232c9d924a4547a21dfe023bf5be8ee1c635920295f52be28
111e655cfbb3a86e3792040e0ea375490d31c42c9d43cbe911290d54df5f4db437e4c8ad0e937c51729dcefeb0db0989b8ab55b9523398683abd08ebfec18076 rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
fc84edd8b30305cc42053c872554098f3f077292ec980ed6a442f37884087ff2f055738fd55977ed792bef1887dcc8c4626586465d78dd0258edb83dcd50a65a rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
c275cb1a41901d3e5389ca301809baa16a73b40afdcd3a24b63b294e1b9e5eaead148b30742273deecbdd03c6b387a6b3da74de2ae6c49a499b5dd326ff4da9f rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
7038044885871271ac724790663d5c0a428db83b41a691747be7a618ae893670a98f3ba52a297937249084296b0e9bcfd791edaa3928548efddb259e1a15f46c 0014-EAP-pwd-server-Fix-reassembly-buffer-handling.patch
99c734fe395b4231aa6a097a08a00e5dab65ea9c37a7c83b1904a37c39307d9e7e95485734b0d483687126f4100c75f8a7b1420f0a2edcbfe07b454a14548822 0015-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch
11eed22f6e793f40c788d586c715deecae03c421d11761b7b4a376660bce812c54cc6f353c7d4d5da9c455aeffd778baefb9e76d380027a729574a756e54ddcc wpa_supplicant.initd
29103161ec2b9631fca9e8d9a97fafd60ffac3fe78cf613b834395ddcaf8be1e253c22e060d7d9f9b974b2d7ce794caa932a2125e29f6494b75bce475f7b30e1 wpa_supplicant.confd
e98edc1ecec91335d515c50cac8816e3f6eef139aba574bcf0c6c20c131ef0de40aa657a33d07af09ab28245471a09cb6b3e29b306e48f46d335a0c47a0a56c4 libressl.patch
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment