From bd16f667df73cd693e6994f892b7e422433e9744642d4dda37bf52ef2c7e3f18 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ismail=20D=C3=B6nmez?=
Date: Fri, 24 Apr 2015 10:21:08 +0000
Subject: [PATCH] Accepting request 299026 from home:elvigia:branches:hardware

- 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch Fix CVE-2015-1863, memcpy overflow.
- wpa_supplicant-alloc_size.patch: annotate two wrappers with attribute alloc_size, which may help warning us of bugs such as the above.
OBS-URL: https://build.opensuse.org/request/show/299026
OBS-URL: https://build.opensuse.org/package/show/hardware/wpa_supplicant?expand=0&rev=52
---
 ...D-element-length-before-copying-it-C.patch | 42 +++++++++++++++++++
 wpa_supplicant-alloc_size.patch | 20 +++++++++
 wpa_supplicant.changes | 9 ++++
 wpa_supplicant.spec | 5 ++-
 4 files changed, 75 insertions(+), 1 deletion(-)
 create mode 100644 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
 create mode 100644 wpa_supplicant-alloc_size.patch

diff --git a/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch b/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
new file mode 100644
index 0000000..ccb2d2e
--- /dev/null
+++ b/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
@@ -0,0 +1,42 @@
+From 9ed4eee345f85e3025c33c6e20aa25696e341ccd Mon Sep 17 00:00:00 2001
+From: Jouni Malinen
+Date: Tue, 7 Apr 2015 11:32:11 +0300
+Subject: [PATCH] P2P: Validate SSID element length before copying it
+ (CVE-2015-1863)
+
+This fixes a possible memcpy overflow for P2P dev->oper_ssid in
+p2p_add_device(). The length provided by the peer device (0..255 bytes)
+was used without proper bounds checking and that could have resulted in
+arbitrary data of up to 223 bytes being written beyond the end of the
+dev->oper_ssid[] array (of which about 150 bytes would be beyond the
+heap allocation) when processing a corrupted management frame for P2P
+peer discovery purposes.
+
+This could result in corrupted state in heap, unexpected program
+behavior due to corrupted P2P peer device information, denial of service
+due to process crash, exposure of memory contents during GO Negotiation,
+and potentially arbitrary code execution.
+
+Thanks to Google security team for reporting this issue and smart
+hardware research group of Alibaba security team for discovering it.
+
+Signed-off-by: Jouni Malinen
+---
+ src/p2p/p2p.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
+index f584fae..a45fe73 100644
+--- a/src/p2p/p2p.c
++++ b/src/p2p/p2p.c
+@@ -778,6 +778,7 @@ int p2p_add_device(struct p2p_data *p2p, const u8 *addr, int freq,
+ if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0)
+ os_memcpy(dev->interface_addr, addr, ETH_ALEN);
+ if (msg.ssid &&
++ msg.ssid[1] <= sizeof(dev->oper_ssid) &&
+ (msg.ssid[1] != P2P_WILDCARD_SSID_LEN ||
+ os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN)
+ != 0)) {
+--
+1.9.1
+
diff --git a/wpa_supplicant-alloc_size.patch b/wpa_supplicant-alloc_size.patch
new file mode 100644
index 0000000..e19d1fb
--- /dev/null
+++ b/wpa_supplicant-alloc_size.patch
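Review bot: The added `msg.ssid[1] <= sizeof(dev->oper_ssid) &&` keeps the later copy inside the array, but an element whose length byte is larger than the array now makes the whole condition false silently, so the entry appears to keep whatever `oper_ssid` it already had and nothing records that a malformed SSID element arrived from this peer. A debug trace on that path would make such frames visible when diagnosing a misbehaving or hostile peer, e.g. an `else if (msg.ssid)` branch with `wpa_printf(MSG_DEBUG, "P2P: Ignore oversize SSID element (len=%u) from " MACSTR, msg.ssid[1], MAC2STR(p2p_dev_addr));`. The copy into `dev->oper_ssid` and its length field that this guard protects, and the rest of `p2p_add_device()`, lie outside the hunk, so they were not reviewed here. Since this file is a verbatim copy of upstream commit 9ed4eee, such a trace would be a separate local addition rather than an edit of the vendored fix.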
@@ -0,0 +1,20 @@
+--- wpa_supplicant-2.4.orig/src/utils/os.h
++++ wpa_supplicant-2.4/src/utils/os.h
+@@ -253,7 +253,7 @@ int os_file_exists(const char *fname);
+ *
+ * Caller is responsible for freeing the returned buffer with os_free().
+ */
+-void * os_zalloc(size_t size);
++void * os_zalloc(size_t size) __attribute((malloc, alloc_size(1)));
+
+ /**
+ * os_calloc - Allocate and zero memory for an array
+@@ -267,6 +267,8 @@ void * os_zalloc(size_t size);
+ *
+ * Caller is responsible for freeing the returned buffer with os_free().
+ */
+ + +__attribute((malloc, alloc_size(1,2)))
+ static inline void * os_calloc(size_t nmemb, size_t size)
+ {
+ if (size && nmemb > (~(size_t) 0) / size)
diff --git a/wpa_supplicant.changes b/wpa_supplicant.changes
index a8786d0..710da00 100644
--- a/wpa_supplicant.changes
+++ b/wpa_supplicant.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu Apr 23 19:49:28 UTC 2015 - crrodriguez@opensuse.org
+
+- 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
+ Fix CVE-2015-1863, memcpy overflow.
+- wpa_supplicant-alloc_size.patch: annotate two wrappers
+ with attribute alloc_size, which may help warning us of
+ bugs such as the above.
+
 -------------------------------------------------------------------
 Fri Apr 10 23:05:28 UTC 2015 - stefan.bruens@rwth-aachen.de
diff --git a/wpa_supplicant.spec b/wpa_supplicant.spec
index b4bae4e..17c0e7b 100644
--- a/wpa_supplicant.spec
+++ b/wpa_supplicant.spec
@@ -47,6 +47,8 @@ Patch1: wpa_supplicant-flush-debug-output.patch
 # wpa_supplicant-sigusr1-changes-debuglevel.patch won't go upstream as it
 # is not portable
 Patch2: wpa_supplicant-sigusr1-changes-debuglevel.patch
+Patch3: 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
+Patch4: wpa_supplicant-alloc_size.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 Requires: logrotate
 %if ! %{defined _rundir}
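Review bot: The `__attribute((malloc, alloc_size(1)))` appended to the `os_zalloc` declaration and the `__attribute((malloc, alloc_size(1,2)))` placed before `os_calloc` are unconditional in src/utils/os.h, a header every translation unit pulls in, so a compiler without GNU attribute support would reject the declarations outright; the openSUSE build uses GCC, so this is a portability caveat for anyone reusing the patch rather than a break here. Guarding the annotation behind `__GNUC__` through a small macro, spelled `__attribute__` (the documented form, though GCC also accepts the short `__attribute`), keeps the compile-time diagnostics without tying the header to one compiler, as sketched below. Only these two wrappers are annotated, so allocations that go through other os.h allocation helpers get no such check, which is worth stating in the patch header so nobody assumes wider coverage.
```c
/* once, near the top of src/utils/os.h */
#ifdef __GNUC__
#define OS_ALLOC_ATTR(size_args) __attribute__((malloc, alloc_size size_args))
#else
#define OS_ALLOC_ATTR(size_args)
#endif
/* … unchanged: os_zalloc doc comment … */
void * os_zalloc(size_t size) OS_ALLOC_ATTR((1));
/* … unchanged: os_calloc doc comment … */
OS_ALLOC_ATTR((1, 2))
static inline void * os_calloc(size_t nmemb, size_t size)
```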
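Review bot: `Patch3:` and `Patch4:` are declared without the explanatory comment the file gives the preceding local patch (the `# wpa_supplicant-sigusr1-changes-debuglevel.patch won't go upstream …` lines above Patch2), so a later maintainer cannot tell from the spec alone which entry is a backported upstream security fix and which is a compiler-annotation patch that only aids diagnostics. Suggest `# Upstream fix for CVE-2015-1863 (memcpy overflow in P2P SSID handling)` above Patch3 and `# alloc_size/malloc attributes on os_zalloc/os_calloc so GCC can flag oversize copies (see wpa_supplicant.changes)` above Patch4.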
@@ -84,7 +86,8 @@ rm -rf wpa_supplicant-%{version}/patches
 cp %{SOURCE1} wpa_supplicant/.config
 %patch1 -p0
 %patch2 -p1
-
+%patch3 -p1
+%patch4 -p1
 %build
 cd wpa_supplicant
 CFLAGS="$RPM_OPT_FLAGS" make V=1 %{?_smp_mflags}
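Review bot: The removed line in the middle of this hunk (the lone `-`) is the blank line that separated the %prep patch list from `%build`, so on the new side `%patch4 -p1` is immediately followed by `%build` and the section boundary is no longer visually marked as it is elsewhere in the file. Keep the separator: `%patch4 -p1`, an empty line, then `%build`. The `-p1` strip depth does match the path prefixes visible in both new patch files (`a/src/p2p/p2p.c` and `wpa_supplicant-2.4.orig/src/utils/os.h`), so the apply step itself looks consistent.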