rpm/wpa_supplicant
SHA256
1
0
Fork 0
forked from pool/wpa_supplicant
Code Pull Requests Activity
wpa_supplicant/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
Ismail Dönmez 81f0769d04 Accepting request 305848 from home:oertel:branches:hardware 
- added patch for bnc#930077
  0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
- added patch for bnc#930078
  0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
- added patches for bnc#930079
  0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
  0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
  0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
  0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
  0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch

OBS-URL: https://build.opensuse.org/request/show/305848
OBS-URL: https://build.opensuse.org/package/show/hardware/wpa_supplicant?expand=0&rev=56
2015-05-08 08:51:41 +00:00

67 lines
2.3 KiB
Diff
Raw Blame History

From e28a58be26184c2a23f80b410e0997ef1bd5d578 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Fri, 1 May 2015 16:40:44 +0300
Subject: [PATCH 2/5] EAP-pwd server: Fix payload length validation for Commit
and Confirm
The length of the received Commit and Confirm message payloads was not
checked before reading them. This could result in a buffer read
overflow when processing an invalid message.
Fix this by verifying that the payload is of expected length before
processing it. In addition, enforce correct state transition sequence to
make sure there is no unexpected behavior if receiving a Commit/Confirm
message before the previous exchanges have been completed.
Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/eap_server/eap_server_pwd.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
index 66bd5d2..3189105 100644
--- a/src/eap_server/eap_server_pwd.c
+++ b/src/eap_server/eap_server_pwd.c
@@ -656,9 +656,21 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
BIGNUM *x = NULL, *y = NULL, *cofactor = NULL;
EC_POINT *K = NULL, *point = NULL;
int res = 0;
+ size_t prime_len, order_len;
wpa_printf(MSG_DEBUG, "EAP-pwd: Received commit response");
+ prime_len = BN_num_bytes(data->grp->prime);
+ order_len = BN_num_bytes(data->grp->order);
+
+ if (payload_len != 2 * prime_len + order_len) {
+ wpa_printf(MSG_INFO,
+ "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
+ (unsigned int) payload_len,
+ (unsigned int) (2 * prime_len + order_len));
+ goto fin;
+ }
+
if (((data->peer_scalar = BN_new()) == NULL) ||
((data->k = BN_new()) == NULL) ||
((cofactor = BN_new()) == NULL) ||
@@ -774,6 +786,13 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,
u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
int offset;
+ if (payload_len != SHA256_MAC_LEN) {
+ wpa_printf(MSG_INFO,
+ "EAP-pwd: Unexpected Confirm payload length %u (expected %u)",
+ (unsigned int) payload_len, SHA256_MAC_LEN);
+ goto fin;
+ }
+
/* build up the ciphersuite: group | random_function | prf */
grp = htons(data->group_num);
ptr = (u8 *) &cs;
--
1.9.1
View Git Blame Copy Permalink