-rw-r--r--main/hostapd/0001-EAP-pwd-peer-Fix-last-fragment-length-validation.patch54
-rw-r--r--main/hostapd/0001-EAP-pwd-server-Fix-last-fragment-length-validation.patch51
-rw-r--r--main/hostapd/APKBUILD10
3 files changed, 114 insertions, 1 deletions
diff --git a/main/hostapd/0001-EAP-pwd-peer-Fix-last-fragment-length-validation.patch b/main/hostapd/0001-EAP-pwd-peer-Fix-last-fragment-length-validation.patch
new file mode 100644
index 0000000000..82c26398b6
--- /dev/null
+++ b/main/hostapd/0001-EAP-pwd-peer-Fix-last-fragment-length-validation.patch
@@ -0,0 +1,54 @@
+From 8057821706784608b828e769ccefbced95591e50 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 1 Nov 2015 18:18:17 +0200
+Subject: [PATCH] EAP-pwd peer: Fix last fragment length validation
+
+All but the last fragment had their length checked against the remaining
+room in the reassembly buffer. This allowed a suitably constructed last
+fragment frame to try to add extra data that would go beyond the buffer.
+The length validation code in wpabuf_put_data() prevents an actual
+buffer write overflow from occurring, but this results in process
+termination. (CVE-2015-5315)
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_peer/eap_pwd.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
+index 1f78544..75ceef1 100644
+--- a/src/eap_peer/eap_pwd.c
++++ b/src/eap_peer/eap_pwd.c
+@@ -903,7 +903,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
+ /*
+ * buffer and ACK the fragment
+ */
+- if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
++ if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
+ data->in_frag_pos += len;
+ if (data->in_frag_pos > wpabuf_size(data->inbuf)) {
+ wpa_printf(MSG_INFO, "EAP-pwd: Buffer overflow attack "
+@@ -916,7 +916,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
+ return NULL;
+ }
+ wpabuf_put_data(data->inbuf, pos, len);
+-
++ }
++ if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
+ resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
+ EAP_PWD_HDR_SIZE,
+ EAP_CODE_RESPONSE, eap_get_id(reqData));
+@@ -930,10 +931,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
+ * we're buffering and this is the last fragment
+ */
+ if (data->in_frag_pos) {
+- wpabuf_put_data(data->inbuf, pos, len);
+ wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
+ (int) len);
+- data->in_frag_pos += len;
+ pos = wpabuf_head_u8(data->inbuf);
+ len = data->in_frag_pos;
+ }
+--
+1.9.1
+
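Review bot: In the peer hunk at `@@ -903,7 +903,7 @@` the new branch does `data->in_frag_pos += len;` before comparing the counter with `wpabuf_size(data->inbuf)`, so on the rejected-fragment path `in_frag_pos` already includes the oversized length; that is only harmless if the error branch around the `return NULL` at 916 (mostly outside the hunk) discards the reassembly state, which should be confirmed. The server patch in this same commit checks `(data->in_frag_pos + len) > wpabuf_size(data->inbuf)` first and only then increments, so the two fixes guard the same condition in different orders. Because this file is the upstream commit 8057821 carried verbatim, the right move is to verify the cleanup path rather than edit the vendored patch; if a local change were ever wanted, the matching form would be `if (data->in_frag_pos + len > wpabuf_size(data->inbuf)) {` with the increment moved after the check. eap_pwd_process begins and ends outside the hunk.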
diff --git a/main/hostapd/0001-EAP-pwd-server-Fix-last-fragment-length-validation.patch b/main/hostapd/0001-EAP-pwd-server-Fix-last-fragment-length-validation.patch
new file mode 100644
index 0000000000..bfc4c74e95
--- /dev/null
+++ b/main/hostapd/0001-EAP-pwd-server-Fix-last-fragment-length-validation.patch
@@ -0,0 +1,51 @@
+From bef802ece03f9ae9d52a21f0cf4f1bc2c5a1f8aa Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 1 Nov 2015 18:24:16 +0200
+Subject: [PATCH] EAP-pwd server: Fix last fragment length validation
+
+All but the last fragment had their length checked against the remaining
+room in the reassembly buffer. This allowed a suitably constructed last
+fragment frame to try to add extra data that would go beyond the buffer.
+The length validation code in wpabuf_put_data() prevents an actual
+buffer write overflow from occurring, but this results in process
+termination. (CVE-2015-5314)
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_server/eap_server_pwd.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
+index cb83ff7..9f787ab 100644
+--- a/src/eap_server/eap_server_pwd.c
++++ b/src/eap_server/eap_server_pwd.c
+@@ -970,7 +970,7 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
+ /*
+ * the first and all intermediate fragments have the M bit set
+ */
+- if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
++ if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
+ if ((data->in_frag_pos + len) > wpabuf_size(data->inbuf)) {
+ wpa_printf(MSG_DEBUG, "EAP-pwd: Buffer overflow "
+ "attack detected! (%d+%d > %d)",
+@@ -981,6 +981,8 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
+ }
+ wpabuf_put_data(data->inbuf, pos, len);
+ data->in_frag_pos += len;
++ }
++ if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
+ wpa_printf(MSG_DEBUG, "EAP-pwd: Got a %d byte fragment",
+ (int) len);
+ return;
+@@ -990,8 +992,6 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
+ * buffering fragments so that's how we know it's the last)
+ */
+ if (data->in_frag_pos) {
+- wpabuf_put_data(data->inbuf, pos, len);
+- data->in_frag_pos += len;
+ pos = wpabuf_head_u8(data->inbuf);
+ len = data->in_frag_pos;
+ wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
+--
+1.9.1
+
diff --git a/main/hostapd/APKBUILD b/main/hostapd/APKBUILD
index c2474c8d25..92ec8ec9e3 100644
--- a/main/hostapd/APKBUILD
+++ b/main/hostapd/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=hostapd
pkgver=2.5
-pkgrel=0
+pkgrel=1
pkgdesc="daemon for wireless software access points"
url="http://hostap.epitest.fi/hostapd/"
arch="all"
@@ -13,6 +13,8 @@ subpackages="$pkgname-doc"
patches="
musl-fix-types.patch
CVE-2012-4445.patch
+ 0001-EAP-pwd-peer-Fix-last-fragment-length-validation.patch
+ 0001-EAP-pwd-server-Fix-last-fragment-length-validation.patch
"
@@ -87,15 +89,21 @@ package() {
md5sums="69f9cec3f76d74f402864a43e4f8624f hostapd-2.5.tar.gz
7568486221987c93041b4877eced7317 musl-fix-types.patch
0d01d4641e0c33f79c1f4372613655bf CVE-2012-4445.patch
+ae911963ddb5426e4daeb080901f971d 0001-EAP-pwd-peer-Fix-last-fragment-length-validation.patch
+0bafbab0d6dbd17172b92e4e52a745a7 0001-EAP-pwd-server-Fix-last-fragment-length-validation.patch
29b561d4ee34dc22a8a0ae0bf1db5c45 hostapd.initd
c91382209042defa04e79d0ae841a29e hostapd.confd"
sha256sums="8e272d954dc0d7026c264b79b15389ec2b2c555b32970de39f506b9f463ec74a hostapd-2.5.tar.gz
f296013d432740478f24de7214d07ff897e6e38cbfd01a73a3158014f94fd771 musl-fix-types.patch
06dc7df2159fb0604191f66d35164caa5927963eebe77b5f2c389bd7590e2a49 CVE-2012-4445.patch
+1ac039b13d88ff78ade418182cbef6e6c13f4ca9624fd4b3ce623b0442b43769 0001-EAP-pwd-peer-Fix-last-fragment-length-validation.patch
+4b6503e7ad4e049cb9566af7c220c451f65e35794962e239e908a1460c38a626 0001-EAP-pwd-server-Fix-last-fragment-length-validation.patch
cae79127d088c047c1460d5b63eb67da1a830eb725a8c95e50070e516ad02800 hostapd.initd
6c14e88b14bb9a93d2dca69239d829f435e93180e621319aeed0f3987290dfba hostapd.confd"
sha512sums="bbb0547c29f4925aff8639cae3291ed020c2a9d989dd267be831b2418880916d2ec69003e36ecc796c348476086397cca8f63c52633f91c11a9c2ab72e1c83c0 hostapd-2.5.tar.gz
6ccdca29bc3a6b87d6e3f581c4f4725f0684bb88f39d46f875e9bdb0c41ee5b8be3b7908084c6631bffddece82cb2f2222e159d842944b6f2b7b639ef2de609c musl-fix-types.patch
619acce84516dead1e03e5da71657ea4c4b6f3ca8271574409773aeb316cbddc88095b50320804f457f001f4f3fe83053e660c008d8409f59bb4d3bfe058b601 CVE-2012-4445.patch
+c1a222b75cfbec77a88d83adfb2dbf93c040b5e3541e225aa218de1a8a11ed129946852247252fe993a0a6e8229293312a63b30824cd45ca7e81fb02d2df376f 0001-EAP-pwd-peer-Fix-last-fragment-length-validation.patch
+e29a0a3c88041c9a9d11801d311543c6c056b09d39798170e76cadeb407a3209d28f699a25cf58cc3484a60c420b2f5405cac56b1d03f8e7910469cb03971c28 0001-EAP-pwd-server-Fix-last-fragment-length-validation.patch
b54b7c6aa17e5cb86a9b354a516eb2dbefb544df18471339c61d82776de447011a2ac290bea1e6c8beae4b6cebefafb8174683ea42fb773e9e8fe6c679f33ba3 hostapd.initd
0882263bbd7c0b05bf51f51d66e11a23a0b8ca7da2a3b8a30166d2c5f044c0c134e6bccb1d02c9e81819ca8fb0c0fb55c7121a08fe7233ccaa73ff8ab9a238fe hostapd.confd"