From: "SAITOH Masanobu"
Subject: CVS commit: [netbsd-7] src/external/bsd/wpa/dist/src
To: source-changes@NetBSD.org
Date: Mon, 11 May 2015 04:51:51 +0000
Message-Id: <20150511045151.80B5698@cvs.netbsd.org>
List-Id: source-changes.NetBSD.org

Module Name:    src
Committed By:   msaitoh
Date:           Mon May 11 04:51:51 UTC 2015

Modified Files:
        src/external/bsd/wpa/dist/src/ap [netbsd-7]: wmm.c
        src/external/bsd/wpa/dist/src/eap_peer [netbsd-7]: eap_pwd.c
        src/external/bsd/wpa/dist/src/eap_server [netbsd-7]: eap_server_pwd.c
        src/external/bsd/wpa/dist/src/wps [netbsd-7]: httpread.c

Log Message:
Pull up following revision(s) (requested by christos in ticket #749):
        external/bsd/wpa/dist/src/ap/wmm.c: revision 1.2
        external/bsd/wpa/dist/src/wps/httpread.c: revision 1.2
        external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c: revision 1.2-1.3
        external/bsd/wpa/dist/src/eap_peer/eap_pwd.c: revision 1.2-1.4

- strtoul() return value may end up overflowing the int h->chunk_size and
  resulting in a negative value being stored as the chunk_size. This could
  result in the following memcpy operation using a very large length
  argument, which would result in a buffer overflow and segmentation fault.
  This could have been used to cause a denial of service by any device that
  has been authorized for network access (either wireless or wired). This
  would affect both the WPS UPnP functionality in a WPS AP (hostapd with
  upnp_iface parameter set in the configuration) and WPS ER (wpa_supplicant
  with WPS_ER_START control interface command used).

  Validate the parsed chunk length value to avoid this. In addition to
  rejecting negative values, we can also reject a chunk size that would be
  larger than the maximum configured body length.

  Thanks to Kostya Kortchinsky of Google security team for discovering and
  reporting this issue.

- The length of the WMM Action frame was not properly validated and the
  length of the information elements (int left) could end up being
  negative. This would result in reading significantly past the stack
  buffer while parsing the IEs in ieee802_11_parse_elems() and, while doing
  so, resulting in a segmentation fault.

  This can result in an invalid frame being used for a denial of service
  attack (hostapd process killed) against an AP with a driver that uses
  hostapd for management frame processing (e.g., all mac80211-based
  drivers).

  Thanks to Kostya Kortchinsky of Google security team for discovering and
  reporting this issue.

- The length of the received Commit and Confirm message payloads was not
  checked before reading them. This could result in a buffer read overflow
  when processing an invalid message.

  Fix this by verifying that the payload is of expected length before
  processing it. In addition, enforce correct state transition sequence to
  make sure there is no unexpected behavior if receiving a Commit/Confirm
  message before the previous exchanges have been completed.

  Thanks to Kostya Kortchinsky of Google security team for discovering and
  reporting this issue.

- The remaining number of bytes in the message could be smaller than the
  Total-Length field size, so the length needs to be explicitly checked
  prior to reading the field and decrementing the len variable. This could
  have resulted in the remaining length becoming negative and interpreted
  as a huge positive integer.

  In addition, check that there is no already started fragment in progress
  before allocating a new buffer for reassembling fragments. This avoids a
  potential memory leak when processing an invalid message.

- The L (Length) and M (More) flags need to be cleared before deciding
  whether the locally generated response requires fragmentation. This fixes
  an issue where these flags from the server could have been invalid for
  the following message. In some cases, this could have resulted in
  triggering the wpabuf security check that would terminate the process due
  to invalid buffer allocation.

To generate a diff of this commit:
cvs rdiff -u -r1.1.1.3.4.1 -r1.1.1.3.4.2 \
    src/external/bsd/wpa/dist/src/ap/wmm.c
cvs rdiff -u -r1.1.1.2.4.1 -r1.1.1.2.4.2 \
    src/external/bsd/wpa/dist/src/eap_peer/eap_pwd.c
cvs rdiff -u -r1.1.1.2.4.1 -r1.1.1.2.4.2 \
    src/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c
cvs rdiff -u -r1.1.1.2.4.1 -r1.1.1.2.4.2 \
    src/external/bsd/wpa/dist/src/wps/httpread.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
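The httpread chunk-size issue described in the first item, as an added example that is not code from hostapd or the NetBSD tree: naive_chunk_size() shows the int truncation the log message describes, and checked_chunk_size() applies the two rejections the fix calls for (values that would go negative in an int, and sizes beyond the configured maximum body length). EXAMPLE_MAX_BODY and both function names are assumptions made for this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* Stand-in for the configured maximum body length; the value is an
 * assumption for this example, not a hostapd default. */
#define EXAMPLE_MAX_BODY 20000

/* The pattern the commit fixes: storing strtoul()'s unsigned long straight
 * into an int. Hex values above INT_MAX wrap to a negative chunk_size that
 * a later memcpy() would treat as a huge size_t. */
int naive_chunk_size(const char *line)
{
    return (int) strtoul(line, NULL, 16);
}

/* Hardened parser for the hex chunk-size line of an HTTP/1.1 chunked body.
 * Returns the chunk length (0 <= n <= max_body) or -1 to reject the message. */
int checked_chunk_size(const char *line, int max_body)
{
    char *end;
    unsigned long v;

    if (line == NULL || max_body < 0)
        return -1;
    errno = 0;
    v = strtoul(line, &end, 16);
    if (end == line)                    /* no hex digits at all */
        return -1;
    if (errno == ERANGE)                /* did not even fit an unsigned long */
        return -1;
    /* Only CR/LF, a space or ';' (chunk extension) may follow the digits. */
    if (*end != '\0' && *end != '\r' && *end != '\n' &&
        *end != ' ' && *end != ';')
        return -1;
    if (v > INT_MAX)                    /* would turn negative in an int */
        return -1;
    if (v > (unsigned long) max_body)   /* exceeds the configured body limit */
        return -1;
    return (int) v;
}
```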
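The EAP-pwd fragment handling from the fourth item (read Total-Length only after verifying the remaining length, and refuse to start a new reassembly buffer while one is in progress), as an added example rather than wpa_supplicant's own code. The struct, the function names and EAP_PWD_MAX_TOTAL are assumptions for this example; the L and M bit positions follow the PWD-Exch octet layout of RFC 5931, and unfragmented messages are out of scope here.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* PWD-Exch octet flag bits (RFC 5931): L = Total-Length present, M = more. */
#define EAP_PWD_HDR_LENGTH 0x80
#define EAP_PWD_HDR_MORE   0x40
#define EAP_PWD_MAX_TOTAL  65535   /* bound on a reassembled message (assumed) */

/* Reassembly state; buf == NULL means no fragment is in progress. */
struct pwd_reasm { uint8_t *buf; size_t total, used; };

/* Drop any partial message and report rejection. */
static int pwd_reject(struct pwd_reasm *r)
{
    free(r->buf); r->buf = NULL; r->total = r->used = 0;
    return -1;
}

/* Feed one fragment: flags is the PWD-Exch octet, data/len the bytes after it.
 * Returns 1 when a complete message sits in r->buf (r->used bytes, caller
 * frees), 0 when more fragments are needed, -1 when rejected (state cleared). */
int pwd_handle_fragment(struct pwd_reasm *r, uint8_t flags,
                        const uint8_t *data, size_t len)
{
    if (flags & EAP_PWD_HDR_LENGTH) {
        size_t total;
        if (len < 2)              /* check BEFORE reading Total-Length: no underflow */
            return pwd_reject(r);
        if (r->buf != NULL)       /* already reassembling: do not leak the old buffer */
            return pwd_reject(r);
        total = ((size_t) data[0] << 8) | data[1];
        data += 2; len -= 2;      /* safe, len >= 2 was verified above */
        if (total == 0 || total > EAP_PWD_MAX_TOTAL)
            return pwd_reject(r);
        if ((r->buf = malloc(total)) == NULL)
            return -1;
        r->total = total; r->used = 0;
    } else if (r->buf == NULL) {
        return -1;                /* continuation without a first fragment */
    }
    if (len > r->total - r->used) /* would overrun the announced total */
        return pwd_reject(r);
    memcpy(r->buf + r->used, data, len);
    r->used += len;
    if (flags & EAP_PWD_HDR_MORE)
        return 0;
    return r->used == r->total ? 1 : pwd_reject(r);  /* last fragment must complete */
}
```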