01/01: gnu: wpa-supplicant: Fix WPS and P2P NFC NDEF record payload leng

guix-commits

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

01/01: gnu: wpa-supplicant: Fix WPS and P2P NFC NDEF record payload leng

From:	Mark H. Weaver
Subject:	01/01: gnu: wpa-supplicant: Fix WPS and P2P NFC NDEF record payload length validation.
Date:	Wed, 08 Jul 2015 22:27:46 +0000

mhw pushed a commit to branch master
in repository guix.

commit 9fb00f383dd7df97adf8bc603eeaa7be4e901bbd
Author: Mark H Weaver <address@hidden>
Date:   Wed Jul 8 18:18:40 2015 -0400

    gnu: wpa-supplicant: Fix WPS and P2P NFC NDEF record payload length 
validation.
    
    * gnu/packages/patches/wpa-supplicant-2015-5-fix.patch: New file.
    * gnu-system.am (dist_patch_DATA): Add it.
    * gnu/packages/admin.scm (wpa-supplicant-light)[source]: Add patch.
---
 gnu-system.am                                      |    1 +
 gnu/packages/admin.scm                             |    3 +-
 .../patches/wpa-supplicant-2015-5-fix.patch        |   64 ++++++++++++++++++++
 3 files changed, 67 insertions(+), 1 deletions(-)

diff --git a/gnu-system.am b/gnu-system.am
index 59090b5..7158821 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -651,6 +651,7 @@ dist_patch_DATA =                                           
\
   gnu/packages/patches/wpa-supplicant-2015-4-fix-pt3.patch     \
   gnu/packages/patches/wpa-supplicant-2015-4-fix-pt4.patch     \
   gnu/packages/patches/wpa-supplicant-2015-4-fix-pt5.patch     \
+  gnu/packages/patches/wpa-supplicant-2015-5-fix.patch         \
   gnu/packages/patches/xf86-video-ark-remove-mibstore.patch    \
   gnu/packages/patches/xf86-video-ast-remove-mibstore.patch    \
   gnu/packages/patches/xf86-video-geode-glibc-2.20.patch       \
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 58f9ce5..c96e116 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -705,7 +705,8 @@ commands and their arguments.")
                                    "wpa-supplicant-2015-4-fix-pt2.patch"
                                    "wpa-supplicant-2015-4-fix-pt3.patch"
                                    "wpa-supplicant-2015-4-fix-pt4.patch"
-                                   "wpa-supplicant-2015-4-fix-pt5.patch")))))
+                                   "wpa-supplicant-2015-4-fix-pt5.patch"
+                                   "wpa-supplicant-2015-5-fix.patch")))))
     (build-system gnu-build-system)
     (arguments
      '(#:phases (alist-replace
diff --git a/gnu/packages/patches/wpa-supplicant-2015-5-fix.patch 
b/gnu/packages/patches/wpa-supplicant-2015-5-fix.patch
new file mode 100644
index 0000000..496c68f
--- /dev/null
+++ b/gnu/packages/patches/wpa-supplicant-2015-5-fix.patch
@@ -0,0 +1,64 @@
+Original patch copied from http://w1.fi/security/2015-5/
+and then backported to wpa-supplicant-2.4.
+
+From df9079e72760ceb7ebe7fb11538200c516bdd886 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <address@hidden>
+Date: Tue, 7 Jul 2015 21:57:28 +0300
+Subject: [PATCH] NFC: Fix payload length validation in NDEF record parser
+
+It was possible for the 32-bit record->total_length value to end up
+wrapping around due to integer overflow if the longer form of payload
+length field is used and record->payload_length gets a value close to
+2^32. This could result in ndef_parse_record() accepting a too large
+payload length value and the record type filter reading up to about 20
+bytes beyond the end of the buffer and potentially killing the process.
+This could also result in an attempt to allocate close to 2^32 bytes of
+heap memory and if that were to succeed, a buffer read overflow of the
+same length which would most likely result in the process termination.
+In case of record->total_length ending up getting the value 0, there
+would be no buffer read overflow, but record parsing would result in an
+infinite loop in ndef_parse_records().
+
+Any of these error cases could potentially be used for denial of service
+attacks over NFC by using a malformed NDEF record on an NFC Tag or
+sending them during NFC connection handover if the application providing
+the NDEF message to hostapd/wpa_supplicant did no validation of the
+received records. While such validation is likely done in the NFC stack
+that needs to parse the NFC messages before further processing,
+hostapd/wpa_supplicant better be prepared for any data being included
+here.
+
+Fix this by validating record->payload_length value in a way that
+detects integer overflow. (CID 122668)
+
+Signed-off-by: Jouni Malinen <address@hidden>
+---
+ src/wps/ndef.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/wps/ndef.c b/src/wps/ndef.c
+index 5604b0a..50d018f 100644
+--- a/src/wps/ndef.c
++++ b/src/wps/ndef.c
+@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
+               if (size < 6)
+                       return -1;
+               record->payload_length = ntohl(*(u32 *)pos);
++              if (record->payload_length > size - 6)
++                      return -1;
+               pos += sizeof(u32);
+       }
+ 
+@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
+       pos += record->payload_length;
+ 
+       record->total_length = pos - data;
+-      if (record->total_length > size)
++      if (record->total_length > size ||
++          record->total_length < record->payload_length)
+               return -1;
+       return 0;
+ }
+-- 
+1.9.1
+

[Prev in Thread]

Current Thread

[Next in Thread]

branch master updated (16de69c -> 9fb00f3), Mark H. Weaver, 2015/07/08
- 01/01: gnu: wpa-supplicant: Fix WPS and P2P NFC NDEF record payload length validation., Mark H. Weaver <=

Prev by Date: branch master updated (16de69c -> 9fb00f3)
Next by Date: branch master updated (9fb00f3 -> 7b21252)
Previous by thread: branch master updated (16de69c -> 9fb00f3)
Next by thread: branch master updated (9fb00f3 -> 7b21252)
Index(es):
- Date
- Thread