rpms/hostapd
6
0
Fork 0
Code Issues Pull Requests Releases Activity

EAP-TLS: Add extra validation for TLS Message Length

Browse Source
This commit is contained in:
John W. Linville 2012-10-08 13:41:39 -04:00
parent 438eb5ef36
commit 11cd48b17f
2 changed files with 57 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
hostapd-EAP-TLS-server-Fix-TLS-Message-Length-validation.patch Normal file
View File

@ -0,0 +1,48 @@
From 586c446e0ff42ae00315b014924ec669023bd8de Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 7 Oct 2012 20:06:29 +0300
Subject: [PATCH] EAP-TLS server: Fix TLS Message Length validation
EAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLS
Message Length value properly and could end up trying to store more
information into the message buffer than the allocated size if the first
fragment is longer than the indicated size. This could result in hostapd
process terminating in wpabuf length validation. Fix this by rejecting
messages that have invalid TLS Message Length value.
This would affect cases that use the internal EAP authentication server
in hostapd either directly with IEEE 802.1X or when using hostapd as a
RADIUS authentication server and when receiving an incorrectly
constructed EAP-TLS message. Cases where hostapd uses an external
authentication are not affected.
Thanks to Timo Warns for finding and reporting this issue.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
---
src/eap_server/eap_server_tls_common.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c
index 31be2ec..46f282b 100644
--- a/src/eap_server/eap_server_tls_common.c
+++ b/src/eap_server/eap_server_tls_common.c
@@ -228,6 +228,14 @@ static int eap_server_tls_process_fragment(struct eap_ssl_data *data,
return -1;
}
+ if (len > message_length) {
+ wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
+ "first fragment of frame (TLS Message "
+ "Length %d bytes)",
+ (int) len, (int) message_length);
+ return -1;
+ }
+
data->tls_in = wpabuf_alloc(message_length);
if (data->tls_in == NULL) {
wpa_printf(MSG_DEBUG, "SSL: No memory for message");
--
1.7.11.4

10
hostapd.spec
View File

@ -1,6 +1,6 @@
Name: hostapd Name: hostapd
Version: 1.0 Version: 1.0
Release: 2%{?dist} Release: 3%{?dist}
Summary: IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator Summary: IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
Group: System Environment/Daemons Group: System Environment/Daemons
License: BSD License: BSD
@ -11,6 +11,7 @@ Source1: %{name}.service
Source2: %{name}.conf Source2: %{name}.conf
Source3: %{name}.sysconfig Source3: %{name}.sysconfig
Patch0: hostapd-RPM_OPT_FLAGS.patch Patch0: hostapd-RPM_OPT_FLAGS.patch
Patch1: hostapd-EAP-TLS-server-Fix-TLS-Message-Length-validation.patch
BuildRequires: libnl-devel >= 1.1 BuildRequires: libnl-devel >= 1.1
BuildRequires: openssl-devel BuildRequires: openssl-devel
@ -47,6 +48,10 @@ Logwatch scripts for hostapd
# Hack Makefile to allow use of RPM_OPT_FLAGS # Hack Makefile to allow use of RPM_OPT_FLAGS
%patch0 -p1 %patch0 -p1
# git://w1.fi/srv/git/hostap.git
# commit 586c446e0ff42ae00315b014924ec669023bd8de
%patch1 -p1
# Prepare default config file # Prepare default config file
cat %{SOURCE2} | sed -e 's/HOSTAPD_VERSION/'%{version}'/' > hostapd.conf cat %{SOURCE2} | sed -e 's/HOSTAPD_VERSION/'%{version}'/' > hostapd.conf
@ -163,6 +168,9 @@ fi
%changelog %changelog
* Mon Oct 8 2012 John W. Linville <linville@redhat.com> - 1.0-3
- EAP-TLS: Add extra validation for TLS Message Length
* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0-2 * Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild