Update to version 2.5 from upstream
- Remove patches made redundant by version update
This commit is contained in:
parent
c803bbc7b5
commit
5b487d679b
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
/hostapd-2.4.tar.gz
|
||||
/hostapd-2.5.tar.gz
|
||||
|
@ -1,41 +0,0 @@
|
||||
From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001
|
||||
From: Jouni Malinen <j@w1.fi>
|
||||
Date: Wed, 29 Apr 2015 02:21:53 +0300
|
||||
Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser
|
||||
|
||||
The length of the WMM Action frame was not properly validated and the
|
||||
length of the information elements (int left) could end up being
|
||||
negative. This would result in reading significantly past the stack
|
||||
buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
|
||||
so, resulting in segmentation fault.
|
||||
|
||||
This can result in an invalid frame being used for a denial of service
|
||||
attack (hostapd process killed) against an AP with a driver that uses
|
||||
hostapd for management frame processing (e.g., all mac80211-based
|
||||
drivers).
|
||||
|
||||
Thanks to Kostya Kortchinsky of Google security team for discovering and
|
||||
reporting this issue.
|
||||
|
||||
Signed-off-by: Jouni Malinen <j@w1.fi>
|
||||
---
|
||||
src/ap/wmm.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/src/ap/wmm.c b/src/ap/wmm.c
|
||||
index 6d4177c..314e244 100644
|
||||
--- a/src/ap/wmm.c
|
||||
+++ b/src/ap/wmm.c
|
||||
@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd,
|
||||
return;
|
||||
}
|
||||
|
||||
+ if (left < 0)
|
||||
+ return; /* not a valid WMM Action frame */
|
||||
+
|
||||
/* extract the tspec info element */
|
||||
if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) {
|
||||
hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
|
||||
--
|
||||
1.9.1
|
||||
|
@ -1,48 +0,0 @@
|
||||
From 586c446e0ff42ae00315b014924ec669023bd8de Mon Sep 17 00:00:00 2001
|
||||
From: Jouni Malinen <j@w1.fi>
|
||||
Date: Sun, 7 Oct 2012 20:06:29 +0300
|
||||
Subject: [PATCH] EAP-TLS server: Fix TLS Message Length validation
|
||||
|
||||
EAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLS
|
||||
Message Length value properly and could end up trying to store more
|
||||
information into the message buffer than the allocated size if the first
|
||||
fragment is longer than the indicated size. This could result in hostapd
|
||||
process terminating in wpabuf length validation. Fix this by rejecting
|
||||
messages that have invalid TLS Message Length value.
|
||||
|
||||
This would affect cases that use the internal EAP authentication server
|
||||
in hostapd either directly with IEEE 802.1X or when using hostapd as a
|
||||
RADIUS authentication server and when receiving an incorrectly
|
||||
constructed EAP-TLS message. Cases where hostapd uses an external
|
||||
authentication are not affected.
|
||||
|
||||
Thanks to Timo Warns for finding and reporting this issue.
|
||||
|
||||
Signed-hostap: Jouni Malinen <j@w1.fi>
|
||||
intended-for: hostap-1
|
||||
---
|
||||
src/eap_server/eap_server_tls_common.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c
|
||||
index 31be2ec..46f282b 100644
|
||||
--- a/src/eap_server/eap_server_tls_common.c
|
||||
+++ b/src/eap_server/eap_server_tls_common.c
|
||||
@@ -261,6 +261,14 @@
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ if (len > message_length) {
|
||||
+ wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
|
||||
+ "first fragment of frame (TLS Message "
|
||||
+ "Length %d bytes)",
|
||||
+ (int) len, (int) message_length);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
data->tls_in = wpabuf_alloc(message_length);
|
||||
if (data->tls_in == NULL) {
|
||||
wpa_printf(MSG_DEBUG, "SSL: No memory for message");
|
||||
--
|
||||
1.7.11.4
|
||||
|
@ -1,59 +0,0 @@
|
||||
From df9079e72760ceb7ebe7fb11538200c516bdd886 Mon Sep 17 00:00:00 2001
|
||||
From: Jouni Malinen <j@w1.fi>
|
||||
Date: Tue, 7 Jul 2015 21:57:28 +0300
|
||||
Subject: [PATCH] NFC: Fix payload length validation in NDEF record parser
|
||||
|
||||
It was possible for the 32-bit record->total_length value to end up
|
||||
wrapping around due to integer overflow if the longer form of payload
|
||||
length field is used and record->payload_length gets a value close to
|
||||
2^32. This could result in ndef_parse_record() accepting a too large
|
||||
payload length value and the record type filter reading up to about 20
|
||||
bytes beyond the end of the buffer and potentially killing the process.
|
||||
This could also result in an attempt to allocate close to 2^32 bytes of
|
||||
heap memory and if that were to succeed, a buffer read overflow of the
|
||||
same length which would most likely result in the process termination.
|
||||
In case of record->total_length ending up getting the value 0, there
|
||||
would be no buffer read overflow, but record parsing would result in an
|
||||
infinite loop in ndef_parse_records().
|
||||
|
||||
Any of these error cases could potentially be used for denial of service
|
||||
attacks over NFC by using a malformed NDEF record on an NFC Tag or
|
||||
sending them during NFC connection handover if the application providing
|
||||
the NDEF message to hostapd/wpa_supplicant did no validation of the
|
||||
received records. While such validation is likely done in the NFC stack
|
||||
that needs to parse the NFC messages before further processing,
|
||||
hostapd/wpa_supplicant better be prepared for any data being included
|
||||
here.
|
||||
|
||||
Fix this by validating record->payload_length value in a way that
|
||||
detects integer overflow. (CID 122668)
|
||||
|
||||
Signed-off-by: Jouni Malinen <j@w1.fi>
|
||||
---
|
||||
src/wps/ndef.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
(Adapted for 2.4 sources in Fedora. -- JWL)
|
||||
|
||||
diff -up hostapd-2.4/src/wps/ndef.c.NDEF_payload hostapd-2.4/src/wps/ndef.c
|
||||
--- hostapd-2.4/src/wps/ndef.c.NDEF_payload 2015-03-15 13:30:39.000000000 -0400
|
||||
+++ hostapd-2.4/src/wps/ndef.c 2015-07-10 13:14:25.121359848 -0400
|
||||
@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *d
|
||||
if (size < 6)
|
||||
return -1;
|
||||
record->payload_length = ntohl(*(u32 *)pos);
|
||||
+ if (record->payload_length > size - 6)
|
||||
+ return -1;
|
||||
pos += sizeof(u32);
|
||||
}
|
||||
|
||||
@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *d
|
||||
pos += record->payload_length;
|
||||
|
||||
record->total_length = pos - data;
|
||||
- if (record->total_length > size)
|
||||
+ if (record->total_length > size ||
|
||||
+ record->total_length < record->payload_length)
|
||||
return -1;
|
||||
return 0;
|
||||
}
|
19
hostapd.spec
19
hostapd.spec
@ -1,8 +1,8 @@
|
||||
%global _hardened_build 1
|
||||
|
||||
Name: hostapd
|
||||
Version: 2.4
|
||||
Release: 4%{?dist}
|
||||
Version: 2.5
|
||||
Release: 1%{?dist}
|
||||
Summary: IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
|
||||
License: BSD
|
||||
URL: http://w1.fi/hostapd
|
||||
@ -12,9 +12,6 @@ Source1: %{name}.service
|
||||
Source2: %{name}.conf
|
||||
Source3: %{name}.sysconfig
|
||||
Source4: %{name}.init
|
||||
Patch0: %{name}-EAP-TLS-server-Fix-TLS-Message-Length-validation.patch
|
||||
Patch1: %{name}-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
|
||||
Patch2: %{name}-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
|
||||
|
||||
BuildRequires: libnl3-devel
|
||||
BuildRequires: openssl-devel
|
||||
@ -53,14 +50,6 @@ Logwatch scripts for hostapd.
|
||||
%prep
|
||||
%setup -q
|
||||
|
||||
# git://w1.fi/srv/git/hostap.git
|
||||
# commit 586c446e0ff42ae00315b014924ec669023bd8de
|
||||
%patch0 -p1 -b .message_length
|
||||
# commit ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae
|
||||
%patch1 -p1 -b .wmm_underflow
|
||||
# commit df9079e72760ceb7ebe7fb11538200c516bdd886
|
||||
%patch2 -p1 -b .ndef_length
|
||||
|
||||
%build
|
||||
cd hostapd
|
||||
cat defconfig | sed \
|
||||
@ -178,6 +167,10 @@ fi
|
||||
%{_sysconfdir}/logwatch/scripts/services/%{name}
|
||||
|
||||
%changelog
|
||||
* Tue Oct 13 2015 John W. Linville <linville@redhat.com> - 2.5-1
|
||||
- Update to version 2.5 from upstream
|
||||
- Remove patches made redundant by version update
|
||||
|
||||
* Fri Jul 10 2015 John W. Linville <linville@redhat.com> - 2.4-3
|
||||
- apply fix for NDEF record payload length checking
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user