Update to version 2.5 from upstream

- Remove patches made redundant by version update
This commit is contained in:
John W. Linville 2015-10-13 16:45:22 -04:00
parent c803bbc7b5
commit 5b487d679b
6 changed files with 8 additions and 163 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
/hostapd-2.4.tar.gz
/hostapd-2.5.tar.gz

View File

@ -1,41 +0,0 @@
From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Wed, 29 Apr 2015 02:21:53 +0300
Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser
The length of the WMM Action frame was not properly validated and the
length of the information elements (int left) could end up being
negative. This would result in reading significantly past the stack
buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
so, resulting in segmentation fault.
This can result in an invalid frame being used for a denial of service
attack (hostapd process killed) against an AP with a driver that uses
hostapd for management frame processing (e.g., all mac80211-based
drivers).
Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/ap/wmm.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/ap/wmm.c b/src/ap/wmm.c
index 6d4177c..314e244 100644
--- a/src/ap/wmm.c
+++ b/src/ap/wmm.c
@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd,
return;
}
+ if (left < 0)
+ return; /* not a valid WMM Action frame */
+
/* extract the tspec info element */
if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) {
hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
--
1.9.1

View File

@ -1,48 +0,0 @@
From 586c446e0ff42ae00315b014924ec669023bd8de Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 7 Oct 2012 20:06:29 +0300
Subject: [PATCH] EAP-TLS server: Fix TLS Message Length validation
EAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLS
Message Length value properly and could end up trying to store more
information into the message buffer than the allocated size if the first
fragment is longer than the indicated size. This could result in hostapd
process terminating in wpabuf length validation. Fix this by rejecting
messages that have invalid TLS Message Length value.
This would affect cases that use the internal EAP authentication server
in hostapd either directly with IEEE 802.1X or when using hostapd as a
RADIUS authentication server and when receiving an incorrectly
constructed EAP-TLS message. Cases where hostapd uses an external
authentication are not affected.
Thanks to Timo Warns for finding and reporting this issue.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
---
src/eap_server/eap_server_tls_common.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c
index 31be2ec..46f282b 100644
--- a/src/eap_server/eap_server_tls_common.c
+++ b/src/eap_server/eap_server_tls_common.c
@@ -261,6 +261,14 @@
return -1;
}
+ if (len > message_length) {
+ wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
+ "first fragment of frame (TLS Message "
+ "Length %d bytes)",
+ (int) len, (int) message_length);
+ return -1;
+ }
+
data->tls_in = wpabuf_alloc(message_length);
if (data->tls_in == NULL) {
wpa_printf(MSG_DEBUG, "SSL: No memory for message");
--
1.7.11.4

View File

@ -1,59 +0,0 @@
From df9079e72760ceb7ebe7fb11538200c516bdd886 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Tue, 7 Jul 2015 21:57:28 +0300
Subject: [PATCH] NFC: Fix payload length validation in NDEF record parser
It was possible for the 32-bit record->total_length value to end up
wrapping around due to integer overflow if the longer form of payload
length field is used and record->payload_length gets a value close to
2^32. This could result in ndef_parse_record() accepting a too large
payload length value and the record type filter reading up to about 20
bytes beyond the end of the buffer and potentially killing the process.
This could also result in an attempt to allocate close to 2^32 bytes of
heap memory and if that were to succeed, a buffer read overflow of the
same length which would most likely result in the process termination.
In case of record->total_length ending up getting the value 0, there
would be no buffer read overflow, but record parsing would result in an
infinite loop in ndef_parse_records().
Any of these error cases could potentially be used for denial of service
attacks over NFC by using a malformed NDEF record on an NFC Tag or
sending them during NFC connection handover if the application providing
the NDEF message to hostapd/wpa_supplicant did no validation of the
received records. While such validation is likely done in the NFC stack
that needs to parse the NFC messages before further processing,
hostapd/wpa_supplicant better be prepared for any data being included
here.
Fix this by validating record->payload_length value in a way that
detects integer overflow. (CID 122668)
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/wps/ndef.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
(Adapted for 2.4 sources in Fedora. -- JWL)
diff -up hostapd-2.4/src/wps/ndef.c.NDEF_payload hostapd-2.4/src/wps/ndef.c
--- hostapd-2.4/src/wps/ndef.c.NDEF_payload 2015-03-15 13:30:39.000000000 -0400
+++ hostapd-2.4/src/wps/ndef.c 2015-07-10 13:14:25.121359848 -0400
@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *d
if (size < 6)
return -1;
record->payload_length = ntohl(*(u32 *)pos);
+ if (record->payload_length > size - 6)
+ return -1;
pos += sizeof(u32);
}
@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *d
pos += record->payload_length;
record->total_length = pos - data;
- if (record->total_length > size)
+ if (record->total_length > size ||
+ record->total_length < record->payload_length)
return -1;
return 0;
}

View File

@ -1,8 +1,8 @@
%global _hardened_build 1
Name: hostapd
Version: 2.4
Release: 4%{?dist}
Version: 2.5
Release: 1%{?dist}
Summary: IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
License: BSD
URL: http://w1.fi/hostapd
@ -12,9 +12,6 @@ Source1: %{name}.service
Source2: %{name}.conf
Source3: %{name}.sysconfig
Source4: %{name}.init
Patch0: %{name}-EAP-TLS-server-Fix-TLS-Message-Length-validation.patch
Patch1: %{name}-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
Patch2: %{name}-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
BuildRequires: libnl3-devel
BuildRequires: openssl-devel
@ -53,14 +50,6 @@ Logwatch scripts for hostapd.
%prep
%setup -q
# git://w1.fi/srv/git/hostap.git
# commit 586c446e0ff42ae00315b014924ec669023bd8de
%patch0 -p1 -b .message_length
# commit ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae
%patch1 -p1 -b .wmm_underflow
# commit df9079e72760ceb7ebe7fb11538200c516bdd886
%patch2 -p1 -b .ndef_length
%build
cd hostapd
cat defconfig | sed \
@ -178,6 +167,10 @@ fi
%{_sysconfdir}/logwatch/scripts/services/%{name}
%changelog
* Tue Oct 13 2015 John W. Linville <linville@redhat.com> - 2.5-1
- Update to version 2.5 from upstream
- Remove patches made redundant by version update
* Fri Jul 10 2015 John W. Linville <linville@redhat.com> - 2.4-3
- apply fix for NDEF record payload length checking

View File

@ -1 +1 @@
04578f3f2c3eb1bec1adf30473813912 hostapd-2.4.tar.gz
69f9cec3f76d74f402864a43e4f8624f hostapd-2.5.tar.gz