apply fix for NDEF record payload length checking

hostapd-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch

@@ -0,0 +1,59 @@
+From df9079e72760ceb7ebe7fb11538200c516bdd886 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Tue, 7 Jul 2015 21:57:28 +0300
+Subject: [PATCH] NFC: Fix payload length validation in NDEF record parser
+
+It was possible for the 32-bit record->total_length value to end up
+wrapping around due to integer overflow if the longer form of payload
+length field is used and record->payload_length gets a value close to
+2^32. This could result in ndef_parse_record() accepting a too large
+payload length value and the record type filter reading up to about 20
+bytes beyond the end of the buffer and potentially killing the process.
+This could also result in an attempt to allocate close to 2^32 bytes of
+heap memory and if that were to succeed, a buffer read overflow of the
+same length which would most likely result in the process termination.
+In case of record->total_length ending up getting the value 0, there
+would be no buffer read overflow, but record parsing would result in an
+infinite loop in ndef_parse_records().
+
+Any of these error cases could potentially be used for denial of service
+attacks over NFC by using a malformed NDEF record on an NFC Tag or
+sending them during NFC connection handover if the application providing
+the NDEF message to hostapd/wpa_supplicant did no validation of the
+received records. While such validation is likely done in the NFC stack
+that needs to parse the NFC messages before further processing,
+hostapd/wpa_supplicant better be prepared for any data being included
+here.
+
+Fix this by validating record->payload_length value in a way that
+detects integer overflow. (CID 122668)
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/wps/ndef.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+(Adapted for 2.4 sources in Fedora. -- JWL)
+
+diff -up hostapd-2.4/src/wps/ndef.c.NDEF_payload hostapd-2.4/src/wps/ndef.c
+--- hostapd-2.4/src/wps/ndef.c.NDEF_payload	2015-03-15 13:30:39.000000000 -0400
++++ hostapd-2.4/src/wps/ndef.c	2015-07-10 13:14:25.121359848 -0400
+@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *d
+ 		if (size < 6)
+ 			return -1;
+ 		record->payload_length = ntohl(*(u32 *)pos);
++		if (record->payload_length > size - 6)
++			return -1;
+ 		pos += sizeof(u32);
+ 	}
+ 
+@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *d
+ 	pos += record->payload_length;
+ 
+ 	record->total_length = pos - data;
+-	if (record->total_length > size)
++	if (record->total_length > size ||
++	    record->total_length < record->payload_length)
+ 		return -1;
+ 	return 0;
+ }

hostapd.spec

@@ -2,7 +2,7 @@
 
 Name:           hostapd
 Version:        2.4
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
 License:        BSD
 URL:            http://w1.fi/hostapd
@@ -14,6 +14,7 @@ Source3:        %{name}.sysconfig
 Source4:        %{name}.init
 Patch0:         %{name}-EAP-TLS-server-Fix-TLS-Message-Length-validation.patch
 Patch1:         %{name}-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
+Patch2:         %{name}-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
 
 BuildRequires:  libnl3-devel
 BuildRequires:  openssl-devel
@@ -57,6 +58,8 @@ Logwatch scripts for hostapd.
 %patch0 -p1 -b .message_length
 # 	commit ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae
 %patch1 -p1 -b .wmm_underflow
+#       commit df9079e72760ceb7ebe7fb11538200c516bdd886
+%patch2 -p1 -b .ndef_length
 
 %build
 cd hostapd
@@ -175,6 +178,9 @@ fi
 %{_sysconfdir}/logwatch/scripts/services/%{name}
 
 %changelog
+* Fri Jul 10 2015 John W. Linville <linville@redhat.com> - 2.4-3
+- apply fix for NDEF record payload length checking
+
 * Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild