rpms/wpa_supplicant
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import wpa_supplicant-2.9-2.el8_3.1

Browse Source
This commit is contained in:
CentOS Sources 2021-03-11 02:10:46 -05:00 committed by Andrew Lukoshko
parent 1755e4dcde
commit 30ca4fa42b
2 changed files with 56 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
SOURCES/wpa_supplicant-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch Normal file
View File

@ -0,0 +1,50 @@
From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Tue, 8 Dec 2020 23:52:50 +0200
Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
p2p_add_device() may remove the oldest entry if there is no room in the
peer table for a new peer. This would result in any pointer to that
removed entry becoming stale. A corner case with an invalid PD Request
frame could result in such a case ending up using (read+write) freed
memory. This could only by triggered when the peer table has reached its
maximum size and the PD Request frame is received from the P2P Device
Address of the oldest remaining entry and the frame has incorrect P2P
Device Address in the payload.
Fix this by fetching the dev pointer again after having called
p2p_add_device() so that the stale pointer cannot be used.
Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
src/p2p/p2p_pd.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
index 3994ec03f86b..05fd593494ef 100644
--- a/src/p2p/p2p_pd.c
+++ b/src/p2p/p2p_pd.c
@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
goto out;
}
+ dev = p2p_get_device(p2p, sa);
if (!dev) {
- dev = p2p_get_device(p2p, sa);
- if (!dev) {
- p2p_dbg(p2p,
- "Provision Discovery device not found "
- MACSTR, MAC2STR(sa));
- goto out;
- }
+ p2p_dbg(p2p,
+ "Provision Discovery device not found "
+ MACSTR, MAC2STR(sa));
+ goto out;
}
} else if (msg.wfd_subelems) {
wpabuf_free(dev->info.wfd_subelems);
--
2.25.1

7
SPECS/wpa_supplicant.spec
View File

@ -7,7 +7,7 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant
Name: wpa_supplicant Name: wpa_supplicant
Epoch: 1 Epoch: 1
Version: 2.9 Version: 2.9
Release: 2%{?dist} Release: 2%{?dist}.1
License: BSD License: BSD
Group: System Environment/Base Group: System Environment/Base
Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz
@ -34,6 +34,8 @@ Patch6: wpa_supplicant-gui-qt4.patch
Patch7: wpa_supplicant-p2p-segfault-on-iface-removal.patch Patch7: wpa_supplicant-p2p-segfault-on-iface-removal.patch
# fix for CVE-2019-16275 # fix for CVE-2019-16275
Patch8: 0001-AP-Silently-ignore-management-frame-from-unexpected-.patch Patch8: 0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
# fix for CVE-2021-27803
Patch9: wpa_supplicant-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch
URL: http://w1.fi/wpa_supplicant/ URL: http://w1.fi/wpa_supplicant/
@ -177,6 +179,9 @@ chmod -R 0644 %{name}/examples/*.py
%endif %endif
%changelog %changelog
* Thu Mar 4 2021 Davide Caratti <dcaratti@redhat.com> - 1:2.9-2.1
- P2P: Fix a corner case in peer addition based on PD Request (CVE-2021-27803)
* Tue Oct 29 2019 Davide Caratti <dcaratti@redhat.com> - 1:2.9-2 * Tue Oct 29 2019 Davide Caratti <dcaratti@redhat.com> - 1:2.9-2
- Fix AP mode PMF disconnection protection bypass (CVE-2019-16275) - Fix AP mode PMF disconnection protection bypass (CVE-2019-16275)
- Fix NULL dereference in d-bus handler when P2P control interface is removed (rh #1752780) - Fix NULL dereference in d-bus handler when P2P control interface is removed (rh #1752780)