diff --git a/rh1241907-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch b/rh1241907-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch new file mode 100644 index 0000000..c792cb6 --- /dev/null +++ b/rh1241907-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch @@ -0,0 +1,63 @@ +From df9079e72760ceb7ebe7fb11538200c516bdd886 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Tue, 7 Jul 2015 21:57:28 +0300 +Subject: [PATCH] NFC: Fix payload length validation in NDEF record parser + +It was possible for the 32-bit record->total_length value to end up +wrapping around due to integer overflow if the longer form of payload +length field is used and record->payload_length gets a value close to +2^32. This could result in ndef_parse_record() accepting a too large +payload length value and the record type filter reading up to about 20 +bytes beyond the end of the buffer and potentially killing the process. +This could also result in an attempt to allocate close to 2^32 bytes of +heap memory and if that were to succeed, a buffer read overflow of the +same length which would most likely result in the process termination. +In case of record->total_length ending up getting the value 0, there +would be no buffer read overflow, but record parsing would result in an +infinite loop in ndef_parse_records(). + +Any of these error cases could potentially be used for denial of service +attacks over NFC by using a malformed NDEF record on an NFC Tag or +sending them during NFC connection handover if the application providing +the NDEF message to hostapd/wpa_supplicant did no validation of the +received records. While such validation is likely done in the NFC stack +that needs to parse the NFC messages before further processing, +hostapd/wpa_supplicant better be prepared for any data being included +here. + +Fix this by validating record->payload_length value in a way that +detects integer overflow. (CID 122668) + +Signed-off-by: Jouni Malinen +--- + src/wps/ndef.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +(Adapted for 2.4 sources in Fedora. -- JWL) + +diff --git a/src/wps/ndef.c b/src/wps/ndef.c +index 5604b0a..50d018f 100644 +--- a/src/wps/ndef.c ++++ b/src/wps/ndef.c +@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *data, u32 size, + if (size < 6) + return -1; + record->payload_length = ntohl(*(u32 *)pos); ++ if (record->payload_length > size - 6) ++ return -1; + pos += sizeof(u32); + } + +@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *data, u32 size, + pos += record->payload_length; + + record->total_length = pos - data; +- if (record->total_length > size) ++ if (record->total_length > size || ++ record->total_length < record->payload_length) + return -1; + return 0; + } +-- +1.9.1 + diff --git a/wpa_supplicant.spec b/wpa_supplicant.spec index c41e18f..18f1aff 100644 --- a/wpa_supplicant.spec +++ b/wpa_supplicant.spec @@ -7,7 +7,7 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant Name: wpa_supplicant Epoch: 1 Version: 2.4 -Release: 3%{?dist} +Release: 4%{?dist} License: BSD Group: System Environment/Base Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz @@ -41,6 +41,9 @@ Patch9: 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch # Fix a crash - rh #1231973 # http://w1.fi/cgit/hostap/commit/wpa_supplicant/dbus/dbus_new_handlers.c?id=8a78e227df1ead19be8e12a4108e448887e64d6f Patch10: rh1231973-dbus-fix-operations-for-p2p-mgmt.patch +# Fix a security issue - rh #rh1241907 +# http://w1.fi/security/2015-5/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch +Patch11: rh1241907-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch URL: http://w1.fi/wpa_supplicant/ @@ -93,6 +96,7 @@ Graphical User Interface for wpa_supplicant written using QT %patch8 -p1 -b .rh837402-less-aggressive-roaming %patch9 -p1 -b .cve-2015-1863 %patch10 -p1 -b .rh1231973-dbus-fix-operations-for-p2p-mgmt +%patch11 -p1 -b .rh1241907-ndef-length %build pushd wpa_supplicant @@ -207,6 +211,9 @@ fi %endif %changelog +* Wed Jul 15 2015 Jiří Klimeš - 1:2.4-4 +- Fix for NDEF record payload length checking (rh #1241907) + * Tue Jun 16 2015 Jiří Klimeš - 1:2.4-3 - Fix a crash if P2P management interface is used (rh #1231973)