import wpa_supplicant-2.9-5.el8

This commit is contained in:
CentOS Sources 2021-10-06 13:02:23 -04:00 committed by Stepan Oksanichenko
parent 84485bbc93
commit 9659c49696
3 changed files with 98 additions and 1 deletions

View File

@ -0,0 +1,50 @@
From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Tue, 8 Dec 2020 23:52:50 +0200
Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
p2p_add_device() may remove the oldest entry if there is no room in the
peer table for a new peer. This would result in any pointer to that
removed entry becoming stale. A corner case with an invalid PD Request
frame could result in such a case ending up using (read+write) freed
memory. This could only by triggered when the peer table has reached its
maximum size and the PD Request frame is received from the P2P Device
Address of the oldest remaining entry and the frame has incorrect P2P
Device Address in the payload.
Fix this by fetching the dev pointer again after having called
p2p_add_device() so that the stale pointer cannot be used.
Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
src/p2p/p2p_pd.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
index 3994ec03f86b..05fd593494ef 100644
--- a/src/p2p/p2p_pd.c
+++ b/src/p2p/p2p_pd.c
@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
goto out;
}
+ dev = p2p_get_device(p2p, sa);
if (!dev) {
- dev = p2p_get_device(p2p, sa);
- if (!dev) {
- p2p_dbg(p2p,
- "Provision Discovery device not found "
- MACSTR, MAC2STR(sa));
- goto out;
- }
+ p2p_dbg(p2p,
+ "Provision Discovery device not found "
+ MACSTR, MAC2STR(sa));
+ goto out;
}
} else if (msg.wfd_subelems) {
wpabuf_free(dev->info.wfd_subelems);
--
2.25.1

View File

@ -0,0 +1,39 @@
From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
Message-Id: <947272febe24a8f0ea828b5b2f35f13c3821901e.1612435525.git.davide.caratti@gmail.com>
From: Jouni Malinen <jouni@codeaurora.org>
Date: Mon, 9 Nov 2020 11:43:12 +0200
Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
client
Parsing and copying of WPS secondary device types list was verifying
that the contents is not too long for the internal maximum in the case
of WPS messages, but similar validation was missing from the case of P2P
group information which encodes this information in a different
attribute. This could result in writing beyond the memory area assigned
for these entries and corrupting memory within an instance of struct
p2p_device. This could result in invalid operations and unexpected
behavior when trying to free pointers from that corrupted memory.
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
src/p2p/p2p.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
index 74b7b52ae..5cbfc217f 100644
--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
dev->info.config_methods = cli->config_methods;
os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
+ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
+ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
dev->info.wps_sec_dev_type_list_len);
}
--
2.29.2

View File

@ -7,7 +7,7 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant
Name: wpa_supplicant
Epoch: 1
Version: 2.9
Release: 4%{?dist}
Release: 5%{?dist}
License: BSD
Group: System Environment/Base
Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz
@ -40,6 +40,10 @@ Patch9: wpa_supplicant-P2P-Always-use-global-p2p_long_listen.patch
Patch10: wpa_supplicant-D-Bus-Allow-changing-an-interface-bridge-via-D-Bus.patch
# fix for bz1888718
Patch11: wpa_supplicant-dbus-Export-OWE-capability-and-OWE-BSS-key_mgmt.patch
# fix for CVE-2021-0326
Patch12: wpa_supplicant-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch
# fix for CVE-2021-27803
Patch13: wpa_supplicant-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch
URL: http://w1.fi/wpa_supplicant/
@ -183,6 +187,10 @@ chmod -R 0644 %{name}/examples/*.py
%endif
%changelog
* Mon Mar 1 2021 Davide Caratti <dcaratti@redhat.com> - 1:2.9-5
- P2P: Fix a corner case in peer addition based on PD Request (CVE-2021-27803)
- Fix buffer overflow when processing P2P group information (CVE-2021-0326)
* Fri Jan 15 2021 Davide Caratti <dcaratti@redhat.com> - 1:2.9-4
- enable WPA-EAP-SUITE-B-192 (rh #1916394)