rpms/wpa_supplicant
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to version 2.5

Browse Source
This commit is contained in:
Lubomir Rintel 2015-10-27 09:08:51 +01:00
parent 4b1dcdcfa7
commit dd5ca60f4a
6 changed files with 40 additions and 257 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -16,3 +16,4 @@ wpa_supplicant-0.6.8.tar.gz
/wpa_supplicant-2.0.tar.gz
/wpa_supplicant-2.3.tar.gz
/wpa_supplicant-2.4.tar.gz
/wpa_supplicant-2.5.tar.gz

42
0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
View File

@ -1,42 +0,0 @@
From 9ed4eee345f85e3025c33c6e20aa25696e341ccd Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Tue, 7 Apr 2015 11:32:11 +0300
Subject: [PATCH] P2P: Validate SSID element length before copying it
(CVE-2015-1863)
This fixes a possible memcpy overflow for P2P dev->oper_ssid in
p2p_add_device(). The length provided by the peer device (0..255 bytes)
was used without proper bounds checking and that could have resulted in
arbitrary data of up to 223 bytes being written beyond the end of the
dev->oper_ssid[] array (of which about 150 bytes would be beyond the
heap allocation) when processing a corrupted management frame for P2P
peer discovery purposes.
This could result in corrupted state in heap, unexpected program
behavior due to corrupted P2P peer device information, denial of service
due to process crash, exposure of memory contents during GO Negotiation,
and potentially arbitrary code execution.
Thanks to Google security team for reporting this issue and smart
hardware research group of Alibaba security team for discovering it.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
src/p2p/p2p.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
index f584fae..a45fe73 100644
--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
@@ -778,6 +778,7 @@ int p2p_add_device(struct p2p_data *p2p, const u8 *addr, int freq,
if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0)
os_memcpy(dev->interface_addr, addr, ETH_ALEN);
if (msg.ssid &&
+ msg.ssid[1] <= sizeof(dev->oper_ssid) &&
(msg.ssid[1] != P2P_WILDCARD_SSID_LEN ||
os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN)
!= 0)) {
--
2.3.5

195
rh1231973-dbus-fix-operations-for-p2p-mgmt.patch
View File

@ -1,195 +0,0 @@
From 8a78e227df1ead19be8e12a4108e448887e64d6f Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Wed, 29 Apr 2015 10:13:34 +0000
Subject: D-Bus: Fix operations when P2P management interface is used
Commit 21efc940f6e7f07b84b7e5c5867f3d81594c4fb0 ('wpa_supplicant: Do not
register a P2P management interface on DBus') hides the special P2P
management interface from D-Bus. However, it did not take into account
the possibility of wpa_s->dbus_path and wpa_s->dbus_new_path being NULL
in such cases on number of code paths within the D-Bus handlers. This
could result in invalid arguments (NULL path) being provided to D-Bus
functions (mainly, dbus_message_iter_append_basic) and NULL pointer
dereference when iterating over all interfaces. Either of these could
make wpa_supplicant process terminate.
Fix this by explicitly checking that the interface-specific D-Bus path
has been registered before using it anywhere with D-Bus handlers. In
addition, find the correct wpa_s instance to fix P2P operations through
D-Bus when the P2P Device interface is used.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
(limited to 'wpa_supplicant/dbus/dbus_new_handlers.c')
diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c
index d695d1b..3f5fd0a 100644
--- a/wpa_supplicant/dbus/dbus_new_handlers.c
+++ b/wpa_supplicant/dbus/dbus_new_handlers.c
@@ -157,7 +157,8 @@ static struct wpa_supplicant * get_iface_by_dbus_path(
struct wpa_supplicant *wpa_s;
for (wpa_s = global->ifaces; wpa_s; wpa_s = wpa_s->next) {
- if (os_strcmp(wpa_s->dbus_new_path, path) == 0)
+ if (wpa_s->dbus_new_path &&
+ os_strcmp(wpa_s->dbus_new_path, path) == 0)
return wpa_s;
}
return NULL;
@@ -600,7 +601,7 @@ DBusMessage * wpas_dbus_handler_create_interface(DBusMessage *message,
iface.bridge_ifname = bridge_ifname;
/* Otherwise, have wpa_supplicant attach to it. */
wpa_s = wpa_supplicant_add_iface(global, &iface, NULL);
- if (wpa_s) {
+ if (wpa_s && wpa_s->dbus_new_path) {
const char *path = wpa_s->dbus_new_path;
reply = dbus_message_new_method_return(message);
@@ -684,7 +685,7 @@ DBusMessage * wpas_dbus_handler_get_interface(DBusMessage *message,
DBUS_TYPE_INVALID);
wpa_s = wpa_supplicant_get_iface(global, ifname);
- if (wpa_s == NULL)
+ if (wpa_s == NULL || wpa_s->dbus_new_path == NULL)
return wpas_dbus_error_iface_unknown(message);
path = wpa_s->dbus_new_path;
@@ -876,8 +877,10 @@ dbus_bool_t wpas_dbus_getter_interfaces(DBusMessageIter *iter,
unsigned int i = 0, num = 0;
dbus_bool_t success;
- for (wpa_s = global->ifaces; wpa_s; wpa_s = wpa_s->next)
- num++;
+ for (wpa_s = global->ifaces; wpa_s; wpa_s = wpa_s->next) {
+ if (wpa_s->dbus_new_path)
+ num++;
+ }
paths = os_calloc(num, sizeof(char *));
if (!paths) {
@@ -885,8 +888,10 @@ dbus_bool_t wpas_dbus_getter_interfaces(DBusMessageIter *iter,
return FALSE;
}
- for (wpa_s = global->ifaces; wpa_s; wpa_s = wpa_s->next)
- paths[i++] = wpa_s->dbus_new_path;
+ for (wpa_s = global->ifaces; wpa_s; wpa_s = wpa_s->next) {
+ if (wpa_s->dbus_new_path)
+ paths[i++] = wpa_s->dbus_new_path;
+ }
success = wpas_dbus_simple_array_property_getter(iter,
DBUS_TYPE_OBJECT_PATH,
@@ -1478,7 +1483,8 @@ DBusMessage * wpas_dbus_handler_add_network(DBusMessage *message,
dbus_message_iter_init(message, &iter);
- ssid = wpa_config_add_network(wpa_s->conf);
+ if (wpa_s->dbus_new_path)
+ ssid = wpa_config_add_network(wpa_s->conf);
if (ssid == NULL) {
wpa_printf(MSG_ERROR, "%s[dbus]: can't add new interface.",
__func__);
@@ -1602,7 +1608,7 @@ DBusMessage * wpas_dbus_handler_remove_network(DBusMessage *message,
iface = wpas_dbus_new_decompose_object_path(op,
WPAS_DBUS_NEW_NETWORKS_PART,
&net_id);
- if (iface == NULL || net_id == NULL ||
+ if (iface == NULL || net_id == NULL || !wpa_s->dbus_new_path ||
os_strcmp(iface, wpa_s->dbus_new_path) != 0) {
reply = wpas_dbus_error_invalid_args(message, op);
goto out;
@@ -1715,7 +1721,7 @@ DBusMessage * wpas_dbus_handler_select_network(DBusMessage *message,
iface = wpas_dbus_new_decompose_object_path(op,
WPAS_DBUS_NEW_NETWORKS_PART,
&net_id);
- if (iface == NULL || net_id == NULL ||
+ if (iface == NULL || net_id == NULL || !wpa_s->dbus_new_path ||
os_strcmp(iface, wpa_s->dbus_new_path) != 0) {
reply = wpas_dbus_error_invalid_args(message, op);
goto out;
@@ -1773,7 +1779,7 @@ DBusMessage * wpas_dbus_handler_network_reply(DBusMessage *message,
iface = wpas_dbus_new_decompose_object_path(op,
WPAS_DBUS_NEW_NETWORKS_PART,
&net_id);
- if (iface == NULL || net_id == NULL ||
+ if (iface == NULL || net_id == NULL || !wpa_s->dbus_new_path ||
os_strcmp(iface, wpa_s->dbus_new_path) != 0) {
reply = wpas_dbus_error_invalid_args(message, op);
goto out;
@@ -2266,12 +2272,14 @@ DBusMessage * wpas_dbus_handler_set_pkcs11_engine_and_module_path(
message, DBUS_ERROR_FAILED,
"Reinit of the EAPOL state machine with the new PKCS #11 engine and module path failed.");
- wpa_dbus_mark_property_changed(
- wpa_s->global->dbus, wpa_s->dbus_new_path,
- WPAS_DBUS_NEW_IFACE_INTERFACE, "PKCS11EnginePath");
- wpa_dbus_mark_property_changed(
- wpa_s->global->dbus, wpa_s->dbus_new_path,
- WPAS_DBUS_NEW_IFACE_INTERFACE, "PKCS11ModulePath");
+ if (wpa_s->dbus_new_path) {
+ wpa_dbus_mark_property_changed(
+ wpa_s->global->dbus, wpa_s->dbus_new_path,
+ WPAS_DBUS_NEW_IFACE_INTERFACE, "PKCS11EnginePath");
+ wpa_dbus_mark_property_changed(
+ wpa_s->global->dbus, wpa_s->dbus_new_path,
+ WPAS_DBUS_NEW_IFACE_INTERFACE, "PKCS11ModulePath");
+ }
return NULL;
}
@@ -3024,7 +3032,7 @@ dbus_bool_t wpas_dbus_getter_current_bss(DBusMessageIter *iter,
struct wpa_supplicant *wpa_s = user_data;
char path_buf[WPAS_DBUS_OBJECT_PATH_MAX], *bss_obj_path = path_buf;
- if (wpa_s->current_bss)
+ if (wpa_s->current_bss && wpa_s->dbus_new_path)
os_snprintf(bss_obj_path, WPAS_DBUS_OBJECT_PATH_MAX,
"%s/" WPAS_DBUS_NEW_BSSIDS_PART "/%u",
wpa_s->dbus_new_path, wpa_s->current_bss->id);
@@ -3052,7 +3060,7 @@ dbus_bool_t wpas_dbus_getter_current_network(DBusMessageIter *iter,
struct wpa_supplicant *wpa_s = user_data;
char path_buf[WPAS_DBUS_OBJECT_PATH_MAX], *net_obj_path = path_buf;
- if (wpa_s->current_ssid)
+ if (wpa_s->current_ssid && wpa_s->dbus_new_path)
os_snprintf(net_obj_path, WPAS_DBUS_OBJECT_PATH_MAX,
"%s/" WPAS_DBUS_NEW_NETWORKS_PART "/%u",
wpa_s->dbus_new_path, wpa_s->current_ssid->id);
@@ -3140,6 +3148,12 @@ dbus_bool_t wpas_dbus_getter_bsss(DBusMessageIter *iter, DBusError *error,
unsigned int i = 0;
dbus_bool_t success = FALSE;
+ if (!wpa_s->dbus_new_path) {
+ dbus_set_error(error, DBUS_ERROR_FAILED,
+ "%s: no D-Bus interface", __func__);
+ return FALSE;
+ }
+
paths = os_calloc(wpa_s->num_bss, sizeof(char *));
if (!paths) {
dbus_set_error_const(error, DBUS_ERROR_NO_MEMORY, "no memory");
@@ -3191,6 +3205,12 @@ dbus_bool_t wpas_dbus_getter_networks(DBusMessageIter *iter, DBusError *error,
unsigned int i = 0, num = 0;
dbus_bool_t success = FALSE;
+ if (!wpa_s->dbus_new_path) {
+ dbus_set_error(error, DBUS_ERROR_FAILED,
+ "%s: no D-Bus interface", __func__);
+ return FALSE;
+ }
+
for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next)
if (!network_is_persistent_group(ssid))
num++;
@@ -4104,7 +4124,7 @@ void wpas_dbus_signal_preq(struct wpa_supplicant *wpa_s,
struct wpas_dbus_priv *priv = wpa_s->global->dbus;
/* Do nothing if the control interface is not turned on */
- if (priv == NULL)
+ if (priv == NULL || !wpa_s->dbus_new_path)
return;
if (wpa_s->preq_notify_peer == NULL)
--
cgit v0.9.2

2
sources
View File

@ -1 +1 @@
f0037dbe03897dcaf2ad2722e659095d wpa_supplicant-2.4.tar.gz
96ff75c3a514f1f324560a2376f13110 wpa_supplicant-2.5.tar.gz

39
wpa_supplicant-gui-qt4.patch
View File

@ -1,16 +1,41 @@
diff -up wpa_supplicant-0.7.3/wpa_supplicant/Makefile.qt4 wpa_supplicant-0.7.3/wpa_supplicant/Makefile
--- wpa_supplicant-0.7.3/wpa_supplicant/Makefile.qt4 2010-09-07 10:43:39.000000000 -0500
+++ wpa_supplicant-0.7.3/wpa_supplicant/Makefile 2010-12-08 10:07:44.152664004 -0600
@@ -1352,10 +1352,10 @@ wpa_gui: wpa_gui/Makefile
From 9404f356e394604d1d3d6dbffc52abd54260e4d4 Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lkundrak@v3.sk>
Date: Tue, 27 Oct 2015 08:56:35 +0100
Subject: [PATCH] wpa_supplicant: allow overriding the names of the Qt4 tools
This is useful for distributions that ship different versions of Qt in
different locations.
---
wpa_supplicant/Makefile | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
index ad9ead9..b19676d 100644
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -11,6 +11,9 @@ export INCDIR ?= /usr/local/include/
export BINDIR ?= /usr/local/sbin/
PKG_CONFIG ?= pkg-config
+QMAKE ?= qmake
+LRELEASE ?= lrelease
+
CFLAGS += $(EXTRA_CFLAGS)
CFLAGS += -I$(abspath ../src)
CFLAGS += -I$(abspath ../src/utils)
@@ -1787,10 +1790,10 @@ wpa_gui:
@echo "wpa_gui has been removed - see wpa_gui-qt4 for replacement"
wpa_gui-qt4/Makefile:
- qmake -o wpa_gui-qt4/Makefile wpa_gui-qt4/wpa_gui.pro
+ qmake-qt4 -o wpa_gui-qt4/Makefile wpa_gui-qt4/wpa_gui.pro
- qmake -o wpa_gui-qt4/Makefile wpa_gui-qt4/wpa_gui.pro
+ $(QMAKE) -o wpa_gui-qt4/Makefile wpa_gui-qt4/wpa_gui.pro
wpa_gui-qt4/lang/wpa_gui_de.qm: wpa_gui-qt4/lang/wpa_gui_de.ts
- lrelease wpa_gui-qt4/wpa_gui.pro
+ lrelease-qt4 wpa_gui-qt4/wpa_gui.pro
+ $(LRELEASE) wpa_gui-qt4/wpa_gui.pro
wpa_gui-qt4: wpa_gui-qt4/Makefile wpa_gui-qt4/lang/wpa_gui_de.qm
$(MAKE) -C wpa_gui-qt4
--
2.6.2

18
wpa_supplicant.spec
View File

@ -6,8 +6,8 @@
Summary: WPA/WPA2/IEEE 802.1X Supplicant
Name: wpa_supplicant
Epoch: 1
Version: 2.4
Release: 6%{?dist}
Version: 2.5
Release: 1%{?dist}
License: BSD
Group: System Environment/Base
Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz
@ -35,12 +35,6 @@ Patch6: wpa_supplicant-gui-qt4.patch
# dcbw states (2015-04):
# "upstream doesn't like that patch so it's been discussed and I think rejected"
Patch8: rh837402-less-aggressive-roaming.patch
# CVE-2015-1863, backport from upstream master, will be in 2.5
# http://w1.fi/cgit/hostap/commit/?id=9ed4eee345f85e3025c33c6e20aa25696e341ccd
Patch9: 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
# Fix a crash - rh #1231973
# http://w1.fi/cgit/hostap/commit/wpa_supplicant/dbus/dbus_new_handlers.c?id=8a78e227df1ead19be8e12a4108e448887e64d6f
Patch10: rh1231973-dbus-fix-operations-for-p2p-mgmt.patch
# Fix a security issue - rh #rh1241907
# http://w1.fi/security/2015-5/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
Patch11: rh1241907-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
@ -97,9 +91,6 @@ Graphical User Interface for wpa_supplicant written using QT
%patch3 -p1 -b .quiet-scan-results-msg
%patch6 -p1 -b .qt4
%patch8 -p1 -b .rh837402-less-aggressive-roaming
%patch9 -p1 -b .cve-2015-1863
%patch10 -p1 -b .rh1231973-dbus-fix-operations-for-p2p-mgmt
%patch11 -p1 -b .rh1241907-ndef-length
%patch12 -p1 -b .dbus-policy
%build
@ -113,7 +104,7 @@ pushd wpa_supplicant
LIBDIR="%{_libdir}" ; export LIBDIR ;
make %{_smp_mflags}
%if %{build_gui}
QTDIR=%{_libdir}/qt4 make wpa_gui-qt4 %{_smp_mflags}
QTDIR=%{_libdir}/qt4 make wpa_gui-qt4 %{_smp_mflags} QMAKE='%{qmake_qt4}' LRELEASE='%{_qt4_bindir}/lrelease'
%endif
make eapol_test
popd
@ -216,6 +207,9 @@ fi
%endif
%changelog
* Tue Oct 27 2015 Lubomir Rintel <lkundrak@v3.sk> - 1:2.5-1
- Update to version 2.5
* Fri Oct 23 2015 Lubomir Rintel <lkundrak@v3.sk> - 1:2.4-6
- Fix the D-Bus policy