author Mark H Weaver <mhw@netris.org> 2015-05-11 12:46:31 -0400
committer Mark H Weaver <mhw@netris.org> 2015-05-11 12:51:47 -0400
commit d48c8e7b6070a63dc12ead0bb9ea47b790e237f0 (patch)
tree addb863d86c362a9287f9277bdc65d79620ab306 /gnu/packages/patches/wpa-supplicant-2015-3-fix.patch
parent 1ec78e9d71d7c38c5739c90d3927e227bce23caa (diff)
gnu: wpa-supplicant: Add security fixes.
* gnu/packages/patches/wpa-supplicant-2015-2-fix.patch,
  gnu/packages/patches/wpa-supplicant-2015-3-fix.patch,
  gnu/packages/patches/wpa-supplicant-2015-4-fix-pt1.patch,
  gnu/packages/patches/wpa-supplicant-2015-4-fix-pt2.patch,
  gnu/packages/patches/wpa-supplicant-2015-4-fix-pt3.patch,
  gnu/packages/patches/wpa-supplicant-2015-4-fix-pt4.patch,
  gnu/packages/patches/wpa-supplicant-2015-4-fix-pt5.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/admin.scm (wpa-supplicant-light)[source]: Add patches.
Diffstat (limited to 'gnu/packages/patches/wpa-supplicant-2015-3-fix.patch')
-rw-r--r-- gnu/packages/patches/wpa-supplicant-2015-3-fix.patch 43
1 files changed, 43 insertions, 0 deletions
diff --git a/gnu/packages/patches/wpa-supplicant-2015-3-fix.patch b/gnu/packages/patches/wpa-supplicant-2015-3-fix.patch
new file mode 100644
index 0000000000..de042f0c49
--- /dev/null
+++ b/gnu/packages/patches/wpa-supplicant-2015-3-fix.patch
@@ -0,0 +1,43 @@
+Patch copied from http://w1.fi/security/2015-3/
+
+From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Wed, 29 Apr 2015 02:21:53 +0300
+Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser
+
+The length of the WMM Action frame was not properly validated and the
+length of the information elements (int left) could end up being
+negative. This would result in reading significantly past the stack
+buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
+so, resulting in segmentation fault.
+
+This can result in an invalid frame being used for a denial of service
+attack (hostapd process killed) against an AP with a driver that uses
+hostapd for management frame processing (e.g., all mac80211-based
+drivers).
+
+Thanks to Kostya Kortchinsky of Google security team for discovering and
+reporting this issue.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/wmm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/ap/wmm.c b/src/ap/wmm.c
+index 6d4177c..314e244 100644
+--- a/src/ap/wmm.c
++++ b/src/ap/wmm.c
+@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd,
+ 		return;
+ 	}
+ 
++	if (left < 0)
++		return; /* not a valid WMM Action frame */
++
+ 	/* extract the tspec info element */
+ 	if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) {
+ 		hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
+-- 
+1.9.1
+
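Review bot: The added `if (left < 0) return;` branch in hostapd_wmm_action() drops the malformed frame silently, while the parse-failure path directly below it reports through hostapd_logger(). A debug-level log line on this branch that includes mgmt->sa would make frames that hit the underflow visible to operators, which is useful given that the commit message describes the condition as a denial of service against the AP. Separately, the provenance line at the top of the file names only the directory http://w1.fi/security/2015-3/ over plain http; recording the exact file name fetched, next to the upstream commit id ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae already present in the From line, would make the copy easier to re-verify.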