zerochaos 15/04/27 18:26:39

Added: wpa_supplicant-2.4-cve-2015-1863.patch
Log:
add patch for bug #547492 while not loading arch teams working on bug #524928

(Portage version: 2.2.18/cvs/Linux x86_64, RepoMan options: --force, signed Manifest commit with key DD11F94A)

Revision Changes Path
1.1 net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-cve-2015-1863.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-cve-2015-1863.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-cve-2015-1863.patch?rev=1.1&content-type=text/plain

Index: wpa_supplicant-2.4-cve-2015-1863.patch
===================================================================
From 9ed4eee345f85e3025c33c6e20aa25696e341ccd Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@××××××××××××.com>
Date: Tue, 07 Apr 2015 08:32:11 +0000
Subject: P2P: Validate SSID element length before copying it (CVE-2015-1863)

This fixes a possible memcpy overflow for P2P dev->oper_ssid in
p2p_add_device(). The length provided by the peer device (0..255 bytes)
was used without proper bounds checking and that could have resulted in
arbitrary data of up to 223 bytes being written beyond the end of the
dev->oper_ssid[] array (of which about 150 bytes would be beyond the
heap allocation) when processing a corrupted management frame for P2P
peer discovery purposes.

This could result in corrupted state in heap, unexpected program
behavior due to corrupted P2P peer device information, denial of service
due to process crash, exposure of memory contents during GO Negotiation,
and potentially arbitrary code execution.

Thanks to Google security team for reporting this issue and smart
hardware research group of Alibaba security team for discovering it.

Signed-off-by: Jouni Malinen <jouni@××××××××××××.com>
---
diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c |
index f584fae..a45fe73 100644 |
--- a/src/p2p/p2p.c |
+++ b/src/p2p/p2p.c |
@@ -778,6 +778,7 @@ int p2p_add_device(struct p2p_data *p2p, const u8 *addr, int freq, |
if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0) |
os_memcpy(dev->interface_addr, addr, ETH_ALEN); |
if (msg.ssid && |
+ msg.ssid[1] <= sizeof(dev->oper_ssid) && |
(msg.ssid[1] != P2P_WILDCARD_SSID_LEN || |
os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN) |
!= 0)) { |
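Review bot: the new `msg.ssid[1] <= sizeof(dev->oper_ssid)` term inside the `if (msg.ssid && ...)` condition makes an over-long SSID element skip the copy silently, so a malformed frame from a peer leaves no trace in the logs. Consider testing the length on its own before this condition so the oversize case can emit a debug message naming the peer address and the rejected length, which gives operators something to detect on. Bounding against sizeof(dev->oper_ssid) rather than a literal is the right choice. Because the length byte is peer-controlled (0..255 per the commit message), it would also be worth rejecting it at the point where the SSID element is parsed into msg.ssid, so that any other reader of msg.ssid[1] is covered by the same check instead of relying on each call site.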
--
cgit v0.9.2