| 1 |
zerochaos 15/04/27 18:26:39 |
| 2 |
|
| 3 |
Added: wpa_supplicant-2.4-cve-2015-1863.patch |
| 4 |
Log: |
| 5 |
add patch for bug #547492 while not loading arch teams working on bug #524928 |
| 6 |
|
| 7 |
(Portage version: 2.2.18/cvs/Linux x86_64, RepoMan options: --force, signed Manifest commit with key DD11F94A) |
| 8 |
|
| 9 |
Revision Changes Path |
| 10 |
1.1 net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-cve-2015-1863.patch |
| 11 |
|
| 12 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-cve-2015-1863.patch?rev=1.1&view=markup |
| 13 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-cve-2015-1863.patch?rev=1.1&content-type=text/plain |
| 14 |
|
| 15 |
Index: wpa_supplicant-2.4-cve-2015-1863.patch |
| 16 |
=================================================================== |
| 17 |
From 9ed4eee345f85e3025c33c6e20aa25696e341ccd Mon Sep 17 00:00:00 2001 |
| 18 |
From: Jouni Malinen <jouni@××××××××××××.com> |
| 19 |
Date: Tue, 07 Apr 2015 08:32:11 +0000 |
| 20 |
Subject: P2P: Validate SSID element length before copying it (CVE-2015-1863) |
| 21 |
|
| 22 |
This fixes a possible memcpy overflow for P2P dev->oper_ssid in |
| 23 |
p2p_add_device(). The length provided by the peer device (0..255 bytes) |
| 24 |
was used without proper bounds checking and that could have resulted in |
| 25 |
arbitrary data of up to 223 bytes being written beyond the end of the |
| 26 |
dev->oper_ssid[] array (of which about 150 bytes would be beyond the |
| 27 |
heap allocation) when processing a corrupted management frame for P2P |
| 28 |
peer discovery purposes. |
| 29 |
|
| 30 |
This could result in corrupted state in heap, unexpected program |
| 31 |
behavior due to corrupted P2P peer device information, denial of service |
| 32 |
due to process crash, exposure of memory contents during GO Negotiation, |
| 33 |
and potentially arbitrary code execution. |
| 34 |
|
| 35 |
Thanks to Google security team for reporting this issue and smart |
| 36 |
hardware research group of Alibaba security team for discovering it. |
| 37 |
|
| 38 |
Signed-off-by: Jouni Malinen <jouni@××××××××××××.com> |
| 39 |
--- |
| 40 |
diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c |
| 41 |
index f584fae..a45fe73 100644 |
| 42 |
--- a/src/p2p/p2p.c |
| 43 |
+++ b/src/p2p/p2p.c |
| 44 |
@@ -778,6 +778,7 @@ int p2p_add_device(struct p2p_data *p2p, const u8 *addr, int freq, |
| 45 |
if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0) |
| 46 |
os_memcpy(dev->interface_addr, addr, ETH_ALEN); |
| 47 |
if (msg.ssid && |
| 48 |
+ msg.ssid[1] <= sizeof(dev->oper_ssid) && |
| 49 |
(msg.ssid[1] != P2P_WILDCARD_SSID_LEN || |
| 50 |
os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN) |
| 51 |
!= 0)) { |
| 52 |
-- |
| 53 |
cgit v0.9.2 |
Archives