diff options
Diffstat (limited to 'source/n/wpa_supplicant/patches/rh1497640-pae-validate-input-before-pointer.patch')
| -rw-r--r-- | source/n/wpa_supplicant/patches/rh1497640-pae-validate-input-before-pointer.patch | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/source/n/wpa_supplicant/patches/rh1497640-pae-validate-input-before-pointer.patch b/source/n/wpa_supplicant/patches/rh1497640-pae-validate-input-before-pointer.patch new file mode 100644 index 00000000..d99be04c --- /dev/null +++ b/source/n/wpa_supplicant/patches/rh1497640-pae-validate-input-before-pointer.patch @@ -0,0 +1,78 @@ +From 0ad5893a2f1f521d44712cd395e067ccf0a397c3 Mon Sep 17 00:00:00 2001 +From: Michael Braun <michael-dev@fami-braun.de> +Date: Fri, 18 Aug 2017 01:14:28 +0200 +Subject: PAE: Validate input before pointer + +ieee802_1x_kay_decode_mkpdu() calls ieee802_1x_mka_i_in_peerlist() +before body_len has been checked on all segments. + +ieee802_1x_kay_decode_mkpdu() and ieee802_1x_mka_i_in_peerlist() might +continue and thus underflow left_len even if it finds left_len to small +(or before checking). + +Additionally, ieee802_1x_mka_dump_peer_body() might perform out of bound +reads in this case. + +Fix this by checking left_len and aborting if too small early. + +Signed-off-by: Michael Braun <michael-dev@fami-braun.de> +--- + src/pae/ieee802_1x_kay.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c +index c4bfcbc..cad0292 100644 +--- a/src/pae/ieee802_1x_kay.c ++++ b/src/pae/ieee802_1x_kay.c +@@ -964,21 +964,19 @@ ieee802_1x_mka_i_in_peerlist(struct ieee802_1x_mka_participant *participant, + body_len = get_mka_param_body_len(hdr); + body_type = get_mka_param_body_type(hdr); + +- if (body_type != MKA_LIVE_PEER_LIST && +- body_type != MKA_POTENTIAL_PEER_LIST) +- continue; +- +- ieee802_1x_mka_dump_peer_body( +- (struct ieee802_1x_mka_peer_body *)pos); +- +- if (left_len < (MKA_HDR_LEN + body_len + DEFAULT_ICV_LEN)) { ++ if (left_len < (MKA_HDR_LEN + MKA_ALIGN_LENGTH(body_len) + DEFAULT_ICV_LEN)) { + wpa_printf(MSG_ERROR, + "KaY: MKA Peer Packet Body Length (%zu bytes) is less than the Parameter Set Header Length (%zu bytes) + the Parameter Set Body Length (%zu bytes) + %d bytes of ICV", + left_len, MKA_HDR_LEN, +- body_len, DEFAULT_ICV_LEN); +- continue; ++ MKA_ALIGN_LENGTH(body_len), ++ DEFAULT_ICV_LEN); ++ return FALSE; + } + ++ if (body_type != MKA_LIVE_PEER_LIST && ++ body_type != MKA_POTENTIAL_PEER_LIST) ++ continue; ++ + if ((body_len % 16) != 0) { + wpa_printf(MSG_ERROR, + "KaY: MKA Peer Packet Body Length (%zu bytes) should be a multiple of 16 octets", +@@ -986,6 +984,9 @@ ieee802_1x_mka_i_in_peerlist(struct ieee802_1x_mka_participant *participant, + continue; + } + ++ ieee802_1x_mka_dump_peer_body( ++ (struct ieee802_1x_mka_peer_body *)pos); ++ + for (i = 0; i < body_len; + i += sizeof(struct ieee802_1x_mka_peer_id)) { + const struct ieee802_1x_mka_peer_id *peer_mi; +@@ -3018,7 +3019,7 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay, + "KaY: MKA Peer Packet Body Length (%zu bytes) is less than the Parameter Set Header Length (%zu bytes) + the Parameter Set Body Length (%zu bytes) + %d bytes of ICV", + left_len, MKA_HDR_LEN, + body_len, DEFAULT_ICV_LEN); +- continue; ++ return -1; + } + + if (handled[body_type]) +-- +cgit v0.12 + |