diff options
| author | Mark H Weaver <mhw@netris.org> | 2015-05-11 12:46:31 -0400 |
|---|---|---|
| committer | Mark H Weaver <mhw@netris.org> | 2015-05-11 12:51:47 -0400 |
| commit | d48c8e7b6070a63dc12ead0bb9ea47b790e237f0 (patch) | |
| tree | addb863d86c362a9287f9277bdc65d79620ab306 /gnu/packages/patches/wpa-supplicant-2015-3-fix.patch | |
| parent | 1ec78e9d71d7c38c5739c90d3927e227bce23caa (diff) | |
gnu: wpa-supplicant: Add security fixes.
* gnu/packages/patches/wpa-supplicant-2015-2-fix.patch,
gnu/packages/patches/wpa-supplicant-2015-3-fix.patch,
gnu/packages/patches/wpa-supplicant-2015-4-fix-pt1.patch,
gnu/packages/patches/wpa-supplicant-2015-4-fix-pt2.patch,
gnu/packages/patches/wpa-supplicant-2015-4-fix-pt3.patch,
gnu/packages/patches/wpa-supplicant-2015-4-fix-pt4.patch,
gnu/packages/patches/wpa-supplicant-2015-4-fix-pt5.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/admin.scm (wpa-supplicant-light)[source]: Add patches.
Diffstat (limited to 'gnu/packages/patches/wpa-supplicant-2015-3-fix.patch')
| -rw-r--r-- | gnu/packages/patches/wpa-supplicant-2015-3-fix.patch | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/gnu/packages/patches/wpa-supplicant-2015-3-fix.patch b/gnu/packages/patches/wpa-supplicant-2015-3-fix.patch new file mode 100644 index 0000000000..de042f0c49 --- /dev/null +++ b/gnu/packages/patches/wpa-supplicant-2015-3-fix.patch @@ -0,0 +1,43 @@ +Patch copied from http://w1.fi/security/2015-3/ + +From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Wed, 29 Apr 2015 02:21:53 +0300 +Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser + +The length of the WMM Action frame was not properly validated and the +length of the information elements (int left) could end up being +negative. This would result in reading significantly past the stack +buffer while parsing the IEs in ieee802_11_parse_elems() and while doing +so, resulting in segmentation fault. + +This can result in an invalid frame being used for a denial of service +attack (hostapd process killed) against an AP with a driver that uses +hostapd for management frame processing (e.g., all mac80211-based +drivers). + +Thanks to Kostya Kortchinsky of Google security team for discovering and +reporting this issue. + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + src/ap/wmm.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/ap/wmm.c b/src/ap/wmm.c +index 6d4177c..314e244 100644 +--- a/src/ap/wmm.c ++++ b/src/ap/wmm.c +@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd, + return; + } + ++ if (left < 0) ++ return; /* not a valid WMM Action frame */ ++ + /* extract the tspec info element */ + if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) { + hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, +-- +1.9.1 + |