summaryrefslogtreecommitdiffstats
path: root/source/n/wpa_supplicant/patches/rh1497640-pae-validate-input-before-pointer.patch
diff options
context:
space:
mode:
Diffstat (limited to 'source/n/wpa_supplicant/patches/rh1497640-pae-validate-input-before-pointer.patch')
-rw-r--r--source/n/wpa_supplicant/patches/rh1497640-pae-validate-input-before-pointer.patch78
1 files changed, 0 insertions, 78 deletions
diff --git a/source/n/wpa_supplicant/patches/rh1497640-pae-validate-input-before-pointer.patch b/source/n/wpa_supplicant/patches/rh1497640-pae-validate-input-before-pointer.patch
deleted file mode 100644
index d99be04c3..000000000
--- a/source/n/wpa_supplicant/patches/rh1497640-pae-validate-input-before-pointer.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 0ad5893a2f1f521d44712cd395e067ccf0a397c3 Mon Sep 17 00:00:00 2001
-From: Michael Braun <michael-dev@fami-braun.de>
-Date: Fri, 18 Aug 2017 01:14:28 +0200
-Subject: PAE: Validate input before pointer
-
-ieee802_1x_kay_decode_mkpdu() calls ieee802_1x_mka_i_in_peerlist()
-before body_len has been checked on all segments.
-
-ieee802_1x_kay_decode_mkpdu() and ieee802_1x_mka_i_in_peerlist() might
-continue and thus underflow left_len even if it finds left_len to small
-(or before checking).
-
-Additionally, ieee802_1x_mka_dump_peer_body() might perform out of bound
-reads in this case.
-
-Fix this by checking left_len and aborting if too small early.
-
-Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
----
- src/pae/ieee802_1x_kay.c | 23 ++++++++++++-----------
- 1 file changed, 12 insertions(+), 11 deletions(-)
-
-diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
-index c4bfcbc..cad0292 100644
---- a/src/pae/ieee802_1x_kay.c
-+++ b/src/pae/ieee802_1x_kay.c
-@@ -964,21 +964,19 @@ ieee802_1x_mka_i_in_peerlist(struct ieee802_1x_mka_participant *participant,
- body_len = get_mka_param_body_len(hdr);
- body_type = get_mka_param_body_type(hdr);
-
-- if (body_type != MKA_LIVE_PEER_LIST &&
-- body_type != MKA_POTENTIAL_PEER_LIST)
-- continue;
--
-- ieee802_1x_mka_dump_peer_body(
-- (struct ieee802_1x_mka_peer_body *)pos);
--
-- if (left_len < (MKA_HDR_LEN + body_len + DEFAULT_ICV_LEN)) {
-+ if (left_len < (MKA_HDR_LEN + MKA_ALIGN_LENGTH(body_len) + DEFAULT_ICV_LEN)) {
- wpa_printf(MSG_ERROR,
- "KaY: MKA Peer Packet Body Length (%zu bytes) is less than the Parameter Set Header Length (%zu bytes) + the Parameter Set Body Length (%zu bytes) + %d bytes of ICV",
- left_len, MKA_HDR_LEN,
-- body_len, DEFAULT_ICV_LEN);
-- continue;
-+ MKA_ALIGN_LENGTH(body_len),
-+ DEFAULT_ICV_LEN);
-+ return FALSE;
- }
-
-+ if (body_type != MKA_LIVE_PEER_LIST &&
-+ body_type != MKA_POTENTIAL_PEER_LIST)
-+ continue;
-+
- if ((body_len % 16) != 0) {
- wpa_printf(MSG_ERROR,
- "KaY: MKA Peer Packet Body Length (%zu bytes) should be a multiple of 16 octets",
-@@ -986,6 +984,9 @@ ieee802_1x_mka_i_in_peerlist(struct ieee802_1x_mka_participant *participant,
- continue;
- }
-
-+ ieee802_1x_mka_dump_peer_body(
-+ (struct ieee802_1x_mka_peer_body *)pos);
-+
- for (i = 0; i < body_len;
- i += sizeof(struct ieee802_1x_mka_peer_id)) {
- const struct ieee802_1x_mka_peer_id *peer_mi;
-@@ -3018,7 +3019,7 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay,
- "KaY: MKA Peer Packet Body Length (%zu bytes) is less than the Parameter Set Header Length (%zu bytes) + the Parameter Set Body Length (%zu bytes) + %d bytes of ICV",
- left_len, MKA_HDR_LEN,
- body_len, DEFAULT_ICV_LEN);
-- continue;
-+ return -1;
- }
-
- if (handled[body_type])
---
-cgit v0.12
-