wpa_supplicant/CVE-2019-9495-pre2.patch

diff -Nur orig-wpa_supplicant-2.6/src/eap_common/eap_pwd_common.c wpa_supplicant-2.6/src/eap_common/eap_pwd_common.c
--- orig-wpa_supplicant-2.6/src/eap_common/eap_pwd_common.c	2020-02-04 00:21:51.805643103 +0800
+++ wpa_supplicant-2.6/src/eap_common/eap_pwd_common.c	2020-02-04 00:30:16.612332185 +0800
@@ -80,6 +80,26 @@
 	return 0;
 }
 
+EAP_PWD_group * get_eap_pwd_group(u16 num)
+{
+        EAP_PWD_group *grp;
+
+        grp = os_zalloc(sizeof(EAP_PWD_group));
+        if (!grp)
+                return NULL;
+        grp->group = crypto_ec_init(num);
+        if (!grp->group) {
+                wpa_printf(MSG_INFO, "EAP-pwd: unable to create EC group");
+                os_free(grp);
+                return NULL;
+        }
+
+        grp->group_num = num;
+        wpa_printf(MSG_INFO, "EAP-pwd: provisioned group %d", num);
+
+        return grp;
+}
++
 
 /*
  * compute a "random" secret point on an elliptic curve based
@@ -97,12 +117,8 @@
 	size_t primebytelen, primebitlen;
         struct crypto_bignum *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
 
-	grp->pwe = NULL;
-        grp->group = crypto_ec_init(num);
-        if (!grp->group) {
-                wpa_printf(MSG_INFO, "EAP-pwd: unable to create EC group");
-		goto fail;
-	}
+        if (grp->pwe)
+                return -1;
 
         cofactor = crypto_bignum_init();
         grp->pwe = crypto_ec_point_init(grp->group);
@@ -234,11 +250,8 @@
 		break;
 	}
 	wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %d tries", ctr);
-	grp->group_num = num;
 	if (0) {
  fail:
-                crypto_ec_deinit(grp->group);
-		grp->group = NULL;
                 crypto_ec_point_deinit(grp->pwe, 1);
 		grp->pwe = NULL;
 		ret = 1;
diff -Nur orig-wpa_supplicant-2.6/src/eap_common/eap_pwd_common.h wpa_supplicant-2.6/src/eap_common/eap_pwd_common.h
--- orig-wpa_supplicant-2.6/src/eap_common/eap_pwd_common.h	2020-02-04 00:21:51.805643103 +0800
+++ wpa_supplicant-2.6/src/eap_common/eap_pwd_common.h	2020-02-04 00:31:51.873594123 +0800
@@ -50,6 +50,7 @@
 } STRUCT_PACKED;
 
 /* common routines */
+EAP_PWD_group * get_eap_pwd_group(u16 num);
 int compute_password_element(EAP_PWD_group *grp, u16 num,
 			     const u8 *password, size_t password_len,
 			     const u8 *id_server, size_t id_server_len,
diff -Nur orig-wpa_supplicant-2.6/src/eap_peer/eap_pwd.c wpa_supplicant-2.6/src/eap_peer/eap_pwd.c
--- orig-wpa_supplicant-2.6/src/eap_peer/eap_pwd.c	2020-02-04 00:21:51.805643103 +0800
+++ wpa_supplicant-2.6/src/eap_peer/eap_pwd.c	2020-02-04 00:33:35.694969340 +0800
@@ -267,7 +267,7 @@
 	wpa_hexdump_ascii(MSG_INFO, "EAP-PWD (peer): server sent id of",
 			  data->id_server, data->id_server_len);
 
-	data->grp = os_zalloc(sizeof(EAP_PWD_group));
+        data->grp = get_eap_pwd_group(data->group_num);
 	if (data->grp == NULL) {
 		wpa_printf(MSG_INFO, "EAP-PWD: failed to allocate memory for "
 			   "group");
diff -Nur orig-wpa_supplicant-2.6/src/eap_server/eap_server_pwd.c wpa_supplicant-2.6/src/eap_server/eap_server_pwd.c
--- orig-wpa_supplicant-2.6/src/eap_server/eap_server_pwd.c	2020-02-04 00:21:51.805643103 +0800
+++ wpa_supplicant-2.6/src/eap_server/eap_server_pwd.c	2020-02-04 00:34:34.975754518 +0800
@@ -561,7 +561,7 @@
 	wpa_hexdump_ascii(MSG_DEBUG, "EAP-PWD (server): peer sent id of",
 			  data->id_peer, data->id_peer_len);
 
-	data->grp = os_zalloc(sizeof(EAP_PWD_group));
+        data->grp = get_eap_pwd_group(data->group_num);
 	if (data->grp == NULL) {
 		wpa_printf(MSG_INFO, "EAP-PWD: failed to allocate memory for "
 			   "group");
fix CVE-2019-9495 2020-02-04 08:53:30 +08:00			`diff -Nur orig-wpa_supplicant-2.6/src/eap_common/eap_pwd_common.c wpa_supplicant-2.6/src/eap_common/eap_pwd_common.c`
			`--- orig-wpa_supplicant-2.6/src/eap_common/eap_pwd_common.c 2020-02-04 00:21:51.805643103 +0800`
			`+++ wpa_supplicant-2.6/src/eap_common/eap_pwd_common.c 2020-02-04 00:30:16.612332185 +0800`
			`@@ -80,6 +80,26 @@`
			`return 0;`
			`}`

			`+EAP_PWD_group * get_eap_pwd_group(u16 num)`
			`+{`
			`+ EAP_PWD_group *grp;`
			`+`
			`+ grp = os_zalloc(sizeof(EAP_PWD_group));`
			`+ if (!grp)`
			`+ return NULL;`
			`+ grp->group = crypto_ec_init(num);`
			`+ if (!grp->group) {`
			`+ wpa_printf(MSG_INFO, "EAP-pwd: unable to create EC group");`
			`+ os_free(grp);`
			`+ return NULL;`
			`+ }`
			`+`
			`+ grp->group_num = num;`
			`+ wpa_printf(MSG_INFO, "EAP-pwd: provisioned group %d", num);`
			`+`
			`+ return grp;`
			`+}`
			`++`

			`/*`
			`* compute a "random" secret point on an elliptic curve based`
			`@@ -97,12 +117,8 @@`
			`size_t primebytelen, primebitlen;`
			`struct crypto_bignum x_candidate = NULL, rnd = NULL, *cofactor = NULL;`

			`- grp->pwe = NULL;`
			`- grp->group = crypto_ec_init(num);`
			`- if (!grp->group) {`
			`- wpa_printf(MSG_INFO, "EAP-pwd: unable to create EC group");`
			`- goto fail;`
			`- }`
			`+ if (grp->pwe)`
			`+ return -1;`

			`cofactor = crypto_bignum_init();`
			`grp->pwe = crypto_ec_point_init(grp->group);`
			`@@ -234,11 +250,8 @@`
			`break;`
			`}`
			`wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %d tries", ctr);`
			`- grp->group_num = num;`
			`if (0) {`
			`fail:`
			`- crypto_ec_deinit(grp->group);`
			`- grp->group = NULL;`
			`crypto_ec_point_deinit(grp->pwe, 1);`
			`grp->pwe = NULL;`
			`ret = 1;`
			`diff -Nur orig-wpa_supplicant-2.6/src/eap_common/eap_pwd_common.h wpa_supplicant-2.6/src/eap_common/eap_pwd_common.h`
			`--- orig-wpa_supplicant-2.6/src/eap_common/eap_pwd_common.h 2020-02-04 00:21:51.805643103 +0800`
			`+++ wpa_supplicant-2.6/src/eap_common/eap_pwd_common.h 2020-02-04 00:31:51.873594123 +0800`
			`@@ -50,6 +50,7 @@`
			`} STRUCT_PACKED;`

			`/* common routines */`
			`+EAP_PWD_group * get_eap_pwd_group(u16 num);`
			`int compute_password_element(EAP_PWD_group *grp, u16 num,`
			`const u8 *password, size_t password_len,`
			`const u8 *id_server, size_t id_server_len,`
			`diff -Nur orig-wpa_supplicant-2.6/src/eap_peer/eap_pwd.c wpa_supplicant-2.6/src/eap_peer/eap_pwd.c`
			`--- orig-wpa_supplicant-2.6/src/eap_peer/eap_pwd.c 2020-02-04 00:21:51.805643103 +0800`
			`+++ wpa_supplicant-2.6/src/eap_peer/eap_pwd.c 2020-02-04 00:33:35.694969340 +0800`
			`@@ -267,7 +267,7 @@`
			`wpa_hexdump_ascii(MSG_INFO, "EAP-PWD (peer): server sent id of",`
			`data->id_server, data->id_server_len);`

			`- data->grp = os_zalloc(sizeof(EAP_PWD_group));`
			`+ data->grp = get_eap_pwd_group(data->group_num);`
			`if (data->grp == NULL) {`
			`wpa_printf(MSG_INFO, "EAP-PWD: failed to allocate memory for "`
			`"group");`
			`diff -Nur orig-wpa_supplicant-2.6/src/eap_server/eap_server_pwd.c wpa_supplicant-2.6/src/eap_server/eap_server_pwd.c`
			`--- orig-wpa_supplicant-2.6/src/eap_server/eap_server_pwd.c 2020-02-04 00:21:51.805643103 +0800`
			`+++ wpa_supplicant-2.6/src/eap_server/eap_server_pwd.c 2020-02-04 00:34:34.975754518 +0800`
			`@@ -561,7 +561,7 @@`
			`wpa_hexdump_ascii(MSG_DEBUG, "EAP-PWD (server): peer sent id of",`
			`data->id_peer, data->id_peer_len);`

			`- data->grp = os_zalloc(sizeof(EAP_PWD_group));`
			`+ data->grp = get_eap_pwd_group(data->group_num);`
			`if (data->grp == NULL) {`
			`wpa_printf(MSG_INFO, "EAP-PWD: failed to allocate memory for "`
			`"group");`