!17 fix CVE-2021-27803

From: @angela7 Reviewed-by: @xiezhipeng1 Signed-off-by: @xiezhipeng1
2021-03-12 11:08:11 +08:00 · 2021-03-12 11:08:11 +08:00 · 0835829d66
commit 0835829d66
parent 78d8e617d1 2fd837fb71
2 changed files with 141 additions and 88 deletions
--- a/CVE-2021-27803.patch
+++ b/CVE-2021-27803.patch
@ -0,0 +1,50 @@
 From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
 From: Jouni Malinen <jouni@codeaurora.org>
 Date: Tue, 8 Dec 2020 23:52:50 +0200
 Subject: P2P: Fix a corner case in peer addition based on PD Request
 p2p_add_device() may remove the oldest entry if there is no room in the
 peer table for a new peer. This would result in any pointer to that
 removed entry becoming stale. A corner case with an invalid PD Request
 frame could result in such a case ending up using (read+write) freed
 memory. This could only by triggered when the peer table has reached its
 maximum size and the PD Request frame is received from the P2P Device
 Address of the oldest remaining entry and the frame has incorrect P2P
 Device Address in the payload.
 Fix this by fetching the dev pointer again after having called
 p2p_add_device() so that the stale pointer cannot be used.
 Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
 Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
 ---
 src/p2p/p2p_pd.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
 diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
 index 3994ec0..05fd593 100644
 --- a/src/p2p/p2p_pd.c
 +++ b/src/p2p/p2p_pd.c
@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
 			goto out;
 		}
 +		dev = p2p_get_device(p2p, sa);
 		if (!dev) {
 -			dev = p2p_get_device(p2p, sa);
 -			if (!dev) {
 -				p2p_dbg(p2p,
 -					"Provision Discovery device not found "
 -					MACSTR, MAC2STR(sa));
 -				goto out;
 -			}
 +			p2p_dbg(p2p,
 +				"Provision Discovery device not found "
 +				MACSTR, MAC2STR(sa));
 +			goto out;
 		}
 	} else if (msg.wfd_subelems) {
 		wpabuf_free(dev->info.wfd_subelems);
 -- 
 cgit v0.12
--- a/wpa_supplicant.spec
+++ b/wpa_supplicant.spec
@ -1,9 +1,9 @@
 Name:          wpa_supplicant
 Epoch:         1
 Version:       2.6
-Release:       27
+Release:       28
 Summary:       A WPA Supplicant with support for WPA and WPA2 (IEEE 802.11i / RSN)
-License:       BSD
+License:       BSD or GPLv2
 Url:           https://w1.fi/wpa_supplicant/
 Source0:       http://w1.fi/releases/%{name}-%{version}.tar.gz
 Source1:       build-config
@ -13,92 +13,92 @@ Source5:       %{name}.logrotate
 #patches number ranging between [0,6000) are from fedora/redhat upstream
 #patches number ranging between [6000,9000) are backport from higher versions, including some CVE fixes
-Patch6000:     macsec-0001-mka-Move-structs-transmit-receive-_-sa-sc-to-a-commo.patch
+Patch0:        macsec-0001-mka-Move-structs-transmit-receive-_-sa-sc-to-a-commo.patch
-Patch6001:     macsec-0002-mka-Pass-full-structures-down-to-macsec-drivers-pack.patch
+Patch1:        macsec-0002-mka-Pass-full-structures-down-to-macsec-drivers-pack.patch
-Patch6002:     macsec-0003-mka-Pass-full-structures-down-to-macsec-drivers-tran.patch
+Patch2:        macsec-0003-mka-Pass-full-structures-down-to-macsec-drivers-tran.patch
-Patch6003:     macsec-0004-mka-Pass-full-structures-down-to-macsec-drivers-rece.patch
+Patch3:        macsec-0004-mka-Pass-full-structures-down-to-macsec-drivers-rece.patch
-Patch6004:     macsec-0005-mka-Pass-full-structures-down-to-macsec-drivers-tran.patch
+Patch4:        macsec-0005-mka-Pass-full-structures-down-to-macsec-drivers-tran.patch
-Patch6005:     macsec-0006-mka-Pass-full-structures-down-to-macsec-drivers-rece.patch
+Patch5:        macsec-0006-mka-Pass-full-structures-down-to-macsec-drivers-rece.patch
-Patch6006:     macsec-0007-mka-Add-driver-op-to-get-macsec-capabilities.patch
+Patch6:        macsec-0007-mka-Add-driver-op-to-get-macsec-capabilities.patch
-Patch6007:     macsec-0008-mka-Remove-channel-hacks-from-the-stack-and-the-macs.patch
+Patch7:        macsec-0008-mka-Remove-channel-hacks-from-the-stack-and-the-macs.patch
-Patch6008:     macsec-0009-mka-Sync-structs-definitions-with-IEEE-Std-802.1X-20.patch
+Patch8:        macsec-0009-mka-Sync-structs-definitions-with-IEEE-Std-802.1X-20.patch
-Patch6009:     macsec-0010-mka-Add-support-for-removing-SAs.patch
+Patch9:        macsec-0010-mka-Add-support-for-removing-SAs.patch
-Patch6010:     macsec-0011-mka-Implement-reference-counting-on-data_key.patch
+Patch10:       macsec-0011-mka-Implement-reference-counting-on-data_key.patch
-Patch6011:     macsec-0012-mka-Fix-getting-capabilities-from-the-driver.patch
+Patch11:       macsec-0012-mka-Fix-getting-capabilities-from-the-driver.patch
-Patch6012:     macsec-0013-wpa_supplicant-Allow-pre-shared-CAK-CKN-pair-for-MKA.patch
+Patch12:       macsec-0013-wpa_supplicant-Allow-pre-shared-CAK-CKN-pair-for-MKA.patch
-Patch6013:     macsec-0014-mka-Disable-peer-detection-timeout-for-PSK-mode.patch
+Patch13:       macsec-0014-mka-Disable-peer-detection-timeout-for-PSK-mode.patch
-Patch6014:     macsec-0015-wpa_supplicant-Add-macsec_integ_only-setting-for-MKA.patch
+Patch14:       macsec-0015-wpa_supplicant-Add-macsec_integ_only-setting-for-MKA.patch
-Patch6015:     macsec-0016-mka-Add-enable_encrypt-op-and-call-it-from-CP-state-.patch
+Patch15:       macsec-0016-mka-Add-enable_encrypt-op-and-call-it-from-CP-state-.patch
-Patch6016:     macsec-0017-wpa_supplicant-Allow-configuring-the-MACsec-port-for.patch
+Patch16:       macsec-0017-wpa_supplicant-Allow-configuring-the-MACsec-port-for.patch
-Patch6017:     macsec-0018-drivers-Move-common-definitions-for-wired-drivers-ou.patch
+Patch17:       macsec-0018-drivers-Move-common-definitions-for-wired-drivers-ou.patch
-Patch6018:     macsec-0019-drivers-Move-wired_multicast_membership-to-a-common-.patch
+Patch18:       macsec-0019-drivers-Move-wired_multicast_membership-to-a-common-.patch
-Patch6019:     macsec-0020-drivers-Move-driver_wired_multi-to-a-common-file.patch
+Patch19:       macsec-0020-drivers-Move-driver_wired_multi-to-a-common-file.patch
-Patch6020:     macsec-0021-drivers-Move-driver_wired_get_ifflags-to-a-common-fi.patch
+Patch20:       macsec-0021-drivers-Move-driver_wired_get_ifflags-to-a-common-fi.patch
-Patch6021:     macsec-0022-drivers-Move-driver_wired_set_ifflags-to-a-common-fi.patch
+Patch21:       macsec-0022-drivers-Move-driver_wired_set_ifflags-to-a-common-fi.patch
-Patch6022:     macsec-0023-drivers-Move-driver_wired_get_ifstatus-to-a-common-f.patch
+Patch22:       macsec-0023-drivers-Move-driver_wired_get_ifstatus-to-a-common-f.patch
-Patch6023:     macsec-0024-drivers-Move-driver_wired_init_common-to-a-common-fi.patch
+Patch23:       macsec-0024-drivers-Move-driver_wired_init_common-to-a-common-fi.patch
-Patch6024:     macsec-0025-drivers-Move-driver_wired_deinit_common-to-a-common-.patch
+Patch24:       macsec-0025-drivers-Move-driver_wired_deinit_common-to-a-common-.patch
-Patch6025:     macsec-0026-drivers-Move-driver_wired_get_capa-to-a-common-file.patch
+Patch25:       macsec-0026-drivers-Move-driver_wired_get_capa-to-a-common-file.patch
-Patch6026:     macsec-0027-drivers-Move-driver_wired_get_bssid-to-a-common-file.patch
+Patch26:       macsec-0027-drivers-Move-driver_wired_get_bssid-to-a-common-file.patch
-Patch6027:     macsec-0028-drivers-Move-driver_wired_get_ssid-to-a-common-file.patch
+Patch27:       macsec-0028-drivers-Move-driver_wired_get_ssid-to-a-common-file.patch
-Patch6028:     macsec-0029-macsec_linux-Add-a-driver-for-macsec-on-Linux-kernel.patch
+Patch28:       macsec-0029-macsec_linux-Add-a-driver-for-macsec-on-Linux-kernel.patch
-Patch6029:     macsec-0030-mka-Remove-references-to-macsec_qca-from-wpa_supplic.patch
+Patch29:       macsec-0030-mka-Remove-references-to-macsec_qca-from-wpa_supplic.patch
-Patch6030:     macsec-0031-PAE-Make-KaY-specific-details-available-via-control-.patch
+Patch30:       macsec-0031-PAE-Make-KaY-specific-details-available-via-control-.patch
-Patch6031:     macsec-0032-mka-Make-MKA-actor-priority-configurable.patch
+Patch31:       macsec-0032-mka-Make-MKA-actor-priority-configurable.patch
-Patch6032:     macsec-0033-mka-Fix-an-incorrect-update-of-participant-to_use_sa.patch
+Patch32:       macsec-0033-mka-Fix-an-incorrect-update-of-participant-to_use_sa.patch
-Patch6033:     macsec-0034-mka-Some-bug-fixes-for-MACsec-in-PSK-mode.patch
+Patch33:       macsec-0034-mka-Some-bug-fixes-for-MACsec-in-PSK-mode.patch
-Patch6034:     macsec-0035-mka-Send-MKPDUs-forever-if-mode-is-PSK.patch
+Patch34:       macsec-0035-mka-Send-MKPDUs-forever-if-mode-is-PSK.patch
-Patch6035:     macsec-0036-mka-Fix-the-order-of-operations-in-secure-channel-de.patch
+Patch35:       macsec-0036-mka-Fix-the-order-of-operations-in-secure-channel-de.patch
-Patch6036:     macsec-0037-mka-Fix-use-after-free-when-receive-secure-channels-.patch
+Patch36:       macsec-0037-mka-Fix-use-after-free-when-receive-secure-channels-.patch
-Patch6037:     macsec-0038-mka-Fix-use-after-free-when-transmit-secure-channels.patch
+Patch37:       macsec-0038-mka-Fix-use-after-free-when-transmit-secure-channels.patch
-Patch6038:     macsec-0039-macsec_linux-Fix-NULL-pointer-dereference-on-error-c.patch
+Patch38:       macsec-0039-macsec_linux-Fix-NULL-pointer-dereference-on-error-c.patch
-Patch6039:     rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
+Patch39:       rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
-Patch6040:     rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
+Patch40:       rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
-Patch6041:     rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
+Patch41:       rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
-Patch6042:     rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
+Patch42:       rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
-Patch6043:     rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
+Patch43:       rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
-Patch6044:     rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
+Patch44:       rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
-Patch6045:     rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
+Patch45:       rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
-Patch6046:     rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
+Patch46:       rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
-Patch6047:     rh1451834-nl80211-Fix-race-condition-in-detecting-MAC-change.patch
+Patch47:       rh1451834-nl80211-Fix-race-condition-in-detecting-MAC-change.patch
-Patch6048:     rh1462262-use-system-openssl-ciphers.patch
+Patch48:       rh1462262-use-system-openssl-ciphers.patch
-Patch6049:     rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch
+Patch49:       rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch
-Patch6050:     rh1497640-mka-add-error-handling-for-secy_init_macsec.patch
+Patch50:       rh1497640-mka-add-error-handling-for-secy_init_macsec.patch
-Patch6051:     rh1497640-pae-validate-input-before-pointer.patch
+Patch51:       rh1497640-pae-validate-input-before-pointer.patch
-Patch6052:     rh1567474-0002-D-Bus-Add-pmf-to-global-capabilities.patch
+Patch52:       rh1567474-0002-D-Bus-Add-pmf-to-global-capabilities.patch
-Patch6053:     rh1570903-nl80211-Fix-NL80211_ATTR_SMPS_MODE-encoding.patch
+Patch53:       rh1570903-nl80211-Fix-NL80211_ATTR_SMPS_MODE-encoding.patch
-Patch6054:     CVE-2019-9496-SAE-Fix-confirm-message-validation-in-error-cases.patch
+Patch54:       CVE-2019-9496-SAE-Fix-confirm-message-validation-in-error-cases.patch
-Patch6055:     CVE-2019-9494-1.patch
+Patch55:       CVE-2019-9494-1.patch
-Patch6056:     CVE-2019-9494-2.patch
+Patch56:       CVE-2019-9494-2.patch
-Patch6057:     CVE-2019-9494-3.patch
+Patch57:       CVE-2019-9494-3.patch
-Patch6058:     CVE-2019-9494-4.patch
+Patch58:       CVE-2019-9494-4.patch
-Patch6059:     CVE-2019-9494-5.patch
+Patch59:       CVE-2019-9494-5.patch
-Patch6060:     CVE-2019-9494-6.patch
+Patch60:       CVE-2019-9494-6.patch
-Patch6061:     CVE-2019-9494-7.patch
+Patch61:       CVE-2019-9494-7.patch
-Patch6062:     CVE-2019-9494-8.patch
+Patch62:       CVE-2019-9494-8.patch
-Patch6063:     CVE-2019-16275.patch
+Patch63:       CVE-2019-16275.patch
-Patch6064:     CVE-2019-9497.patch
+Patch64:       CVE-2019-9497.patch
-Patch6065:     CVE-2019-9498-and-CVE-2019-9499.patch
+Patch65:       CVE-2019-9498-and-CVE-2019-9499.patch
-Patch6066:     CVE-2019-11555-1.patch
+Patch66:       CVE-2019-11555-1.patch
-Patch6067:     CVE-2019-11555-2.patch
+Patch67:       CVE-2019-11555-2.patch
-Patch6068:     rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
+Patch68:       rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
-Patch6069:     CVE-2019-9499.patch
+Patch69:       CVE-2019-9499.patch
-Patch6070:     CVE-2019-9495-pre1.patch
+Patch70:       CVE-2019-9495-pre1.patch
-Patch6071:     CVE-2019-9495-pre2.patch
+Patch71:       CVE-2019-9495-pre2.patch
-Patch6072:     CVE-2019-9495-pre3.patch
+Patch72:       CVE-2019-9495-pre3.patch
-Patch6073:     CVE-2019-9495.patch
+Patch73:       CVE-2019-9495.patch
-Patch6074:     CVE-2019-13377-1.patch
+Patch74:       CVE-2019-13377-1.patch
-Patch6075:     CVE-2019-13377-2-pre1.patch
+Patch75:       CVE-2019-13377-2-pre1.patch
-Patch6076:     CVE-2019-13377-2-pre.patch
+Patch76:       CVE-2019-13377-2-pre.patch
-Patch6077:     CVE-2019-13377-2.patch
+Patch77:       CVE-2019-13377-2.patch
-Patch6078:     CVE-2019-13377-3.patch
+Patch78:       CVE-2019-13377-3.patch
-Patch6079:     CVE-2019-13377-4.patch
+Patch79:       CVE-2019-13377-4.patch
-Patch60710:    CVE-2019-13377-5.patch
+Patch80:       CVE-2019-13377-5.patch
-Patch60711:    CVE-2019-13377-6-pre.patch
+Patch81:       CVE-2019-13377-6-pre.patch
-Patch60712:    CVE-2019-13377-6.patch
+Patch82:       CVE-2019-13377-6.patch
-
+Patch83:       add-options-of-wpa_supplicant-service.patch
-Patch9000:     add-options-of-wpa_supplicant-service.patch
+Patch84:       allow-to-override-names-of-qt4-tools.patch
-Patch9001:     allow-to-override-names-of-qt4-tools.patch
+Patch85:       CVE-2021-27803.patch
 BuildRequires: qt-devel >= 4.0 openssl-devel readline-devel dbus-devel libnl3-devel systemd-units docbook-utils
 Requires(post): systemd-sysv
@ -192,6 +192,9 @@ install -m644 %{name}/doc/docbook/*.5 %{buildroot}%{_mandir}/man5
 %{_mandir}/man5/*
 %changelog
 * Thu Mar 11 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:2.6-28
 - fix CVE-2021-27803
 * Thu Dec 24 2020 wuchaochao <wuchaochao4@huawei.com> - 1:2.6-27
 - Type:cves
 - ID: CVE-2019-13377