packages/wpa_supplicant
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2021-0326

Browse Source
This commit is contained in:
gaoyusong 2021-09-22 17:29:21 +08:00
parent 0835829d66
commit 237a344e72
2 changed files with 46 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
CVE-2021-0326.patch Normal file
View File

@ -0,0 +1,38 @@
From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Mon, 9 Nov 2020 11:43:12 +0200
Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
client
Parsing and copying of WPS secondary device types list was verifying
that the contents is not too long for the internal maximum in the case
of WPS messages, but similar validation was missing from the case of P2P
group information which encodes this information in a different
attribute. This could result in writing beyond the memory area assigned
for these entries and corrupting memory within an instance of struct
p2p_device. This could result in invalid operations and unexpected
behavior when trying to free pointers from that corrupted memory.
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
src/p2p/p2p.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
index 74b7b52..5cbfc21 100644
--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
dev->info.config_methods = cli->config_methods;
os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
+ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
+ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
dev->info.wps_sec_dev_type_list_len);
}
--
1.8.3.1

9
wpa_supplicant.spec
View File

@ -1,7 +1,7 @@
Name: wpa_supplicant Name: wpa_supplicant
Epoch: 1 Epoch: 1
Version: 2.6 Version: 2.6
Release: 28 Release: 29
Summary: A WPA Supplicant with support for WPA and WPA2 (IEEE 802.11i / RSN) Summary: A WPA Supplicant with support for WPA and WPA2 (IEEE 802.11i / RSN)
License: BSD or GPLv2 License: BSD or GPLv2
Url: https://w1.fi/wpa_supplicant/ Url: https://w1.fi/wpa_supplicant/
@ -99,6 +99,7 @@ Patch82: CVE-2019-13377-6.patch
Patch83: add-options-of-wpa_supplicant-service.patch Patch83: add-options-of-wpa_supplicant-service.patch
Patch84: allow-to-override-names-of-qt4-tools.patch Patch84: allow-to-override-names-of-qt4-tools.patch
Patch85: CVE-2021-27803.patch Patch85: CVE-2021-27803.patch
Patch86: CVE-2021-0326.patch
BuildRequires: qt-devel >= 4.0 openssl-devel readline-devel dbus-devel libnl3-devel systemd-units docbook-utils BuildRequires: qt-devel >= 4.0 openssl-devel readline-devel dbus-devel libnl3-devel systemd-units docbook-utils
Requires(post): systemd-sysv Requires(post): systemd-sysv
@ -192,6 +193,12 @@ install -m644 %{name}/doc/docbook/*.5 %{buildroot}%{_mandir}/man5
%{_mandir}/man5/* %{_mandir}/man5/*
%changelog %changelog
* Wed Sep 22 2021 gaoyusong <gaoyusong1@huawei.com> - 1:2.6-29
- Type:cves
- ID: CVE-2021-0326
- SUG:NA
- DESC: fix CVE-2021-0326
* Thu Mar 11 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:2.6-28 * Thu Mar 11 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:2.6-28
- fix CVE-2021-27803 - fix CVE-2021-27803