Verified Commit 7a06f6e7 authored by Jan Pavlinec's avatar Jan Pavlinec
Browse files

hostapd: add patch to fix P2P group information processing vulnerability

A vulnerability was discovered in how wpa_supplicant processing P2P
(Wi-Fi Direct) group information from active group owners.
This issue was discovered by fuzz testing of wpa_supplicant by Google's
OSS-Fuzz.

https://w1.fi/security/2020-2/wpa_supplicant-p2p-group-info-processing-vulnerability.txt

Signed-off-by: Daniel Golle's avatarDaniel Golle <daniel@makrotopia.org>
[added the missing patch]
Signed-off-by: Petr Štetiar's avatarPetr Štetiar <ynezz@true.cz>
(cherry-picked from commit 7c8c4f1)
Signed-off-by: Jan Pavlinec's avatarJan Pavlinec <jan.pavlinec@nic.cz>
parent 7f4d23ff
......@@ -7,7 +7,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=hostapd
PKG_RELEASE:=8
PKG_RELEASE:=9
PKG_SOURCE_URL:=http://w1.fi/hostap.git
PKG_SOURCE_PROTO:=git
......
From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Mon, 9 Nov 2020 11:43:12 +0200
Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
client
Parsing and copying of WPS secondary device types list was verifying
that the contents is not too long for the internal maximum in the case
of WPS messages, but similar validation was missing from the case of P2P
group information which encodes this information in a different
attribute. This could result in writing beyond the memory area assigned
for these entries and corrupting memory within an instance of struct
p2p_device. This could result in invalid operations and unexpected
behavior when trying to free pointers from that corrupted memory.
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
src/p2p/p2p.c | 2 ++
1 file changed, 2 insertions(+)
--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct
dev->info.config_methods = cli->config_methods;
os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
+ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
+ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
dev->info.wps_sec_dev_type_list_len);
}
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment