Source-Changes-HG archive
[src/trunk]: src/external/bsd/wpa/dist/wpa_supplicant Apply patch by Jouni Ma...
details: https://anonhg.NetBSD.org/src/rev/15c159b321ab
branches: trunk
changeset: 341534:15c159b321ab
user: christos <christos%NetBSD.org@localhost>
date: Tue Nov 10 18:39:40 2015 +0000
description:
Apply patch by Jouni Malinen. We don't have CONFIG_EAP_PWD enabled so we are
not affected:

EAP-pwd peer error path failure on unexpected Confirm message

Published: November 10, 2015
Identifier: CVE-2015-5316
Latest version available from: http://w1.fi/security/2015-8/

Vulnerability

A vulnerability was found in EAP-pwd peer implementation used in
wpa_supplicant. If an EAP-pwd Confirm message is received unexpectedly
before the Identity exchange, the error path processing ended up
dereferencing a NULL pointer and terminating the process.

For wpa_supplicant with EAP-pwd enabled in a network configuration
profile, this could allow a denial of service attack by an attacker
within radio range.

Vulnerable versions/configurations

wpa_supplicant v2.3-v2.5 with CONFIG_EAP_PWD=y in the build
configuration (wpa_supplicant/.config) and EAP-pwd enabled in a network
profile at runtime.

Possible mitigation steps

- Merge the following commits and rebuild wpa_supplicant:
  EAP-pwd peer: Fix error path for unexpected Confirm message
  This patch is available from http://w1.fi/security/2015-8/
- Update to wpa_supplicant v2.6 or newer, once available
- Remove CONFIG_EAP_PWD=y from build configuration
- Disable EAP-pwd in runtime configuration

diffstat:
external/bsd/wpa/dist/wpa_supplicant/wnm_sta.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diffs (16 lines):
diff -r a218047edde7 -r 15c159b321ab external/bsd/wpa/dist/wpa_supplicant/wnm_sta.c
--- a/external/bsd/wpa/dist/wpa_supplicant/wnm_sta.c Tue Nov 10 18:22:46 2015 +0000
+++ b/external/bsd/wpa/dist/wpa_supplicant/wnm_sta.c Tue Nov 10 18:39:40 2015 +0000
@@ -187,6 +187,12 @@
end = ptr + key_len_total;
wpa_hexdump_key(MSG_DEBUG, "WNM: Key Data", ptr, key_len_total);
+ if (key_len_total && !wpa_sm_pmf_enabled(wpa_s->wpa)) {
+ wpa_msg(wpa_s, MSG_INFO,
+ "WNM: Ignore Key Data in WNM-Sleep Mode Response - PMF not enabled");
+ return;
+ }
+
while (ptr + 1 < end) {
if (ptr + 2 + ptr[1] > end) {
wpa_printf(MSG_DEBUG, "WNM: Invalid Key Data element "
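Review bot: the check added before the `while (ptr + 1 < end)` loop in wnm_sta.c is a WNM-Sleep Mode Response fix, not the EAP-pwd peer error path fix (CVE-2015-5316) that the commit description cites, so the description should name the WNM change instead. The "not affected" reasoning based on CONFIG_EAP_PWD does not cover this code path; exposure here depends on whether WNM is built and whether PMF is enabled. Separately, the new check sits after `wpa_hexdump_key(MSG_DEBUG, "WNM: Key Data", ptr, key_len_total)`, so Key Data that is about to be ignored is still dumped; consider moving the check above the hexdump.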