Source-Changes-HG archive


[src/trunk]: src/external/bsd/wpa/dist/src/common Explicitly verify that own ...



details:   https://anonhg.NetBSD.org/src/rev/cfb5966623bd
branches:  trunk
changeset: 998199:cfb5966623bd
user:      christos <christos%NetBSD.org@localhost>
date:      Wed Apr 10 17:52:46 2019 +0000

description:
Explicitly verify that own and peer commit scalar/element are available
when trying to check SAE confirm message. It could have been possible to
hit a NULL pointer dereference if the peer element could not have been
parsed. (CVE-2019-9496)

diffstat:

 external/bsd/wpa/dist/src/common/sae.c |  14 +++++++++++---
 1 files changed, 11 insertions(+), 3 deletions(-)

diffs (38 lines):

diff -r d8e3167d1352 -r cfb5966623bd external/bsd/wpa/dist/src/common/sae.c
--- a/external/bsd/wpa/dist/src/common/sae.c    Wed Apr 10 17:50:27 2019 +0000
+++ b/external/bsd/wpa/dist/src/common/sae.c    Wed Apr 10 17:52:46 2019 +0000
@@ -1394,23 +1394,31 @@
 
        wpa_printf(MSG_DEBUG, "SAE: peer-send-confirm %u", WPA_GET_LE16(data));
 
-       if (sae->tmp == NULL) {
+       if (!sae->tmp || !sae->peer_commit_scalar ||
+           !sae->tmp->own_commit_scalar) {
                wpa_printf(MSG_DEBUG, "SAE: Temporary data not yet available");
                return -1;
        }
 
-       if (sae->tmp->ec)
+       if (sae->tmp->ec) {
+               if (!sae->tmp->peer_commit_element_ecc ||
+                   !sae->tmp->own_commit_element_ecc)
+                       return -1;
                sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar,
                                   sae->tmp->peer_commit_element_ecc,
                                   sae->tmp->own_commit_scalar,
                                   sae->tmp->own_commit_element_ecc,
                                   verifier);
-       else
+       } else {
+               if (!sae->tmp->peer_commit_element_ffc ||
+                   !sae->tmp->own_commit_element_ffc)
+                       return -1;
                sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar,
                                   sae->tmp->peer_commit_element_ffc,
                                   sae->tmp->own_commit_scalar,
                                   sae->tmp->own_commit_element_ffc,
                                   verifier);
+       }
 
        if (os_memcmp_const(verifier, data + 2, SHA256_MAC_LEN) != 0) {
                wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch");
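Review bot: The new inner checks in both the `sae->tmp->ec` branch and the `else` branch `return -1` without logging, whereas the outer check just above them emits "SAE: Temporary data not yet available". A confirm that is rejected because a peer or own commit element is missing will therefore leave no trace in debug output, which makes this failure path hard to tell apart from other rejections when triaging. Suggest a `wpa_printf(MSG_DEBUG, ...)` before each of the two new returns, saying whether the ECC or the FFC commit element was unavailable. Related: the outer condition now also fires when `sae->peer_commit_scalar` or `sae->tmp->own_commit_scalar` is NULL, so the existing "Temporary data not yet available" text no longer describes every case it covers; either generalise the wording or split the scalar checks out with their own message.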


