From patchwork Fri Apr 24 07:08:46 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Baruch Siach <baruch@tkos.co.il>
X-Patchwork-Id: 464142
Return-Path: <buildroot-bounces@busybox.net>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from fraxinus.osuosl.org (fraxinus.osuosl.org [140.211.166.137])
	by ozlabs.org (Postfix) with ESMTP id 65B021400B7
	for <incoming@patchwork.ozlabs.org>;
	Fri, 24 Apr 2015 17:09:54 +1000 (AEST)
Received: from localhost (localhost [127.0.0.1])
	by fraxinus.osuosl.org (Postfix) with ESMTP id 944C7A2480;
	Fri, 24 Apr 2015 07:09:53 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from fraxinus.osuosl.org ([127.0.0.1])
	by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id PoNtH3MDOvyr; Fri, 24 Apr 2015 07:09:51 +0000 (UTC)
Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34])
	by fraxinus.osuosl.org (Postfix) with ESMTP id 06A6BA2185;
	Fri, 24 Apr 2015 07:09:51 +0000 (UTC)
X-Original-To: buildroot@lists.busybox.net
Delivered-To: buildroot@osuosl.org
Received: from whitealder.osuosl.org (whitealder.osuosl.org
	[140.211.166.138])
	by ash.osuosl.org (Postfix) with ESMTP id AADF61C25CA
	for <buildroot@lists.busybox.net>;
	Fri, 24 Apr 2015 07:09:50 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
	by whitealder.osuosl.org (Postfix) with ESMTP id A728A909B9
	for <buildroot@lists.busybox.net>;
	Fri, 24 Apr 2015 07:09:50 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from whitealder.osuosl.org ([127.0.0.1])
	by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id cXUVwVTJoNqf for <buildroot@lists.busybox.net>;
	Fri, 24 Apr 2015 07:09:49 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mx.tkos.co.il (guitar.tcltek.co.il [192.115.133.116])
	by whitealder.osuosl.org (Postfix) with ESMTPS id B8B939098A
	for <buildroot@busybox.net>; Fri, 24 Apr 2015 07:09:48 +0000 (UTC)
Received: from tarshish.tkos.co.il (unknown [10.0.8.6])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits))
	(No client certificate requested)
	by mx.tkos.co.il (Postfix) with ESMTPSA id 36FD14403E6;
	Fri, 24 Apr 2015 10:09:44 +0300 (IDT)
From: Baruch Siach <baruch@tkos.co.il>
To: buildroot@busybox.net
Date: Fri, 24 Apr 2015 10:08:46 +0300
Message-Id: 
 <ae747360e1b88e5f8f2ecfd38130aebc21a73682.1429859326.git.baruch@tkos.co.il>
X-Mailer: git-send-email 2.1.4
Subject: [Buildroot] [PATCH] wpa_supplicant: add fix for CVE-2015-1863
X-BeenThere: buildroot@busybox.net
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: Discussion and development of buildroot <buildroot.busybox.net>
List-Unsubscribe: <http://lists.busybox.net/mailman/options/buildroot>,
	<mailto:buildroot-request@busybox.net?subject=unsubscribe>
List-Archive: <http://lists.busybox.net/pipermail/buildroot/>
List-Post: <mailto:buildroot@busybox.net>
List-Help: <mailto:buildroot-request@busybox.net?subject=help>
List-Subscribe: <http://lists.busybox.net/mailman/listinfo/buildroot>,
	<mailto:buildroot-request@busybox.net?subject=subscribe>
MIME-Version: 1.0
Errors-To: buildroot-bounces@busybox.net
Sender: "buildroot" <buildroot-bounces@busybox.net>

Add upstream patch fixing CVE-2015-1863: buffer overflow of SSID buffer within
struct p2p_device that is allocated from heap.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
 ...e-SSID-element-length-before-copying-it-C.patch | 45 ++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 package/wpa_supplicant/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch

diff --git a/package/wpa_supplicant/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch b/package/wpa_supplicant/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
new file mode 100644
index 000000000000..989bc4f786a3
--- /dev/null
+++ b/package/wpa_supplicant/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
@@ -0,0 +1,45 @@
+From 9ed4eee345f85e3025c33c6e20aa25696e341ccd Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@qca.qualcomm.com>
+Date: Tue, 7 Apr 2015 11:32:11 +0300
+Subject: [PATCH] P2P: Validate SSID element length before copying it
+ (CVE-2015-1863)
+
+Upstream commit 9ed4eee345f85e3025c33c6e20aa25696e341ccd.
+
+This fixes a possible memcpy overflow for P2P dev->oper_ssid in
+p2p_add_device(). The length provided by the peer device (0..255 bytes)
+was used without proper bounds checking and that could have resulted in
+arbitrary data of up to 223 bytes being written beyond the end of the
+dev->oper_ssid[] array (of which about 150 bytes would be beyond the
+heap allocation) when processing a corrupted management frame for P2P
+peer discovery purposes.
+
+This could result in corrupted state in heap, unexpected program
+behavior due to corrupted P2P peer device information, denial of service
+due to process crash, exposure of memory contents during GO Negotiation,
+and potentially arbitrary code execution.
+
+Thanks to Google security team for reporting this issue and smart
+hardware research group of Alibaba security team for discovering it.
+
+Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+ src/p2p/p2p.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
+index f584fae..a45fe73 100644
+--- a/src/p2p/p2p.c
++++ b/src/p2p/p2p.c
+@@ -778,6 +778,7 @@ int p2p_add_device(struct p2p_data *p2p, const u8 *addr, int freq,
+ 	if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0)
+ 		os_memcpy(dev->interface_addr, addr, ETH_ALEN);
+ 	if (msg.ssid &&
++	    msg.ssid[1] <= sizeof(dev->oper_ssid) &&
+ 	    (msg.ssid[1] != P2P_WILDCARD_SSID_LEN ||
+ 	     os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN)
+ 	     != 0)) {
+-- 
+1.9.1
+