From patchwork Wed Sep 5 06:03:34 2018
X-Patchwork-Submitter: Sarada Prasanna Garnayak
X-Patchwork-Id: 966223
From: Sarada Prasanna Garnayak
To: hostap@lists.infradead.org
Cc: Sarada Prasanna Garnayak
Subject: [PATCH] [PATCH]hostapd:Fix potential buffer overflow and null pointer dereference
Date: Wed, 5 Sep 2018 11:33:34 +0530
Message-Id: <20180905060334.53417-1-sarada.prasanna.garnayak@intel.com>
X-Mailer: git-send-email 2.11.0

1. event_dequeue() returns NULL on error, so add a check for a NULL pointer before dereferencing it.
2. Use the max attribute length macro as the size of the buffer that stores the RADIUS attributes, to avoid a potential buffer overflow or underflow.
3. Clean the uninitialized memory before use.
4. Typecast the operand to a compatible data type before the bitwise operation.

Signed-off-by: Sarada Prasanna Garnayak
---
 src/ap/accounting.c | 2 +-
 src/ap/ieee802_1x.c | 2 +-
 src/ap/wpa_auth_ie.c | 1 +
 src/radius/radius.c | 2 +-
 src/wps/wps_registrar.c | 3 ++-
 src/wps/wps_upnp_event.c | 2 ++
 6 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/ap/accounting.c b/src/ap/accounting.c
index 0aacc3c95..69169375d 100644
--- a/src/ap/accounting.c
+++ b/src/ap/accounting.c
@@ -36,7 +36,7 @@ static struct radius_msg * accounting_msg(struct hostapd_data *hapd, int status_type) { struct radius_msg *msg; - char buf[128]; + char buf[RADIUS_MAX_ATTR_LEN]; u8 *val; size_t len; int i; diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c index 985f8b787..52c211cc8 100644 --- a/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c @@ -503,7 +503,7 @@ int add_common_radius_attr(struct hostapd_data *hapd, struct sta_info *sta, struct radius_msg *msg) { - char buf[128]; + char buf[RADIUS_MAX_ATTR_LEN]; struct hostapd_radius_attr *attr; int len; diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c index 421dd5a6f..a753376c9 100644 --- a/src/ap/wpa_auth_ie.c +++ b/src/ap/wpa_auth_ie.c @@ -428,6 +428,7 @@ int wpa_auth_gen_wpa_ie(struct wpa_authenticator *wpa_auth) u8 *pos, buf[128]; int res; + memset(buf, 0, sizeof(buf)); #ifdef CONFIG_TESTING_OPTIONS if (wpa_auth->conf.own_ie_override_len) { wpa_hexdump(MSG_DEBUG, "WPA: Forced own IE(s) for testing", diff --git a/src/radius/radius.c b/src/radius/radius.c index 07240ea22..63be0d732 100644 --- a/src/radius/radius.c +++ b/src/radius/radius.c @@ -1343,7 +1343,7 @@ radius_msg_add_attr_user_password(struct radius_msg *msg, const u8 *data, size_t data_len, const u8 *secret, size_t secret_len) { - u8 buf[128]; + u8 buf[RADIUS_MAX_ATTR_LEN]; int res; res = radius_user_password_hide(msg, data, data_len, diff --git a/src/wps/wps_registrar.c b/src/wps/wps_registrar.c index 379925e3f..ed8c1d1e2 100644 --- a/src/wps/wps_registrar.c +++ b/src/wps/wps_registrar.c 
@@ -3424,7 +3424,8 @@ static void wps_registrar_sel_reg_add(struct wps_registrar *reg, reg->sel_reg_dev_password_id_override = s->dev_password_id; if (reg->sel_reg_config_methods_override == -1) reg->sel_reg_config_methods_override = 0; - reg->sel_reg_config_methods_override |= s->config_methods; + reg->sel_reg_config_methods_override |= + (int)(unsigned)s->config_methods; for (i = 0; i < WPS_MAX_AUTHORIZED_MACS; i++) if (is_zero_ether_addr(reg->authorized_macs_union[i])) break; diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c index 94aae7542..f1f981138 100644 --- a/src/wps/wps_upnp_event.c +++ b/src/wps/wps_upnp_event.c @@ -282,6 +282,8 @@ static int event_send_start(struct subscription *s) return -1; s->current_event = e = event_dequeue(s); + if (!e) + return -1; /* Use address according to number of retries */ itry = 0;
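Review bot: in the src/ap/accounting.c hunk, replacing `char buf[128];` with `char buf[RADIUS_MAX_ATTR_LEN];` only enlarges the array; none of the writes into buf that would have to exceed 128 bytes for this to be an overflow are in the visible context, so the fix cannot be judged from the diff. If every write is already bounded by sizeof(buf) (os_snprintf/os_strlcpy style), this is a capacity increase that avoids truncation rather than an overflow fix, and the commit message should name the attribute value that can exceed 128 bytes. Please also confirm RADIUS_MAX_ATTR_LEN is visible in accounting.c through a header it already includes, since the hunk adds no include. More generally, this series mixes six unrelated changes across accounting, 802.1X, WPA IE generation, RADIUS and WPS; splitting them into one patch per change (and dropping the duplicated "[PATCH] [PATCH]" in the subject) would make each one reviewable on its own.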
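Review bot: the same concern applies to the src/ap/ieee802_1x.c hunk in add_common_radius_attr(): the declaration grows to RADIUS_MAX_ATTR_LEN but the `int len` that receives each formatted length, and any comparison of it against the buffer size, are outside the hunk. Sizing a stack buffer for an attribute value to the maximum attribute length is reasonable, but please check that every formatter in this function compares its result against sizeof(buf) rather than a literal 128, otherwise the truncation checks silently stop matching the new array size.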
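Review bot: the `memset(buf, 0, sizeof(buf));` added in the src/ap/wpa_auth_ie.c hunk uses the bare libc call; this code base goes through the os_memset() wrapper from utils/os.h, so use that for consistency. Beyond style, commit message item 3 says uninitialized memory is cleaned before use, but the hunk shows no read of buf beyond what pos has written; if the generated IE is only ever consumed as buf[0 .. pos - buf], zeroing it is harmless but fixes nothing, and if some read does reach unwritten bytes the commit message should point at that read so the change can be verified.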
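Review bot: in the src/radius/radius.c hunk, radius_msg_add_attr_user_password() encodes the User-Password attribute, whose hidden form RFC 2865 section 5.2 defines as padded to a multiple of 16 octets with a maximum of 128 octets, so `u8 buf[128];` was already the protocol bound rather than an arbitrary size. Widening it to RADIUS_MAX_ATTR_LEN is only safe if radius_user_password_hide(), which is called on the context line below and presumably receives buf and its size in the arguments that follow, derives its limit from the size it is passed and copes with a size that is not a multiple of 16; please verify that, and state in the commit message what input overflowed the 128-byte buffer, since none is visible here.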
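Review bot: the `(int)(unsigned)s->config_methods` cast in the src/wps/wps_registrar.c hunk does not change the value: an unsigned 16-bit config_methods field is promoted to int before the `|=` anyway, and casting it to unsigned and back yields the same bits. If the purpose is to silence a sign-conversion diagnostic from a static analyzer (commit message item 4 does not name the tool or the warning), put that in a comment beside the cast so the next reader does not remove it as dead; otherwise drop the cast and keep the original single-line statement. Note that sel_reg_config_methods_override must stay signed because of the `== -1` sentinel checked two lines above, so changing the field type is not the alternative here.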
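Review bot: the `if (!e) return -1;` added in the src/wps/wps_upnp_event.c hunk comes right after `s->current_event = e = event_dequeue(s);`, and the `return -1;` context line just above shows event_send_start() already rejecting some precondition before it dequeues. If one of those preconditions is that the event queue is non-empty, event_dequeue() cannot return NULL at this point and the new check is defensive rather than a fix for a reachable null dereference; commit message item 1 should say which it is. The early return itself is consistent with the function's existing error path, and s->current_event is left as NULL by the assignment, so no extra cleanup is needed; a wpa_printf(MSG_DEBUG, ...) on this path would make an unexpectedly empty queue visible in the logs.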