mirror of
git://slackware.nl/current.git
synced 2025-02-14 08:48:37 +01:00
527328c5da
a/kernel-generic-4.19.13-x86_64-1.txz: Upgraded. a/kernel-huge-4.19.13-x86_64-1.txz: Upgraded. a/kernel-modules-4.19.13-x86_64-1.txz: Upgraded. d/doxygen-1.8.15-x86_64-1.txz: Upgraded. d/kernel-headers-4.19.13-x86-1.txz: Upgraded. k/kernel-source-4.19.13-noarch-1.txz: Upgraded. FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER y -> n l/libsecret-0.18.7-x86_64-1.txz: Upgraded. n/wpa_supplicant-2.6-x86_64-6.txz: Upgraded. It seems we're not the only ones with broken WPA2-Enterprise support with wpa_supplicant-2.7, so we'll fix it the same way as everyone else - by reverting to wpa_supplicant-2.6 for now. isolinux/initrd.img: Rebuilt. kernels/*: Upgraded. testing/packages/wpa_supplicant-2.7-x86_64-2.txz: Upgraded. Applied a patch from Gentoo to allow building CONFIG_IEEE80211X=y without the experimental CONFIG_FILS=y option. usb-and-pxe-installers/usbboot.img: Rebuilt.
78 lines
2.8 KiB
Diff
78 lines
2.8 KiB
Diff
From 0ad5893a2f1f521d44712cd395e067ccf0a397c3 Mon Sep 17 00:00:00 2001
|
|
From: Michael Braun <michael-dev@fami-braun.de>
|
|
Date: Fri, 18 Aug 2017 01:14:28 +0200
|
|
Subject: PAE: Validate input before pointer
|
|
|
|
ieee802_1x_kay_decode_mkpdu() calls ieee802_1x_mka_i_in_peerlist()
|
|
before body_len has been checked on all segments.
|
|
|
|
ieee802_1x_kay_decode_mkpdu() and ieee802_1x_mka_i_in_peerlist() might
|
|
continue and thus underflow left_len even if it finds left_len to small
|
|
(or before checking).
|
|
|
|
Additionally, ieee802_1x_mka_dump_peer_body() might perform out of bound
|
|
reads in this case.
|
|
|
|
Fix this by checking left_len and aborting if too small early.
|
|
|
|
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
|
|
---
|
|
src/pae/ieee802_1x_kay.c | 23 ++++++++++++-----------
|
|
1 file changed, 12 insertions(+), 11 deletions(-)
|
|
|
|
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
|
|
index c4bfcbc..cad0292 100644
|
|
--- a/src/pae/ieee802_1x_kay.c
|
|
+++ b/src/pae/ieee802_1x_kay.c
|
|
@@ -964,21 +964,19 @@ ieee802_1x_mka_i_in_peerlist(struct ieee802_1x_mka_participant *participant,
|
|
body_len = get_mka_param_body_len(hdr);
|
|
body_type = get_mka_param_body_type(hdr);
|
|
|
|
- if (body_type != MKA_LIVE_PEER_LIST &&
|
|
- body_type != MKA_POTENTIAL_PEER_LIST)
|
|
- continue;
|
|
-
|
|
- ieee802_1x_mka_dump_peer_body(
|
|
- (struct ieee802_1x_mka_peer_body *)pos);
|
|
-
|
|
- if (left_len < (MKA_HDR_LEN + body_len + DEFAULT_ICV_LEN)) {
|
|
+ if (left_len < (MKA_HDR_LEN + MKA_ALIGN_LENGTH(body_len) + DEFAULT_ICV_LEN)) {
|
|
wpa_printf(MSG_ERROR,
|
|
"KaY: MKA Peer Packet Body Length (%zu bytes) is less than the Parameter Set Header Length (%zu bytes) + the Parameter Set Body Length (%zu bytes) + %d bytes of ICV",
|
|
left_len, MKA_HDR_LEN,
|
|
- body_len, DEFAULT_ICV_LEN);
|
|
- continue;
|
|
+ MKA_ALIGN_LENGTH(body_len),
|
|
+ DEFAULT_ICV_LEN);
|
|
+ return FALSE;
|
|
}
|
|
|
|
+ if (body_type != MKA_LIVE_PEER_LIST &&
|
|
+ body_type != MKA_POTENTIAL_PEER_LIST)
|
|
+ continue;
|
|
+
|
|
if ((body_len % 16) != 0) {
|
|
wpa_printf(MSG_ERROR,
|
|
"KaY: MKA Peer Packet Body Length (%zu bytes) should be a multiple of 16 octets",
|
|
@@ -986,6 +984,9 @@ ieee802_1x_mka_i_in_peerlist(struct ieee802_1x_mka_participant *participant,
|
|
continue;
|
|
}
|
|
|
|
+ ieee802_1x_mka_dump_peer_body(
|
|
+ (struct ieee802_1x_mka_peer_body *)pos);
|
|
+
|
|
for (i = 0; i < body_len;
|
|
i += sizeof(struct ieee802_1x_mka_peer_id)) {
|
|
const struct ieee802_1x_mka_peer_id *peer_mi;
|
|
@@ -3018,7 +3019,7 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay,
|
|
"KaY: MKA Peer Packet Body Length (%zu bytes) is less than the Parameter Set Header Length (%zu bytes) + the Parameter Set Body Length (%zu bytes) + %d bytes of ICV",
|
|
left_len, MKA_HDR_LEN,
|
|
body_len, DEFAULT_ICV_LEN);
|
|
- continue;
|
|
+ return -1;
|
|
}
|
|
|
|
if (handled[body_type])
|
|
--
|
|
cgit v0.12
|
|
|