openwrt/package/network/services/hostapd/patches/065-0001-EAP-pwd-server-Fix-reassembly-buffer-handling.patch

From fe76f487e28bdc61940f304f153a954cf36935ea Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Wed, 17 Apr 2019 01:55:32 +0300
Subject: [PATCH 1/3] EAP-pwd server: Fix reassembly buffer handling

data->inbuf allocation might fail and if that were to happen, the next
fragment in the exchange could have resulted in NULL pointer
dereference. Unexpected fragment with more bit might also be able to
trigger this. Fix that by explicitly checking for data->inbuf to be
available before using it.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
 src/eap_server/eap_server_pwd.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/src/eap_server/eap_server_pwd.c
+++ b/src/eap_server/eap_server_pwd.c
@@ -947,6 +947,12 @@ static void eap_pwd_process(struct eap_s
 	 * the first and all intermediate fragments have the M bit set
 	 */
 	if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
+		if (!data->inbuf) {
+			wpa_printf(MSG_DEBUG,
+				   "EAP-pwd: No buffer for reassembly");
+			eap_pwd_state(data, FAILURE);
+			return;
+		}
 		if ((data->in_frag_pos + len) > wpabuf_size(data->inbuf)) {
 			wpa_printf(MSG_DEBUG, "EAP-pwd: Buffer overflow "
 				   "attack detected! (%d+%d > %d)",
@@ -967,7 +973,7 @@ static void eap_pwd_process(struct eap_s
 	 * last fragment won't have the M bit set (but we're obviously
 	 * buffering fragments so that's how we know it's the last)
 	 */
-	if (data->in_frag_pos) {
+	if (data->in_frag_pos && data->inbuf) {
 		pos = wpabuf_head_u8(data->inbuf);
 		len = data->in_frag_pos;
 		wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
hostapd: Fix security problem in EAP-pwd This fixes: CVE-2019-11555 "EAP-pwd message reassembly issue with unexpected fragment" https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-with-unexpected-fragment.txt This should not affect OpenWrt in the default settings as we do not use EAP-pwd. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 9f34bf51d60a237696b1d4cc9b5f4835b95e7ea2) 2019-09-08 21:27:04 +00:00			`From fe76f487e28bdc61940f304f153a954cf36935ea Mon Sep 17 00:00:00 2001`
			`From: Jouni Malinen <jouni@codeaurora.org>`
			`Date: Wed, 17 Apr 2019 01:55:32 +0300`
			`Subject: [PATCH 1/3] EAP-pwd server: Fix reassembly buffer handling`

			`data->inbuf allocation might fail and if that were to happen, the next`
			`fragment in the exchange could have resulted in NULL pointer`
			`dereference. Unexpected fragment with more bit might also be able to`
			`trigger this. Fix that by explicitly checking for data->inbuf to be`
			`available before using it.`

			`Signed-off-by: Jouni Malinen <jouni@codeaurora.org>`
			`---`
			`src/eap_server/eap_server_pwd.c \| 8 +++++++-`
			`1 file changed, 7 insertions(+), 1 deletion(-)`

			`--- a/src/eap_server/eap_server_pwd.c`
			`+++ b/src/eap_server/eap_server_pwd.c`
			`@@ -947,6 +947,12 @@ static void eap_pwd_process(struct eap_s`
			`* the first and all intermediate fragments have the M bit set`
			`*/`
			`if (EAP_PWD_GET_MORE_BIT(lm_exch) \|\| data->in_frag_pos) {`
			`+ if (!data->inbuf) {`
			`+ wpa_printf(MSG_DEBUG,`
			`+ "EAP-pwd: No buffer for reassembly");`
			`+ eap_pwd_state(data, FAILURE);`
			`+ return;`
			`+ }`
			`if ((data->in_frag_pos + len) > wpabuf_size(data->inbuf)) {`
			`wpa_printf(MSG_DEBUG, "EAP-pwd: Buffer overflow "`
			`"attack detected! (%d+%d > %d)",`
			`@@ -967,7 +973,7 @@ static void eap_pwd_process(struct eap_s`
			`* last fragment won't have the M bit set (but we're obviously`
			`* buffering fragments so that's how we know it's the last)`
			`*/`
			`- if (data->in_frag_pos) {`
			`+ if (data->in_frag_pos && data->inbuf) {`
			`pos = wpabuf_head_u8(data->inbuf);`
			`len = data->in_frag_pos;`
			`wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",`