Package: wpasupplicant
Version: 2.3-2.3
Severity: wishlist
Tags: patch

Dear Maintainer,

please package the new upstream version (2.5). A patch that updates the
debian folder accordingly is attached.


With best regards,
Julian Wollrath

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages wpasupplicant depends on:
ii  adduser           3.113+nmu3
ii  libc6             2.21-1
ii  libdbus-1-3       1.10.6-1
ii  libnl-3-200       3.2.26-1
ii  libnl-genl-3-200  3.2.26-1
ii  libpcsclite1      1.8.14-1
ii  libreadline6      6.3-8+b3
ii  libssl1.0.0       1.0.2d-1
ii  lsb-base          9.20150917

wpasupplicant recommends no packages.

Versions of packages wpasupplicant suggests:
pn  libengine-pkcs11-openssl  <none>
pn  wpagui                    <none>

-- no debconf information

diff -upNr wpa-2.3/debian/changelog wpa-2.5/debian/changelog
--- wpa-2.3/debian/changelog	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/changelog	2015-12-02 15:31:56.997591294 +0100
@@ -1,3 +1,44 @@
+wpa (2.5-0.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * New upstream release:
+    - Unfuzz patches.
+    - Drop patches included upstream:
+      + hostapd_fix-hostapd-operation-without-hw_mode-driver-data.patch
+      + include-ieee802_11_common.c-in-wpa_supplicant-build-.patch
+      + wpa_supplicant-MACsec-fix-build-failure-for-IEEE8021.patch
+      + wpasupplicant_band_selection*.patch
+      + wpasupplicant_fix-systemd-unit-dependencies.patch
+    - Fixes security vulnerabilities (Closes: #787371):
+      + CVE-2015-1863
+      + CVE-2015-4141
+      + CVE-2015-4142
+      + CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146
+      + http://w1.fi/security/2015-5/
+
+ -- Julian Wollrath <jwollr...@web.de>  Sat, 24 Oct 2015 16:14:35 +0200
+
+wpa (2.3-3) unstable; urgency=medium
+
+  * wpasupplicant: install systemd unit (Closes: #766746).
+  * wpasupplicant: configure driver fallback for networkd.
+  * import changelogs from the security queues.
+  * import upstream security fixes for wpa (no CVEs yet):
+    - WPS UPnP vulnerability with HTTP chunked transfer encoding (2015-2)
+      +  WPS: Fix HTTP chunked transfer encoding parser
+    - Integer underflow in AP mode WMM Action frame processing (2015-3)
+      + AP WMM: Fix integer underflow in WMM Action frame parser
+    - EAP-pwd missing payload length validation (2015-4)
+      + EAP-pwd peer: Fix payload length validation for Commit and Confirm
+      + EAP-pwd server: Fix payload length validation for Commit and Confirm
+      + EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
+      + EAP-pwd server: Fix Total-Length parsing for fragment reassembly
+      + EAP-pwd peer: Fix asymmetric fragmentation behavior
+  * move previous patch for CVE-2015-1863 into a new subdirectory,
+    debian/patches/2015-1/ and add the upstream advisory.
+
+ -- Stefan Lippers-Hollmann <s....@gmx.de>  Fri, 08 May 2015 00:50:57 +0200
+
 wpa (2.3-2.3) unstable; urgency=high
 
   * Non-maintainer upload.
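Review bot: The 2.5-0.1 entry does not account for every security patch this diff removes. Its "Fixes security vulnerabilities" list ends at http://w1.fi/security/2015-5/, while the diff also deletes debian/patches/2015-6 (CVE-2015-5310) and debian/patches/2015-7 (CVE-2015-5314, CVE-2015-5315), and neither appears under "Drop patches included upstream". Please list each dropped security patch with its CVE so that the security tracker and later reviewers can tell the fixes are still present. Separately, the old changelog tops out at 2.3-2.3 and the new 2.3-3 stanza sits below 2.5-0.1; if 2.3-3 was never uploaded, its "Closes: #766746" only reaches the .changes file when the build is run with a matching -v option, so it is worth stating which is intended.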
@@ -56,6 +97,13 @@ wpa (2.3-2) unstable; urgency=high
 
  -- Stefan Lippers-Hollmann <s....@gmx.de>  Thu, 23 Apr 2015 05:02:21 +0200
 
+wpa (2.3-1+deb8u1) jessie-security; urgency=high
+
+  * import "P2P: Validate SSID element length before copying it
+    (CVE-2015-1863)" from upstream (Closes: #783148).
+
+ -- Stefan Lippers-Hollmann <s....@gmx.de>  Thu, 23 Apr 2015 19:32:29 +0200
+
 wpa (2.3-1) unstable; urgency=medium
 
   * New upstream release:
@@ -189,6 +237,24 @@ wpa (1.0-3.1) unstable; urgency=low
 
  -- Daniel Kahn Gillmor <d...@fifthhorseman.net>  Thu, 05 Dec 2013 13:56:15 -0500
 
+wpa (1.0-3+deb7u2) wheezy-security; urgency=high
+
+  * import "P2P: Validate SSID element length before copying it
+    (CVE-2015-1863)" from upstream (Closes: #783148); this is essentially a
+    no-op for the wheezy binaries distributed by Debian, as CONFIG_P2P is
+    disabled there.
+
+ -- Stefan Lippers-Hollmann <s....@gmx.de>  Thu, 23 Apr 2015 19:56:11 +0200
+
+wpa (1.0-3+deb7u1) wheezy-security; urgency=high
+
+  * Apply upstream patches for CVE-2014-3686 (Closes: #765352):
+    - add os_exec() helper to run external programs
+    - wpa_cli: Use os_exec() for action script execution
+    - hostapd_cli: Use os_exec() for action script execution
+
+ -- Stefan Lippers-Hollmann <s....@gmx.de>  Wed, 15 Oct 2014 23:32:54 +0200
+
 wpa (1.0-3) unstable; urgency=high
 
   * ship forgotten README-P2P.
diff -upNr wpa-2.3/debian/patches/01_use_pkg-config_for_pcsc-lite_module.patch wpa-2.5/debian/patches/01_use_pkg-config_for_pcsc-lite_module.patch
--- wpa-2.3/debian/patches/01_use_pkg-config_for_pcsc-lite_module.patch	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/patches/01_use_pkg-config_for_pcsc-lite_module.patch	2015-10-24 16:14:41.000000000 +0200
@@ -5,7 +5,7 @@ Author: Reinhard Tartler <siretart@tauwa
 ---
 --- a/wpa_supplicant/Makefile
 +++ b/wpa_supplicant/Makefile
-@@ -882,7 +882,7 @@ ifdef CONFIG_NATIVE_WINDOWS
+@@ -933,7 +933,7 @@ ifdef CONFIG_NATIVE_WINDOWS
  #dynamic symbol loading that is now used in pcsc_funcs.c
  #LIBS += -lwinscard
  else
diff -upNr wpa-2.3/debian/patches/07_dbus_service_syslog.patch wpa-2.5/debian/patches/07_dbus_service_syslog.patch
--- wpa-2.3/debian/patches/07_dbus_service_syslog.patch	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/patches/07_dbus_service_syslog.patch	2015-10-24 16:14:41.000000000 +0200
@@ -24,7 +24,7 @@ Author: Kel Modderman <k...@otaku42.de>
  SystemdService=wpa_supplicant.service
 --- a/wpa_supplicant/systemd/wpa_supplicant.service.in
 +++ b/wpa_supplicant/systemd/wpa_supplicant.service.in
-@@ -4,7 +4,7 @@ Description=WPA supplicant
+@@ -6,7 +6,7 @@ Description=WPA supplicant
  [Service]
  Type=dbus
  BusName=fi.epitest.hostap.WPASupplicant
diff -upNr wpa-2.3/debian/patches/12_wpa_gui_knotify_support.patch wpa-2.5/debian/patches/12_wpa_gui_knotify_support.patch
--- wpa-2.3/debian/patches/12_wpa_gui_knotify_support.patch	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/patches/12_wpa_gui_knotify_support.patch	2015-10-24 16:14:41.000000000 +0200
@@ -19,24 +19,24 @@ Bug-Debian: http://bugs.debian.org/58279
  
  #include "wpagui.h"
  #include "dirent.h"
-@@ -1329,10 +1332,21 @@ void WpaGui::createTrayIcon(bool trayOnl
+@@ -1415,10 +1415,21 @@ void WpaGui::createTrayIcon(bool trayOnl
  void WpaGui::showTrayMessage(QSystemTrayIcon::MessageIcon type, int sec,
  			     const QString & msg)
  {
 -	if (!QSystemTrayIcon::supportsMessages())
-+	if (isVisible() || !tray_icon || !tray_icon->isVisible())
++	if (isVisible() || !tray_icon || !tray_icon->isVisible() || quietMode)
  		return;
  
--	if (isVisible() || !tray_icon || !tray_icon->isVisible())
+-	if (isVisible() || !tray_icon || !tray_icon->isVisible() || quietMode)
 +	/* first try to use KDE's notifications system if running under
 +	 * a KDE session */
-+	if (getenv("KDE_FULL_SESSION") != NULL) {
++      	if (getenv("KDE_FULL_SESSION") != NULL) {
 +		QStringList args;
 +		args << "--passivepopup" << msg << QString::number(sec);
 +		args << "--title" << "wpa_gui";
-+
++		
 +		if (QProcess::execute("/usr/bin/kdialog", args) == 0)
-+		    return;
++    			return;
 +	}
 +
 +	if (!QSystemTrayIcon::supportsMessages())
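Review bot: The refreshed showTrayMessage() hunk picks up whitespace damage that the 2.3 version of this patch did not have. The getenv("KDE_FULL_SESSION") line is now indented with spaces followed by a tab, the blank line after the "--title" arguments carries trailing tabs, and the return after QProcess::execute() mixes spaces and tabs. The embedded header also changed from "-1329,10 +1332,21" to "-1415,10 +1415,21", losing the offset between old and new start lines, which suggests the header was edited by hand. Regenerating the patch with quilt refresh against the 2.5 tree would fix both and leave the added quietMode condition as the only real change.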
diff -upNr wpa-2.3/debian/patches/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch wpa-2.5/debian/patches/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
--- wpa-2.3/debian/patches/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/patches/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,49 +0,0 @@
-From 5acd23f4581da58683f3cf5e36cb71bbe4070bd7 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j...@w1.fi>
-Date: Tue, 28 Apr 2015 17:08:33 +0300
-Subject: [PATCH] WPS: Fix HTTP chunked transfer encoding parser
-
-strtoul() return value may end up overflowing the int h->chunk_size and
-resulting in a negative value to be stored as the chunk_size. This could
-result in the following memcpy operation using a very large length
-argument which would result in a buffer overflow and segmentation fault.
-
-This could have been used to cause a denial service by any device that
-has been authorized for network access (either wireless or wired). This
-would affect both the WPS UPnP functionality in a WPS AP (hostapd with
-upnp_iface parameter set in the configuration) and WPS ER
-(wpa_supplicant with WPS_ER_START control interface command used).
-
-Validate the parsed chunk length value to avoid this. In addition to
-rejecting negative values, we can also reject chunk size that would be
-larger than the maximum configured body length.
-
-Thanks to Kostya Kortchinsky of Google security team for discovering and
-reporting this issue.
-
-Signed-off-by: Jouni Malinen <j...@w1.fi>
----
- src/wps/httpread.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/src/wps/httpread.c b/src/wps/httpread.c
-index 2f08f37..d2855e3 100644
---- a/src/wps/httpread.c
-+++ b/src/wps/httpread.c
-@@ -533,6 +533,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx)
- 					if (!isxdigit(*cbp))
- 						goto bad;
- 					h->chunk_size = strtoul(cbp, NULL, 16);
-+					if (h->chunk_size < 0 ||
-+					    h->chunk_size > h->max_bytes) {
-+						wpa_printf(MSG_DEBUG,
-+							   "httpread: Invalid chunk size %d",
-+							   h->chunk_size);
-+						goto bad;
-+					}
- 					/* throw away chunk header
- 					 * so we have only real data
- 					 */
--- 
-1.9.1
-
diff -upNr wpa-2.3/debian/patches/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch wpa-2.5/debian/patches/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
--- wpa-2.3/debian/patches/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/patches/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,41 +0,0 @@
-From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j...@w1.fi>
-Date: Wed, 29 Apr 2015 02:21:53 +0300
-Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser
-
-The length of the WMM Action frame was not properly validated and the
-length of the information elements (int left) could end up being
-negative. This would result in reading significantly past the stack
-buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
-so, resulting in segmentation fault.
-
-This can result in an invalid frame being used for a denial of service
-attack (hostapd process killed) against an AP with a driver that uses
-hostapd for management frame processing (e.g., all mac80211-based
-drivers).
-
-Thanks to Kostya Kortchinsky of Google security team for discovering and
-reporting this issue.
-
-Signed-off-by: Jouni Malinen <j...@w1.fi>
----
- src/ap/wmm.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/ap/wmm.c b/src/ap/wmm.c
-index 6d4177c..314e244 100644
---- a/src/ap/wmm.c
-+++ b/src/ap/wmm.c
-@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd,
- 		return;
- 	}
- 
-+	if (left < 0)
-+		return; /* not a valid WMM Action frame */
-+
- 	/* extract the tspec info element */
- 	if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) {
- 		hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
--- 
-1.9.1
-
diff -upNr wpa-2.3/debian/patches/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch wpa-2.5/debian/patches/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
--- wpa-2.3/debian/patches/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/patches/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,73 +0,0 @@
-From dd2f043c9c43d156494e33d7ce22db96e6ef42c7 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j...@w1.fi>
-Date: Fri, 1 May 2015 16:37:45 +0300
-Subject: [PATCH 1/5] EAP-pwd peer: Fix payload length validation for Commit
- and Confirm
-
-The length of the received Commit and Confirm message payloads was not
-checked before reading them. This could result in a buffer read
-overflow when processing an invalid message.
-
-Fix this by verifying that the payload is of expected length before
-processing it. In addition, enforce correct state transition sequence to
-make sure there is no unexpected behavior if receiving a Commit/Confirm
-message before the previous exchanges have been completed.
-
-Thanks to Kostya Kortchinsky of Google security team for discovering and
-reporting this issue.
-
-Signed-off-by: Jouni Malinen <j...@w1.fi>
----
- src/eap_peer/eap_pwd.c | 29 +++++++++++++++++++++++++++++
- 1 file changed, 29 insertions(+)
-
-diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
-index f2b0926..a629437 100644
---- a/src/eap_peer/eap_pwd.c
-+++ b/src/eap_peer/eap_pwd.c
-@@ -355,6 +355,23 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
- 	BIGNUM *mask = NULL, *x = NULL, *y = NULL, *cofactor = NULL;
- 	u16 offset;
- 	u8 *ptr, *scalar = NULL, *element = NULL;
-+	size_t prime_len, order_len;
-+
-+	if (data->state != PWD_Commit_Req) {
-+		ret->ignore = TRUE;
-+		goto fin;
-+	}
-+
-+	prime_len = BN_num_bytes(data->grp->prime);
-+	order_len = BN_num_bytes(data->grp->order);
-+
-+	if (payload_len != 2 * prime_len + order_len) {
-+		wpa_printf(MSG_INFO,
-+			   "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
-+			   (unsigned int) payload_len,
-+			   (unsigned int) (2 * prime_len + order_len));
-+		goto fin;
-+	}
- 
- 	if (((data->private_value = BN_new()) == NULL) ||
- 	    ((data->my_element = EC_POINT_new(data->grp->group)) == NULL) ||
-@@ -554,6 +571,18 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
- 	u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
- 	int offset;
- 
-+	if (data->state != PWD_Confirm_Req) {
-+		ret->ignore = TRUE;
-+		goto fin;
-+	}
-+
-+	if (payload_len != SHA256_MAC_LEN) {
-+		wpa_printf(MSG_INFO,
-+			   "EAP-pwd: Unexpected Confirm payload length %u (expected %u)",
-+			   (unsigned int) payload_len, SHA256_MAC_LEN);
-+		goto fin;
-+	}
-+
- 	/*
- 	 * first build up the ciphersuite which is group | random_function |
- 	 *	prf
--- 
-1.9.1
-
diff -upNr wpa-2.3/debian/patches/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch wpa-2.5/debian/patches/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
--- wpa-2.3/debian/patches/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/patches/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,66 +0,0 @@
-From e28a58be26184c2a23f80b410e0997ef1bd5d578 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j...@w1.fi>
-Date: Fri, 1 May 2015 16:40:44 +0300
-Subject: [PATCH 2/5] EAP-pwd server: Fix payload length validation for Commit
- and Confirm
-
-The length of the received Commit and Confirm message payloads was not
-checked before reading them. This could result in a buffer read
-overflow when processing an invalid message.
-
-Fix this by verifying that the payload is of expected length before
-processing it. In addition, enforce correct state transition sequence to
-make sure there is no unexpected behavior if receiving a Commit/Confirm
-message before the previous exchanges have been completed.
-
-Thanks to Kostya Kortchinsky of Google security team for discovering and
-reporting this issue.
-
-Signed-off-by: Jouni Malinen <j...@w1.fi>
----
- src/eap_server/eap_server_pwd.c | 19 +++++++++++++++++++
- 1 file changed, 19 insertions(+)
-
-diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
-index 66bd5d2..3189105 100644
---- a/src/eap_server/eap_server_pwd.c
-+++ b/src/eap_server/eap_server_pwd.c
-@@ -656,9 +656,21 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
- 	BIGNUM *x = NULL, *y = NULL, *cofactor = NULL;
- 	EC_POINT *K = NULL, *point = NULL;
- 	int res = 0;
-+	size_t prime_len, order_len;
- 
- 	wpa_printf(MSG_DEBUG, "EAP-pwd: Received commit response");
- 
-+	prime_len = BN_num_bytes(data->grp->prime);
-+	order_len = BN_num_bytes(data->grp->order);
-+
-+	if (payload_len != 2 * prime_len + order_len) {
-+		wpa_printf(MSG_INFO,
-+			   "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
-+			   (unsigned int) payload_len,
-+			   (unsigned int) (2 * prime_len + order_len));
-+		goto fin;
-+	}
-+
- 	if (((data->peer_scalar = BN_new()) == NULL) ||
- 	    ((data->k = BN_new()) == NULL) ||
- 	    ((cofactor = BN_new()) == NULL) ||
-@@ -774,6 +786,13 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,
- 	u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
- 	int offset;
- 
-+	if (payload_len != SHA256_MAC_LEN) {
-+		wpa_printf(MSG_INFO,
-+			   "EAP-pwd: Unexpected Confirm payload length %u (expected %u)",
-+			   (unsigned int) payload_len, SHA256_MAC_LEN);
-+		goto fin;
-+	}
-+
- 	/* build up the ciphersuite: group | random_function | prf */
- 	grp = htons(data->group_num);
- 	ptr = (u8 *) &cs;
--- 
-1.9.1
-
diff -upNr wpa-2.3/debian/patches/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch wpa-2.5/debian/patches/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
--- wpa-2.3/debian/patches/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/patches/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,52 +0,0 @@
-From 477c74395acd0123340457ba6f15ab345d42016e Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j...@w1.fi>
-Date: Sat, 2 May 2015 19:23:04 +0300
-Subject: [PATCH 3/5] EAP-pwd peer: Fix Total-Length parsing for fragment
- reassembly
-
-The remaining number of bytes in the message could be smaller than the
-Total-Length field size, so the length needs to be explicitly checked
-prior to reading the field and decrementing the len variable. This could
-have resulted in the remaining length becoming negative and interpreted
-as a huge positive integer.
-
-In addition, check that there is no already started fragment in progress
-before allocating a new buffer for reassembling fragments. This avoid a
-potential memory leak when processing invalid message.
-
-Signed-off-by: Jouni Malinen <j...@w1.fi>
----
- src/eap_peer/eap_pwd.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
-index a629437..1d2079b 100644
---- a/src/eap_peer/eap_pwd.c
-+++ b/src/eap_peer/eap_pwd.c
-@@ -866,11 +866,23 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
- 	 * if it's the first fragment there'll be a length field
- 	 */
- 	if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
-+		if (len < 2) {
-+			wpa_printf(MSG_DEBUG,
-+				   "EAP-pwd: Frame too short to contain Total-Length field");
-+			ret->ignore = TRUE;
-+			return NULL;
-+		}
- 		tot_len = WPA_GET_BE16(pos);
- 		wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments whose "
- 			   "total length = %d", tot_len);
- 		if (tot_len > 15000)
- 			return NULL;
-+		if (data->inbuf) {
-+			wpa_printf(MSG_DEBUG,
-+				   "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
-+			ret->ignore = TRUE;
-+			return NULL;
-+		}
- 		data->inbuf = wpabuf_alloc(tot_len);
- 		if (data->inbuf == NULL) {
- 			wpa_printf(MSG_INFO, "Out of memory to buffer "
--- 
-1.9.1
-
diff -upNr wpa-2.3/debian/patches/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch wpa-2.5/debian/patches/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
--- wpa-2.3/debian/patches/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/patches/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,50 +0,0 @@
-From 3035cc2894e08319b905bd6561e8bddc8c2db9fa Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j...@w1.fi>
-Date: Sat, 2 May 2015 19:26:06 +0300
-Subject: [PATCH 4/5] EAP-pwd server: Fix Total-Length parsing for fragment
- reassembly
-
-The remaining number of bytes in the message could be smaller than the
-Total-Length field size, so the length needs to be explicitly checked
-prior to reading the field and decrementing the len variable. This could
-have resulted in the remaining length becoming negative and interpreted
-as a huge positive integer.
-
-In addition, check that there is no already started fragment in progress
-before allocating a new buffer for reassembling fragments. This avoid a
-potential memory leak when processing invalid message.
-
-Signed-off-by: Jouni Malinen <j...@w1.fi>
----
- src/eap_server/eap_server_pwd.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
-index 3189105..2bfc3c2 100644
---- a/src/eap_server/eap_server_pwd.c
-+++ b/src/eap_server/eap_server_pwd.c
-@@ -942,11 +942,21 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
- 	 * the first fragment has a total length
- 	 */
- 	if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
-+		if (len < 2) {
-+			wpa_printf(MSG_DEBUG,
-+				   "EAP-pwd: Frame too short to contain Total-Length field");
-+			return;
-+		}
- 		tot_len = WPA_GET_BE16(pos);
- 		wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total "
- 			   "length = %d", tot_len);
- 		if (tot_len > 15000)
- 			return;
-+		if (data->inbuf) {
-+			wpa_printf(MSG_DEBUG,
-+				   "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
-+			return;
-+		}
- 		data->inbuf = wpabuf_alloc(tot_len);
- 		if (data->inbuf == NULL) {
- 			wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to "
--- 
-1.9.1
-
diff -upNr wpa-2.3/debian/patches/2015-4/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch wpa-2.5/debian/patches/2015-4/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch
--- wpa-2.3/debian/patches/2015-4/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/patches/2015-4/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,32 +0,0 @@
-From 28a069a545b06b99eb55ad53f63f2c99e65a98f6 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j...@w1.fi>
-Date: Sat, 2 May 2015 19:26:28 +0300
-Subject: [PATCH 5/5] EAP-pwd peer: Fix asymmetric fragmentation behavior
-
-The L (Length) and M (More) flags needs to be cleared before deciding
-whether the locally generated response requires fragmentation. This
-fixes an issue where these flags from the server could have been invalid
-for the following message. In some cases, this could have resulted in
-triggering the wpabuf security check that would terminate the process
-due to invalid buffer allocation.
-
-Signed-off-by: Jouni Malinen <j...@w1.fi>
----
- src/eap_peer/eap_pwd.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
-index 1d2079b..e58b13a 100644
---- a/src/eap_peer/eap_pwd.c
-+++ b/src/eap_peer/eap_pwd.c
-@@ -968,6 +968,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
- 	/*
- 	 * we have output! Do we need to fragment it?
- 	 */
-+	lm_exch = EAP_PWD_GET_EXCHANGE(lm_exch);
- 	len = wpabuf_len(data->outbuf);
- 	if ((len + EAP_PWD_HDR_SIZE) > data->mtu) {
- 		resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD, data->mtu,
--- 
-1.9.1
-
diff -upNr wpa-2.3/debian/patches/2015-5/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch wpa-2.5/debian/patches/2015-5/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
--- wpa-2.3/debian/patches/2015-5/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/patches/2015-5/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,56 +0,0 @@
-From df9079e72760ceb7ebe7fb11538200c516bdd886 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j...@w1.fi>
-Date: Tue, 7 Jul 2015 21:57:28 +0300
-Subject: [PATCH] NFC: Fix payload length validation in NDEF record parser
-
-It was possible for the 32-bit record->total_length value to end up
-wrapping around due to integer overflow if the longer form of payload
-length field is used and record->payload_length gets a value close to
-2^32. This could result in ndef_parse_record() accepting a too large
-payload length value and the record type filter reading up to about 20
-bytes beyond the end of the buffer and potentially killing the process.
-This could also result in an attempt to allocate close to 2^32 bytes of
-heap memory and if that were to succeed, a buffer read overflow of the
-same length which would most likely result in the process termination.
-In case of record->total_length ending up getting the value 0, there
-would be no buffer read overflow, but record parsing would result in an
-infinite loop in ndef_parse_records().
-
-Any of these error cases could potentially be used for denial of service
-attacks over NFC by using a malformed NDEF record on an NFC Tag or
-sending them during NFC connection handover if the application providing
-the NDEF message to hostapd/wpa_supplicant did no validation of the
-received records. While such validation is likely done in the NFC stack
-that needs to parse the NFC messages before further processing,
-hostapd/wpa_supplicant better be prepared for any data being included
-here.
-
-Fix this by validating record->payload_length value in a way that
-detects integer overflow. (CID 122668)
-
-Signed-off-by: Jouni Malinen <j...@w1.fi>
----
- src/wps/ndef.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/src/wps/ndef.c
-+++ b/src/wps/ndef.c
-@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *d
- 		if (size < 6)
- 			return -1;
- 		record->payload_length = ntohl(*(u32 *)pos);
-+		if (record->payload_length > size - 6)
-+			return -1;
- 		pos += sizeof(u32);
- 	}
- 
-@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *d
- 	pos += record->payload_length;
- 
- 	record->total_length = pos - data;
--	if (record->total_length > size)
-+	if (record->total_length > size ||
-+	    record->total_length < record->payload_length)
- 		return -1;
- 	return 0;
- }
diff -upNr wpa-2.3/debian/patches/2015-6/backported-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch wpa-2.5/debian/patches/2015-6/backported-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch
--- wpa-2.3/debian/patches/2015-6/backported-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/patches/2015-6/backported-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,32 +0,0 @@
-From 6b12d93d2c7428a34bfd4b3813ba339ed57b698a Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j...@w1.fi>
-Date: Sun, 25 Oct 2015 15:45:50 +0200
-Subject: [PATCH] WNM: Ignore Key Data in WNM Sleep Mode Response frame if no
- PMF in use
-
-WNM Sleep Mode Response frame is used to update GTK/IGTK only if PMF is
-enabled. Verify that PMF is in use before using this field on station
-side to avoid accepting unauthenticated key updates. (CVE-2015-5310)
-
-Signed-off-by: Jouni Malinen <j...@w1.fi>
----
- wpa_supplicant/wnm_sta.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
-index 954de67..7d79499 100644
---- a/wpa_supplicant/wnm_sta.c
-+++ b/wpa_supplicant/wnm_sta.c
-@@ -187,6 +187,12 @@ static void wnm_sleep_mode_exit_success(struct wpa_supplicant *wpa_s,
- 	end = ptr + key_len_total;
- 	wpa_hexdump_key(MSG_DEBUG, "WNM: Key Data", ptr, key_len_total);
- 
-+	if (key_len_total && !wpa_sm_pmf_enabled(wpa_s->wpa)) {
-+		wpa_msg(wpa_s, MSG_INFO,
-+			"WNM: Ignore Key Data in WNM-Sleep Mode Response - PMF not enabled");
-+		return;
-+	}
-+
- 	while (ptr + 1 < end) {
- 		if (ptr + 2 + ptr[1] > end) {
- 			wpa_printf(MSG_DEBUG, "WNM: Invalid Key Data element "
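Review bot: Removing this patch needs a check that the 2.5 tarball really contains the fix. The upstream commit is dated Sun, 25 Oct 2015, one day after the 24 Oct 2015 trailer of the 2.5-0.1 changelog entry, and the file name marks it as backported. If wpa_supplicant/wnm_sta.c in wpa-2.5 has no "key_len_total && !wpa_sm_pmf_enabled(wpa_s->wpa)" test in wnm_sleep_mode_exit_success(), the patch has to be kept and refreshed rather than dropped, otherwise the unauthenticated key update described for CVE-2015-5310 is accepted again.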
diff -upNr wpa-2.3/debian/patches/2015-7/0001-EAP-pwd-peer-Fix-last-fragment-length-validation.patch wpa-2.5/debian/patches/2015-7/0001-EAP-pwd-peer-Fix-last-fragment-length-validation.patch
--- wpa-2.3/debian/patches/2015-7/0001-EAP-pwd-peer-Fix-last-fragment-length-validation.patch	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/patches/2015-7/0001-EAP-pwd-peer-Fix-last-fragment-length-validation.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,54 +0,0 @@
-From 8057821706784608b828e769ccefbced95591e50 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j...@w1.fi>
-Date: Sun, 1 Nov 2015 18:18:17 +0200
-Subject: [PATCH] EAP-pwd peer: Fix last fragment length validation
-
-All but the last fragment had their length checked against the remaining
-room in the reassembly buffer. This allowed a suitably constructed last
-fragment frame to try to add extra data that would go beyond the buffer.
-The length validation code in wpabuf_put_data() prevents an actual
-buffer write overflow from occurring, but this results in process
-termination. (CVE-2015-5315)
-
-Signed-off-by: Jouni Malinen <j...@w1.fi>
----
- src/eap_peer/eap_pwd.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
-index 1f78544..75ceef1 100644
---- a/src/eap_peer/eap_pwd.c
-+++ b/src/eap_peer/eap_pwd.c
-@@ -903,7 +903,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
- 	/*
- 	 * buffer and ACK the fragment
- 	 */
--	if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
-+	if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
- 		data->in_frag_pos += len;
- 		if (data->in_frag_pos > wpabuf_size(data->inbuf)) {
- 			wpa_printf(MSG_INFO, "EAP-pwd: Buffer overflow attack "
-@@ -916,7 +916,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
- 			return NULL;
- 		}
- 		wpabuf_put_data(data->inbuf, pos, len);
--
-+	}
-+	if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
- 		resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
- 				     EAP_PWD_HDR_SIZE,
- 				     EAP_CODE_RESPONSE, eap_get_id(reqData));
-@@ -930,10 +931,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
- 	 * we're buffering and this is the last fragment
- 	 */
- 	if (data->in_frag_pos) {
--		wpabuf_put_data(data->inbuf, pos, len);
- 		wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
- 			   (int) len);
--		data->in_frag_pos += len;
- 		pos = wpabuf_head_u8(data->inbuf);
- 		len = data->in_frag_pos;
- 	}
--- 
-1.9.1
-
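Review bot: Dropping the last-fragment fix is only safe if 2.5 already has it. The commit is dated 1 Nov 2015, after the 24 Oct 2015 trailer of the 2.5-0.1 changelog entry, and CVE-2015-5315 is not listed in that entry. Please confirm that eap_pwd_process() in wpa-2.5/src/eap_peer/eap_pwd.c tests "EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos" before the in_frag_pos bound check; without it the final fragment is appended unchecked and wpabuf_put_data() terminates the process, as the commit message describes. The server-side patch for CVE-2015-5314 removed in the next file needs the same verification.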
diff -upNr wpa-2.3/debian/patches/2015-7/0001-EAP-pwd-server-Fix-last-fragment-length-validation.patch wpa-2.5/debian/patches/2015-7/0001-EAP-pwd-server-Fix-last-fragment-length-validation.patch
--- wpa-2.3/debian/patches/2015-7/0001-EAP-pwd-server-Fix-last-fragment-length-validation.patch	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/patches/2015-7/0001-EAP-pwd-server-Fix-last-fragment-length-validation.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,51 +0,0 @@
-From bef802ece03f9ae9d52a21f0cf4f1bc2c5a1f8aa Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j...@w1.fi>
-Date: Sun, 1 Nov 2015 18:24:16 +0200
-Subject: [PATCH] EAP-pwd server: Fix last fragment length validation
-
-All but the last fragment had their length checked against the remaining
-room in the reassembly buffer. This allowed a suitably constructed last
-fragment frame to try to add extra data that would go beyond the buffer.
-The length validation code in wpabuf_put_data() prevents an actual
-buffer write overflow from occurring, but this results in process
-termination. (CVE-2015-5314)
-
-Signed-off-by: Jouni Malinen <j...@w1.fi>
----
- src/eap_server/eap_server_pwd.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
-index cb83ff7..9f787ab 100644
---- a/src/eap_server/eap_server_pwd.c
-+++ b/src/eap_server/eap_server_pwd.c
-@@ -970,7 +970,7 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
- 	/*
- 	 * the first and all intermediate fragments have the M bit set
- 	 */
--	if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
-+	if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
- 		if ((data->in_frag_pos + len) > wpabuf_size(data->inbuf)) {
- 			wpa_printf(MSG_DEBUG, "EAP-pwd: Buffer overflow "
- 				   "attack detected! (%d+%d > %d)",
-@@ -981,6 +981,8 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
- 		}
- 		wpabuf_put_data(data->inbuf, pos, len);
- 		data->in_frag_pos += len;
-+	}
-+	if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
- 		wpa_printf(MSG_DEBUG, "EAP-pwd: Got a %d byte fragment",
- 			   (int) len);
- 		return;
-@@ -990,8 +992,6 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
- 	 * buffering fragments so that's how we know it's the last)
- 	 */
- 	if (data->in_frag_pos) {
--		wpabuf_put_data(data->inbuf, pos, len);
--		data->in_frag_pos += len;
- 		pos = wpabuf_head_u8(data->inbuf);
- 		len = data->in_frag_pos;
- 		wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
--- 
-1.9.1
-
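Review bot: Deleting this file removes the only Debian-side fix for CVE-2015-5314, so the upload now depends on the 2.5 tarball already having the "|| data->in_frag_pos" condition in eap_pwd_process() of src/eap_server/eap_server_pwd.c. Please confirm that against the unpacked 2.5 source before dropping it (a dry run of this patch should report it as already applied), do the same for the peer-side patch in the same 2015-7 directory, and make sure the changelog entry names CVE-2015-5314 so the fixed version can be tracked.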
diff -upNr wpa-2.3/debian/patches/2015-8/0001-EAP-pwd-peer-Fix-error-path-for-unexpected-Confirm-m.patch wpa-2.5/debian/patches/2015-8/0001-EAP-pwd-peer-Fix-error-path-for-unexpected-Confirm-m.patch
--- wpa-2.3/debian/patches/2015-8/0001-EAP-pwd-peer-Fix-error-path-for-unexpected-Confirm-m.patch	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/patches/2015-8/0001-EAP-pwd-peer-Fix-error-path-for-unexpected-Confirm-m.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,34 +0,0 @@
-From 95577884ca4fa76be91344ff7a8d5d1e6dc3da61 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j...@w1.fi>
-Date: Sun, 1 Nov 2015 19:35:44 +0200
-Subject: [PATCH] EAP-pwd peer: Fix error path for unexpected Confirm message
-
-If the Confirm message is received from the server before the Identity
-exchange has been completed, the group has not yet been determined and
-data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange()
-did not take this corner case into account and could end up
-dereferencing a NULL pointer and terminating the process if invalid
-message sequence is received. (CVE-2015-5316)
-
-Signed-off-by: Jouni Malinen <j...@w1.fi>
----
- src/eap_peer/eap_pwd.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
-index 75ceef1..892b590 100644
---- a/src/eap_peer/eap_pwd.c
-+++ b/src/eap_peer/eap_pwd.c
-@@ -774,7 +774,8 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
- 	wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN);
- 
- fin:
--	bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
-+	if (data->grp)
-+		bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
- 	BN_clear_free(x);
- 	BN_clear_free(y);
- 	if (data->outbuf == NULL) {
--- 
-1.9.1
-
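Review bot: The guard "if (data->grp)" before bin_clear_free() in the fin: path of eap_pwd_perform_confirm_exchange() is the entire CVE-2015-5316 fix, so removing this patch is only safe if 2.5's src/eap_peer/eap_pwd.c has that check on the same error path. Please verify it in the 2.5 source and list CVE-2015-5316 in the changelog entry alongside the other CVEs this release closes.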
diff -upNr wpa-2.3/debian/patches/hostapd_fix-hostapd-operation-without-hw_mode-driver-data.patch wpa-2.5/debian/patches/hostapd_fix-hostapd-operation-without-hw_mode-driver-data.patch
--- wpa-2.3/debian/patches/hostapd_fix-hostapd-operation-without-hw_mode-driver-data.patch	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/patches/hostapd_fix-hostapd-operation-without-hw_mode-driver-data.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,27 +0,0 @@
-From e9b783d58c23a7bb50b2f25bce7157f1f3b5d58b Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j...@w1.fi>
-Date: Sun, 16 Nov 2014 23:08:04 +0000
-Subject: Fix hostapd operation without hw_mode driver data
-
-Commit 7f0303d5b0bb425f3e7318a7016b55ba9e67f9de ('hostapd: Verify VHT
-160/80+80 MHz driver support') added couple of hapd->iface->current_mode
-dereferences of which the one in hostapd_set_freq() can be hit with some
-configuration files when using driver wrappers that do not have hw_mode
-data, i.e., when current_mode is NULL. This could result in segmentation
-fault when trying to use driver=wired. Fix this by checking that
-current_mode is not NULL before dereferencing it to get vht_capab.
-
-Signed-off-by: Jouni Malinen <j...@w1.fi>
----
---- a/src/ap/ap_drv_ops.c
-+++ b/src/ap/ap_drv_ops.c
-@@ -573,7 +573,8 @@ int hostapd_set_freq(struct hostapd_data
- 				    vht_enabled, sec_channel_offset,
- 				    vht_oper_chwidth,
- 				    center_segment0, center_segment1,
--				    hapd->iface->current_mode->vht_capab))
-+				    hapd->iface->current_mode ?
-+				    hapd->iface->current_mode->vht_capab : 0))
- 		return -1;
- 
- 	if (hapd->driver == NULL)
diff -upNr wpa-2.3/debian/patches/include-ieee802_11_common.c-in-wpa_supplicant-build-.patch wpa-2.5/debian/patches/include-ieee802_11_common.c-in-wpa_supplicant-build-.patch
--- wpa-2.3/debian/patches/include-ieee802_11_common.c-in-wpa_supplicant-build-.patch	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/patches/include-ieee802_11_common.c-in-wpa_supplicant-build-.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,117 +0,0 @@
-From 2d4e9c2eb811978a4097b7d249eca3c7e9c510e5 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j...@w1.fi>
-Date: Sun, 12 Oct 2014 17:03:25 +0300
-Subject: [PATCH] Include ieee802_11_common.c in wpa_supplicant build
- unconditionally
-
-This is needed for number of items and it was possible to make a build
-configuration that did not include ieee802_11_common.c while still
-trying to use functions from there. While it would be possible to add
-NEED_80211_COMMON=y to all the cases where this file is needed, the
-extra complexity from this is not really justifiable anymore, so include
-the file unconditionally.
-
-Signed-off-by: Jouni Malinen <j...@w1.fi>
----
- wpa_supplicant/Android.mk | 7 -------
- wpa_supplicant/Makefile   | 7 -------
- 2 files changed, 14 deletions(-)
-
---- a/wpa_supplicant/Android.mk
-+++ b/wpa_supplicant/Android.mk
-@@ -193,7 +193,6 @@ endif
- ifdef CONFIG_IEEE80211R
- L_CFLAGS += -DCONFIG_IEEE80211R
- OBJS += src/rsn_supp/wpa_ft.c
--NEED_80211_COMMON=y
- NEED_SHA256=y
- NEED_AES_OMAC1=y
- endif
-@@ -263,7 +262,6 @@ OBJS += src/utils/bitfield.c
- L_CFLAGS += -DCONFIG_P2P
- NEED_GAS=y
- NEED_OFFCHANNEL=y
--NEED_80211_COMMON=y
- CONFIG_WPS=y
- CONFIG_AP=y
- ifdef CONFIG_P2P_STRICT
-@@ -635,7 +633,6 @@ CONFIG_IEEE8021X_EAPOL=y
- NEED_DH_GROUPS=y
- NEED_SHA256=y
- NEED_BASE64=y
--NEED_80211_COMMON=y
- NEED_AES_CBC=y
- NEED_MODEXP=y
- 
-@@ -744,7 +741,6 @@ endif
- endif
- 
- ifdef CONFIG_AP
--NEED_80211_COMMON=y
- NEED_EAP_COMMON=y
- NEED_RSN_AUTHENTICATOR=y
- L_CFLAGS += -DCONFIG_AP
-@@ -1368,14 +1364,11 @@ OBJS += src/utils/base64.c
- endif
- 
- ifdef NEED_SME
--NEED_80211_COMMON=y
- OBJS += sme.c
- L_CFLAGS += -DCONFIG_SME
- endif
- 
--ifdef NEED_80211_COMMON
- OBJS += src/common/ieee802_11_common.c
--endif
- 
- ifdef NEED_EAP_COMMON
- OBJS += src/eap_common/eap_common.c
---- a/wpa_supplicant/Makefile
-+++ b/wpa_supplicant/Makefile
-@@ -194,7 +194,6 @@ endif
- ifdef CONFIG_IEEE80211R
- CFLAGS += -DCONFIG_IEEE80211R
- OBJS += ../src/rsn_supp/wpa_ft.o
--NEED_80211_COMMON=y
- NEED_SHA256=y
- NEED_AES_OMAC1=y
- endif
-@@ -264,7 +263,6 @@ OBJS += ../src/utils/bitfield.o
- CFLAGS += -DCONFIG_P2P
- NEED_GAS=y
- NEED_OFFCHANNEL=y
--NEED_80211_COMMON=y
- CONFIG_WPS=y
- CONFIG_AP=y
- ifdef CONFIG_P2P_STRICT
-@@ -635,7 +633,6 @@ CONFIG_IEEE8021X_EAPOL=y
- NEED_DH_GROUPS=y
- NEED_SHA256=y
- NEED_BASE64=y
--NEED_80211_COMMON=y
- NEED_AES_CBC=y
- NEED_MODEXP=y
- 
-@@ -757,7 +754,6 @@ OBJS += ../src/pae/ieee802_1x_secy_ops.o
- endif
- 
- ifdef CONFIG_AP
--NEED_80211_COMMON=y
- NEED_EAP_COMMON=y
- NEED_RSN_AUTHENTICATOR=y
- CFLAGS += -DCONFIG_AP
-@@ -1386,14 +1382,11 @@ OBJS += ../src/utils/base64.o
- endif
- 
- ifdef NEED_SME
--NEED_80211_COMMON=y
- OBJS += sme.o
- CFLAGS += -DCONFIG_SME
- endif
- 
--ifdef NEED_80211_COMMON
- OBJS += ../src/common/ieee802_11_common.o
--endif
- 
- ifdef NEED_EAP_COMMON
- OBJS += ../src/eap_common/eap_common.o
diff -upNr wpa-2.3/debian/patches/networkd-driver-fallback.patch wpa-2.5/debian/patches/networkd-driver-fallback.patch
--- wpa-2.3/debian/patches/networkd-driver-fallback.patch	1970-01-01 01:00:00.000000000 +0100
+++ wpa-2.5/debian/patches/networkd-driver-fallback.patch	2015-10-24 16:14:41.000000000 +0200
@@ -0,0 +1,15 @@
+wpasupplicant: configure driver fallback for networkd
+
+Signed-off-by: Stefan Lippers-Hollmann <s....@gmx.de>
+
+--- a/wpa_supplicant/systemd/wpa_supplicant.service.arg.in
++++ b/wpa_supplicant/systemd/wpa_supplicant.service.arg.in
+@@ -9,7 +9,7 @@ After=sys-subsystem-net-devices-%i.devic
+ 
+ [Service]
+ Type=simple
+-ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-%I.conf -i%I
++ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-%I.conf -Dnl80211,wext -i%I
+ 
+ [Install]
+ Alias=multi-user.target.wants/wpa_supplicant@%i.service
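Review bot: The header of networkd-driver-fallback.patch is only a subject line and a Signed-off-by; it does not say why "-Dnl80211,wext" is needed on the ExecStart line or whether the change has been sent upstream. Please add a short description of the failure this works around and a Forwarded or Bug-Debian field. The patch also touches only wpa_supplicant.service.arg.in, so state in the description whether leaving the other unit files without the driver fallback is intended.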
diff -upNr wpa-2.3/debian/patches/series wpa-2.5/debian/patches/series
--- wpa-2.3/debian/patches/series	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/patches/series	2015-10-24 16:14:41.000000000 +0200
@@ -4,24 +4,4 @@
 07_dbus_service_syslog.patch
 12_wpa_gui_knotify_support.patch
 wpa_gui_desktop_add-keywords-entry.patch
-wpa_supplicant-MACsec-fix-build-failure-for-IEEE8021.patch
-include-ieee802_11_common.c-in-wpa_supplicant-build-.patch
-hostapd_fix-hostapd-operation-without-hw_mode-driver-data.patch
-wpasupplicant_fix-systemd-unit-dependencies.patch
-wpasupplicant_P2P-Validate-SSID-element-length-before-copying-it-C.patch
-wpasupplicant_band_selection_f0d0a5d2.patch
-wpasupplicant_band_selection_a1b790eb.patch
-wpasupplicant_band_selection_8b2b718d.patch
-wpasupplicant_band_selection_aa517ae2.patch
-2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
-2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
-2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
-2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
-2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
-2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
-2015-4/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch
-2015-5/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
-2015-6/backported-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch
-2015-7/0001-EAP-pwd-server-Fix-last-fragment-length-validation.patch
-2015-7/0001-EAP-pwd-peer-Fix-last-fragment-length-validation.patch
-2015-8/0001-EAP-pwd-peer-Fix-error-path-for-unexpected-Confirm-m.patch
+networkd-driver-fallback.patch
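Review bot: The replacement series file is dated 2015-10-24, older than the 2015-11-12 file it replaces, while the removed block includes the 2015-7/ and 2015-8/ security patches whose upstream commits are dated 1 Nov 2015. That suggests the 2.5 debian/ directory was prepared from a different base than the current 2.3 packaging, so please check that nothing added to the 2.3 packaging after 2015-10-24 was lost. For each of the 21 dropped entries, confirm that the fix is present in the 2.5 source and that this diff also deletes the matching file under debian/patches, in particular wpasupplicant_P2P-Validate-SSID-element-length-before-copying-it-C.patch and the backported 2015-6/ WNM patch.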
diff -upNr wpa-2.3/debian/patches/wpasupplicant_band_selection_8b2b718d.patch wpa-2.5/debian/patches/wpasupplicant_band_selection_8b2b718d.patch
--- wpa-2.3/debian/patches/wpasupplicant_band_selection_8b2b718d.patch	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/patches/wpasupplicant_band_selection_8b2b718d.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,25 +0,0 @@
-commit 8b2b718da9884d66684befe99d1fbdd9abe5fb5e
-Author: Jouni Malinen <j...@w1.fi>
-Date:   Sat Feb 28 16:35:07 2015 +0200
-
-    Fix minor issue in HT40 max rate determination
-    
-    Commit a1b790eb9d7514d1a6e0582a07f695a1564caa59 ('Select AP based on
-    estimated maximum throughput') had a copy-paste bug than ended up
-    leaving one of the max_ht40_rate() cases unreachable. (CID 106087)
-    
-    Signed-off-by: Jouni Malinen <j...@w1.fi>
-
-Index: wpa-2.3/wpa_supplicant/scan.c
-===================================================================
---- wpa-2.3.orig/wpa_supplicant/scan.c
-+++ wpa-2.3/wpa_supplicant/scan.c
-@@ -1810,7 +1810,7 @@ static unsigned int max_ht40_rate(int sn
- 		return 81000; /* HT40 MCS4 */
- 	if (snr < 22)
- 		return 108000; /* HT40 MCS5 */
--	if (snr < 22)
-+	if (snr < 24)
- 		return 121500; /* HT40 MCS6 */
- 	return 135000; /* HT40 MCS7 */
- }
diff -upNr wpa-2.3/debian/patches/wpasupplicant_band_selection_a1b790eb.patch wpa-2.5/debian/patches/wpasupplicant_band_selection_a1b790eb.patch
--- wpa-2.3/debian/patches/wpasupplicant_band_selection_a1b790eb.patch	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/patches/wpasupplicant_band_selection_a1b790eb.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,369 +0,0 @@
-commit a1b790eb9d7514d1a6e0582a07f695a1564caa59
-Author: Jouni Malinen <j...@w1.fi>
-Date:   Sat Feb 21 22:53:42 2015 +0200
-
-    Select AP based on estimated maximum throughput
-    
-    This modifies the BSS selection routines to calculate SNR and estimated
-    throughput for each scan result and then use the estimated throughput as
-    a criteria for sorting the results. This extends the earlier design by
-    taking into account higher throughput rates if both the AP and local
-    device supports HT20, HT40, or VHT80. In addition, the maximum rate is
-    restricted based on SNR.
-    
-    In practice, this gives significantly higher probability of selecting
-    HT/VHT APs when there are multiple BSSes in the same ESS and SNR is not
-    low enough to prevent higher MCS use.
-    
-    Signed-off-by: Jouni Malinen <j...@w1.fi>
-
-Index: wpa-2.3/src/drivers/driver.h
-===================================================================
---- wpa-2.3.orig/src/drivers/driver.h
-+++ wpa-2.3/src/drivers/driver.h
-@@ -202,6 +202,9 @@ struct hostapd_hw_modes {
-  * @tsf: Timestamp
-  * @age: Age of the information in milliseconds (i.e., how many milliseconds
-  * ago the last Beacon or Probe Response frame was received)
-+ * @est_throughput: Estimated throughput in kbps (this is calculated during
-+ * scan result processing if left zero by the driver wrapper)
-+ * @snr: Signal-to-noise ratio in dB (calculated during scan result processing)
-  * @ie_len: length of the following IE field in octets
-  * @beacon_ie_len: length of the following Beacon IE field in octets
-  *
-@@ -225,6 +228,8 @@ struct wpa_scan_res {
- 	int level;
- 	u64 tsf;
- 	unsigned int age;
-+	unsigned int est_throughput;
-+	int snr;
- 	size_t ie_len;
- 	size_t beacon_ie_len;
- 	/*
-Index: wpa-2.3/wpa_supplicant/scan.c
-===================================================================
---- wpa-2.3.orig/wpa_supplicant/scan.c
-+++ wpa-2.3/wpa_supplicant/scan.c
-@@ -1554,8 +1554,8 @@ static int wpa_scan_result_compar(const
- 	struct wpa_scan_res **_wb = (void *) b;
- 	struct wpa_scan_res *wa = *_wa;
- 	struct wpa_scan_res *wb = *_wb;
--	int wpa_a, wpa_b, maxrate_a, maxrate_b;
--	int snr_a, snr_b;
-+	int wpa_a, wpa_b;
-+	int snr_a, snr_b, snr_a_full, snr_b_full;
- 
- 	/* WPA/WPA2 support preferred */
- 	wpa_a = wpa_scan_get_vendor_ie(wa, WPA_IE_VENDOR_TYPE) != NULL ||
-@@ -1577,22 +1577,22 @@ static int wpa_scan_result_compar(const
- 		return -1;
- 
- 	if (wa->flags & wb->flags & WPA_SCAN_LEVEL_DBM) {
--		snr_a = MIN(wa->level - wa->noise, GREAT_SNR);
--		snr_b = MIN(wb->level - wb->noise, GREAT_SNR);
-+		snr_a_full = wa->snr;
-+		snr_a = MIN(wa->snr, GREAT_SNR);
-+		snr_b_full = wb->snr;
-+		snr_b = MIN(wa->snr, GREAT_SNR);
- 	} else {
- 		/* Level is not in dBm, so we can't calculate
- 		 * SNR. Just use raw level (units unknown). */
--		snr_a = wa->level;
--		snr_b = wb->level;
-+		snr_a = snr_a_full = wa->level;
-+		snr_b = snr_b_full = wb->level;
- 	}
- 
- 	/* if SNR is close, decide by max rate or frequency band */
- 	if ((snr_a && snr_b && abs(snr_b - snr_a) < 5) ||
- 	    (wa->qual && wb->qual && abs(wb->qual - wa->qual) < 10)) {
--		maxrate_a = wpa_scan_get_max_rate(wa);
--		maxrate_b = wpa_scan_get_max_rate(wb);
--		if (maxrate_a != maxrate_b)
--			return maxrate_b - maxrate_a;
-+		if (wa->est_throughput != wb->est_throughput)
-+			return wb->est_throughput - wa->est_throughput;
- 		if (IS_5GHZ(wa->freq) ^ IS_5GHZ(wb->freq))
- 			return IS_5GHZ(wa->freq) ? -1 : 1;
- 	}
-@@ -1600,9 +1600,9 @@ static int wpa_scan_result_compar(const
- 	/* all things being equal, use SNR; if SNRs are
- 	 * identical, use quality values since some drivers may only report
- 	 * that value and leave the signal level zero */
--	if (snr_b == snr_a)
-+	if (snr_b_full == snr_a_full)
- 		return wb->qual - wa->qual;
--	return snr_b - snr_a;
-+	return snr_b_full - snr_a_full;
- #undef MIN
- }
- 
-@@ -1669,20 +1669,21 @@ static void dump_scan_res(struct wpa_sca
- 		struct wpa_scan_res *r = scan_res->res[i];
- 		u8 *pos;
- 		if (r->flags & WPA_SCAN_LEVEL_DBM) {
--			int snr = r->level - r->noise;
- 			int noise_valid = !(r->flags & WPA_SCAN_NOISE_INVALID);
- 
- 			wpa_printf(MSG_EXCESSIVE, MACSTR " freq=%d qual=%d "
--				   "noise=%d%s level=%d snr=%d%s flags=0x%x age=%u",
-+				   "noise=%d%s level=%d snr=%d%s flags=0x%x age=%u est=%u",
- 				   MAC2STR(r->bssid), r->freq, r->qual,
- 				   r->noise, noise_valid ? "" : "~", r->level,
--				   snr, snr >= GREAT_SNR ? "*" : "", r->flags,
--				   r->age);
-+				   r->snr, r->snr >= GREAT_SNR ? "*" : "",
-+				   r->flags,
-+				   r->age, r->est_throughput);
- 		} else {
- 			wpa_printf(MSG_EXCESSIVE, MACSTR " freq=%d qual=%d "
--				   "noise=%d level=%d flags=0x%x age=%u",
-+				   "noise=%d level=%d flags=0x%x age=%u est=%u",
- 				   MAC2STR(r->bssid), r->freq, r->qual,
--				   r->noise, r->level, r->flags, r->age);
-+				   r->noise, r->level, r->flags, r->age,
-+				   r->est_throughput);
- 		}
- 		pos = (u8 *) (r + 1);
- 		if (r->ie_len)
-@@ -1757,6 +1758,180 @@ static void filter_scan_res(struct wpa_s
- #define DEFAULT_NOISE_FLOOR_2GHZ (-89)
- #define DEFAULT_NOISE_FLOOR_5GHZ (-92)
- 
-+static void scan_snr(struct wpa_scan_res *res)
-+{
-+	if (res->flags & WPA_SCAN_NOISE_INVALID) {
-+		res->noise = IS_5GHZ(res->freq) ?
-+			DEFAULT_NOISE_FLOOR_5GHZ :
-+			DEFAULT_NOISE_FLOOR_2GHZ;
-+	}
-+
-+	if (res->flags & WPA_SCAN_LEVEL_DBM) {
-+		res->snr = res->level - res->noise;
-+	} else {
-+		/* Level is not in dBm, so we can't calculate
-+		 * SNR. Just use raw level (units unknown). */
-+		res->snr = res->level;
-+	}
-+}
-+
-+
-+static unsigned int max_ht20_rate(int snr)
-+{
-+	if (snr < 6)
-+		return 6500; /* HT20 MCS0 */
-+	if (snr < 8)
-+		return 13000; /* HT20 MCS1 */
-+	if (snr < 13)
-+		return 19500; /* HT20 MCS2 */
-+	if (snr < 17)
-+		return 26000; /* HT20 MCS3 */
-+	if (snr < 20)
-+		return 39000; /* HT20 MCS4 */
-+	if (snr < 23)
-+		return 52000; /* HT20 MCS5 */
-+	if (snr < 24)
-+		return 58500; /* HT20 MCS6 */
-+	return 65000; /* HT20 MCS7 */
-+}
-+
-+
-+static unsigned int max_ht40_rate(int snr)
-+{
-+	if (snr < 3)
-+		return 13500; /* HT40 MCS0 */
-+	if (snr < 6)
-+		return 27000; /* HT40 MCS1 */
-+	if (snr < 10)
-+		return 40500; /* HT40 MCS2 */
-+	if (snr < 15)
-+		return 54000; /* HT40 MCS3 */
-+	if (snr < 17)
-+		return 81000; /* HT40 MCS4 */
-+	if (snr < 22)
-+		return 108000; /* HT40 MCS5 */
-+	if (snr < 22)
-+		return 121500; /* HT40 MCS6 */
-+	return 135000; /* HT40 MCS7 */
-+}
-+
-+
-+static unsigned int max_vht80_rate(int snr)
-+{
-+	if (snr < 1)
-+		return 0;
-+	if (snr < 2)
-+		return 29300; /* VHT80 MCS0 */
-+	if (snr < 5)
-+		return 58500; /* VHT80 MCS1 */
-+	if (snr < 9)
-+		return 87800; /* VHT80 MCS2 */
-+	if (snr < 11)
-+		return 117000; /* VHT80 MCS3 */
-+	if (snr < 15)
-+		return 175500; /* VHT80 MCS4 */
-+	if (snr < 16)
-+		return 234000; /* VHT80 MCS5 */
-+	if (snr < 18)
-+		return 263300; /* VHT80 MCS6 */
-+	if (snr < 20)
-+		return 292500; /* VHT80 MCS7 */
-+	if (snr < 22)
-+		return 351000; /* VHT80 MCS8 */
-+	return 390000; /* VHT80 MCS9 */
-+}
-+
-+
-+static void scan_est_throughput(struct wpa_supplicant *wpa_s,
-+				struct wpa_scan_res *res)
-+{
-+	enum local_hw_capab capab = wpa_s->hw_capab;
-+	int rate; /* max legacy rate in 500 kb/s units */
-+	const u8 *ie;
-+	unsigned int est, tmp;
-+	int snr = res->snr;
-+
-+	if (res->est_throughput)
-+		return;
-+
-+	/* Get maximum legacy rate */
-+	rate = wpa_scan_get_max_rate(res);
-+
-+	/* Limit based on estimated SNR */
-+	if (rate > 1 * 2 && snr < 1)
-+		rate = 1 * 2;
-+	else if (rate > 2 * 2 && snr < 4)
-+		rate = 2 * 2;
-+	else if (rate > 6 * 2 && snr < 5)
-+		rate = 6 * 2;
-+	else if (rate > 9 * 2 && snr < 6)
-+		rate = 9 * 2;
-+	else if (rate > 12 * 2 && snr < 7)
-+		rate = 12 * 2;
-+	else if (rate > 18 * 2 && snr < 10)
-+		rate = 18 * 2;
-+	else if (rate > 24 * 2 && snr < 11)
-+		rate = 24 * 2;
-+	else if (rate > 36 * 2 && snr < 15)
-+		rate = 36 * 2;
-+	else if (rate > 48 * 2 && snr < 19)
-+		rate = 48 * 2;
-+	else if (rate > 54 * 2 && snr < 21)
-+		rate = 54 * 2;
-+	est = rate * 500;
-+
-+	if (capab == CAPAB_HT || capab == CAPAB_HT40 || capab == CAPAB_VHT) {
-+		ie = wpa_scan_get_ie(res, WLAN_EID_HT_CAP);
-+		if (ie) {
-+			tmp = max_ht20_rate(snr);
-+			if (tmp > est)
-+				est = tmp;
-+		}
-+	}
-+
-+	if (capab == CAPAB_HT40 || capab == CAPAB_VHT) {
-+		ie = wpa_scan_get_ie(res, WLAN_EID_HT_OPERATION);
-+		if (ie && ie[1] >= 2 &&
-+		    (ie[3] & HT_INFO_HT_PARAM_SECONDARY_CHNL_OFF_MASK)) {
-+			tmp = max_ht40_rate(snr);
-+			if (tmp > est)
-+				est = tmp;
-+		}
-+	}
-+
-+	if (capab == CAPAB_VHT) {
-+		/* Use +1 to assume VHT is always faster than HT */
-+		ie = wpa_scan_get_ie(res, WLAN_EID_VHT_CAP);
-+		if (ie) {
-+			tmp = max_ht20_rate(snr) + 1;
-+			if (tmp > est)
-+				est = tmp;
-+
-+			ie = wpa_scan_get_ie(res, WLAN_EID_HT_OPERATION);
-+			if (ie && ie[1] >= 2 &&
-+			    (ie[3] &
-+			     HT_INFO_HT_PARAM_SECONDARY_CHNL_OFF_MASK)) {
-+				tmp = max_ht40_rate(snr) + 1;
-+				if (tmp > est)
-+					est = tmp;
-+			}
-+
-+			ie = wpa_scan_get_ie(res, WLAN_EID_VHT_OPERATION);
-+			if (ie && ie[1] >= 1 &&
-+			    (ie[2] & VHT_OPMODE_CHANNEL_WIDTH_MASK)) {
-+				tmp = max_vht80_rate(snr) + 1;
-+				if (tmp > est)
-+					est = tmp;
-+			}
-+		}
-+	}
-+
-+	/* TODO: channel utilization and AP load (e.g., from AP Beacon) */
-+
-+	res->est_throughput = est;
-+}
-+
-+
- /**
-  * wpa_supplicant_get_scan_results - Get scan results
-  * @wpa_s: Pointer to wpa_supplicant data
-@@ -1793,12 +1968,8 @@ wpa_supplicant_get_scan_results(struct w
- 	for (i = 0; i < scan_res->num; i++) {
- 		struct wpa_scan_res *scan_res_item = scan_res->res[i];
- 
--		if (scan_res_item->flags & WPA_SCAN_NOISE_INVALID) {
--			scan_res_item->noise =
--				IS_5GHZ(scan_res_item->freq) ?
--				DEFAULT_NOISE_FLOOR_5GHZ :
--				DEFAULT_NOISE_FLOOR_2GHZ;
--		}
-+		scan_snr(scan_res_item);
-+		scan_est_throughput(wpa_s, scan_res_item);
- 	}
- 
- #ifdef CONFIG_WPS
-Index: wpa-2.3/wpa_supplicant/wpa_supplicant.c
-===================================================================
---- wpa-2.3.orig/wpa_supplicant/wpa_supplicant.c
-+++ wpa-2.3/wpa_supplicant/wpa_supplicant.c
-@@ -3759,6 +3759,23 @@ static int wpa_supplicant_init_iface(str
- 	wpa_s->hw.modes = wpa_drv_get_hw_feature_data(wpa_s,
- 						      &wpa_s->hw.num_modes,
- 						      &wpa_s->hw.flags);
-+	if (wpa_s->hw.modes) {
-+		u16 i;
-+
-+		for (i = 0; i < wpa_s->hw.num_modes; i++) {
-+			if (wpa_s->hw.modes[i].vht_capab) {
-+				wpa_s->hw_capab = CAPAB_VHT;
-+				break;
-+			}
-+
-+			if (wpa_s->hw.modes[i].ht_capab &
-+			    HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET)
-+				wpa_s->hw_capab = CAPAB_HT40;
-+			else if (wpa_s->hw.modes[i].ht_capab &&
-+				 wpa_s->hw_capab == CAPAB_NO_HT_VHT)
-+				wpa_s->hw_capab = CAPAB_HT;
-+		}
-+	}
- 
- 	if (wpa_drv_get_capa(wpa_s, &capa) == 0) {
- 		wpa_s->drv_capa_known = 1;
-Index: wpa-2.3/wpa_supplicant/wpa_supplicant_i.h
-===================================================================
---- wpa-2.3.orig/wpa_supplicant/wpa_supplicant_i.h
-+++ wpa-2.3/wpa_supplicant/wpa_supplicant_i.h
-@@ -825,6 +825,12 @@ struct wpa_supplicant {
- 		u16 num_modes;
- 		u16 flags;
- 	} hw;
-+	enum local_hw_capab {
-+		CAPAB_NO_HT_VHT,
-+		CAPAB_HT,
-+		CAPAB_HT40,
-+		CAPAB_VHT,
-+	} hw_capab;
- #ifdef CONFIG_MACSEC
- 	struct ieee802_1x_kay *kay;
- #endif /* CONFIG_MACSEC */
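Review bot: This patch is only correct together with its two follow-ups: the line "snr_b = MIN(wa->snr, GREAT_SNR);" in wpa_scan_result_compar() and the duplicated "if (snr < 22)" in max_ht40_rate() are the bugs that wpasupplicant_band_selection_aa517ae2.patch and wpasupplicant_band_selection_8b2b718d.patch correct. Dropping all three in the same upload is the right call; please check that wpa_supplicant/scan.c in 2.5 reads "MIN(wb->snr, GREAT_SNR)" and "snr < 24" so that neither follow-up fix is lost with the removal.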
diff -upNr wpa-2.3/debian/patches/wpasupplicant_band_selection_aa517ae2.patch wpa-2.5/debian/patches/wpasupplicant_band_selection_aa517ae2.patch
--- wpa-2.3/debian/patches/wpasupplicant_band_selection_aa517ae2.patch	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/patches/wpasupplicant_band_selection_aa517ae2.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,26 +0,0 @@
-commit aa517ae22784aff08d3d9e38ad101b4b5c9828fb
-Author: Hahn, Maital <mait...@ti.com>
-Date:   Wed Jul 8 13:13:11 2015 +0000
-
-    wpa_supplicant: Fix a typo in wpa_scan_result_compar()
-    
-    A typo in wpa_scan_result_compar() caused wrong scan results sorting
-    (and wrong roaming decision). This fixes a copy-paste regression
-    introduced by commit a1b790eb9d7514d1a6e0582a07f695a1564caa59 ('Select
-    AP based on estimated maximum throughput').
-    
-    Signed-off-by: Maital Hahn <mait...@ti.com>
-
-Index: wpa-2.3/wpa_supplicant/scan.c
-===================================================================
---- wpa-2.3.orig/wpa_supplicant/scan.c
-+++ wpa-2.3/wpa_supplicant/scan.c
-@@ -1580,7 +1580,7 @@ static int wpa_scan_result_compar(const
- 		snr_a_full = wa->snr;
- 		snr_a = MIN(wa->snr, GREAT_SNR);
- 		snr_b_full = wb->snr;
--		snr_b = MIN(wa->snr, GREAT_SNR);
-+		snr_b = MIN(wb->snr, GREAT_SNR);
- 	} else {
- 		/* Level is not in dBm, so we can't calculate
- 		 * SNR. Just use raw level (units unknown). */
diff -upNr wpa-2.3/debian/patches/wpasupplicant_band_selection_f0d0a5d2.patch wpa-2.5/debian/patches/wpasupplicant_band_selection_f0d0a5d2.patch
--- wpa-2.3/debian/patches/wpasupplicant_band_selection_f0d0a5d2.patch	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/patches/wpasupplicant_band_selection_f0d0a5d2.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,158 +0,0 @@
-commit f0d0a5d23bd406a60358add9fa101b49dc9f9039
-Author: Mukesh Agrawal <qui...@chromium.org>
-Date:   Tue Apr 8 17:54:49 2014 -0700
-
-    Improve BSS selection with default noise floor values
-    
-    When noise floor measurements are not available, compute SNR
-    using default values for the noise floor. This helps steer us
-    towards 5 GHz BSSes in high signal strength environments.
-    
-    In more detail...
-    
-    Existing code prefers a 5 GHz BSS when the 5 GHz BSS's signal
-    strength is "close" to that of the 2.4 GHz BSS, or when both SNRs
-    are large. However, the mwifiex driver does not provide noise
-    floor measurements, so we can't compute SNRs.
-    
-    Because mwifiex doesn't provide NF measurements, the "large SNR"
-    code wasn't effective. By using default values for the noise floor,
-    we can again compute SNRs, and decide that the SNR is high enough
-    that we shouldn't worry about the exact difference in SNR.
-    
-    The default noise floor values (one for 2.4 GHz, and one for 5 GHz)
-    were chosen by measurement in a noisy environment, so they should be
-    conservative.
-    
-    Note that while this patch is motivated by mwifiex, it affects
-    ath9k as well. Although ath9k provides noise floor measurements
-    in general, it will sometimes fail to provide a measurement for
-    one or more specific channels.
-    
-    As a result of this patch, we'll always compare BSSes based on SNR
-    (either measured or estimated), rather than sometimes comparing
-    based on signal strength. ("Always" assumes that the
-    WPA_SCAN_LEVEL_DBM flag is set. It is for mwifiex and ath9k.)
-    
-    While there:
-    - fix a whitespace issue (spaces -> tab)
-    - clean up existing comments
-    - update dump_scan_res to indicate whether the noise floor is
-      measured, or default
-    
-    Signed-hostap: mukesh agrawal <qui...@chromium.org>
-
-Index: wpa-2.3/wpa_supplicant/scan.c
-===================================================================
---- wpa-2.3.orig/wpa_supplicant/scan.c
-+++ wpa-2.3/wpa_supplicant/scan.c
-@@ -1543,11 +1543,12 @@ struct wpabuf * wpa_scan_get_vendor_ie_m
-  */
- #define GREAT_SNR 30
- 
-+#define IS_5GHZ(n) (n > 4000)
-+
- /* Compare function for sorting scan results. Return >0 if @b is considered
-  * better. */
- static int wpa_scan_result_compar(const void *a, const void *b)
- {
--#define IS_5GHZ(n) (n > 4000)
- #define MIN(a,b) a < b ? a : b
- 	struct wpa_scan_res **_wa = (void *) a;
- 	struct wpa_scan_res **_wb = (void *) b;
-@@ -1575,18 +1576,18 @@ static int wpa_scan_result_compar(const
- 	    (wb->caps & IEEE80211_CAP_PRIVACY) == 0)
- 		return -1;
- 
--	if ((wa->flags & wb->flags & WPA_SCAN_LEVEL_DBM) &&
--	    !((wa->flags | wb->flags) & WPA_SCAN_NOISE_INVALID)) {
-+	if (wa->flags & wb->flags & WPA_SCAN_LEVEL_DBM) {
- 		snr_a = MIN(wa->level - wa->noise, GREAT_SNR);
- 		snr_b = MIN(wb->level - wb->noise, GREAT_SNR);
- 	} else {
--		/* Not suitable information to calculate SNR, so use level */
-+		/* Level is not in dBm, so we can't calculate
-+		 * SNR. Just use raw level (units unknown). */
- 		snr_a = wa->level;
- 		snr_b = wb->level;
- 	}
- 
--	/* best/max rate preferred if SNR close enough */
--        if ((snr_a && snr_b && abs(snr_b - snr_a) < 5) ||
-+	/* if SNR is close, decide by max rate or frequency band */
-+	if ((snr_a && snr_b && abs(snr_b - snr_a) < 5) ||
- 	    (wa->qual && wb->qual && abs(wb->qual - wa->qual) < 10)) {
- 		maxrate_a = wpa_scan_get_max_rate(wa);
- 		maxrate_b = wpa_scan_get_max_rate(wb);
-@@ -1596,8 +1597,6 @@ static int wpa_scan_result_compar(const
- 			return IS_5GHZ(wa->freq) ? -1 : 1;
- 	}
- 
--	/* use freq for channel preference */
--
- 	/* all things being equal, use SNR; if SNRs are
- 	 * identical, use quality values since some drivers may only report
- 	 * that value and leave the signal level zero */
-@@ -1605,7 +1604,6 @@ static int wpa_scan_result_compar(const
- 		return wb->qual - wa->qual;
- 	return snr_b - snr_a;
- #undef MIN
--#undef IS_5GHZ
- }
- 
- 
-@@ -1670,15 +1668,15 @@ static void dump_scan_res(struct wpa_sca
- 	for (i = 0; i < scan_res->num; i++) {
- 		struct wpa_scan_res *r = scan_res->res[i];
- 		u8 *pos;
--		if ((r->flags & (WPA_SCAN_LEVEL_DBM | WPA_SCAN_NOISE_INVALID))
--		    == WPA_SCAN_LEVEL_DBM) {
-+		if (r->flags & WPA_SCAN_LEVEL_DBM) {
- 			int snr = r->level - r->noise;
-+			int noise_valid = !(r->flags & WPA_SCAN_NOISE_INVALID);
-+
- 			wpa_printf(MSG_EXCESSIVE, MACSTR " freq=%d qual=%d "
--				   "noise=%d level=%d snr=%d%s flags=0x%x "
--				   "age=%u",
-+				   "noise=%d%s level=%d snr=%d%s flags=0x%x age=%u",
- 				   MAC2STR(r->bssid), r->freq, r->qual,
--				   r->noise, r->level, snr,
--				   snr >= GREAT_SNR ? "*" : "", r->flags,
-+				   r->noise, noise_valid ? "" : "~", r->level,
-+				   snr, snr >= GREAT_SNR ? "*" : "", r->flags,
- 				   r->age);
- 		} else {
- 			wpa_printf(MSG_EXCESSIVE, MACSTR " freq=%d qual=%d "
-@@ -1751,6 +1749,14 @@ static void filter_scan_res(struct wpa_s
- }
- 
- 
-+/*
-+ * Noise floor values to use when we have signal strength
-+ * measurements, but no noise floor measurments. These values were
-+ * measured in an office environment with many APs.
-+ */
-+#define DEFAULT_NOISE_FLOOR_2GHZ (-89)
-+#define DEFAULT_NOISE_FLOOR_5GHZ (-92)
-+
- /**
-  * wpa_supplicant_get_scan_results - Get scan results
-  * @wpa_s: Pointer to wpa_supplicant data
-@@ -1784,6 +1790,17 @@ wpa_supplicant_get_scan_results(struct w
- 	}
- 	filter_scan_res(wpa_s, scan_res);
- 
-+	for (i = 0; i < scan_res->num; i++) {
-+		struct wpa_scan_res *scan_res_item = scan_res->res[i];
-+
-+		if (scan_res_item->flags & WPA_SCAN_NOISE_INVALID) {
-+			scan_res_item->noise =
-+				IS_5GHZ(scan_res_item->freq) ?
-+				DEFAULT_NOISE_FLOOR_5GHZ :
-+				DEFAULT_NOISE_FLOOR_2GHZ;
-+		}
-+	}
-+
- #ifdef CONFIG_WPS
- 	if (wpas_wps_searching(wpa_s)) {
- 		wpa_dbg(wpa_s, MSG_DEBUG, "WPS: Order scan results with WPS "
diff -upNr wpa-2.3/debian/patches/wpasupplicant_fix-systemd-unit-dependencies.patch wpa-2.5/debian/patches/wpasupplicant_fix-systemd-unit-dependencies.patch
--- wpa-2.3/debian/patches/wpasupplicant_fix-systemd-unit-dependencies.patch	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/patches/wpasupplicant_fix-systemd-unit-dependencies.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,20 +0,0 @@
-wpasupplicant: fix systemd unit dependencies
-
-wpasupplicant needs to be started before the network target
-(Closes: 780552).
-
-Debian bug: https://bugs.debian.org/780552
-Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769186#41
-systemd upstream bug: https://bugs.freedesktop.org/show_bug.cgi?id=86707#c3
-
-Signed-off-by: Stefan Lippers-Hollmann <s....@gmx.de>
-
---- a/wpa_supplicant/systemd/wpa_supplicant.service.in
-+++ b/wpa_supplicant/systemd/wpa_supplicant.service.in
-@@ -1,5 +1,6 @@
- [Unit]
- Description=WPA supplicant
-+Before=network.target
- 
- [Service]
- Type=dbus
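Review bot: Deleting this patch drops the Before=network.target line it added to the [Unit] section of wpa_supplicant.service.in, so the 2.5 unit template needs to carry that ordering itself or the start-order problem from bug 780552 comes back. Please check the shipped wpa_supplicant.service after the build and, if upstream expresses the dependency differently, note that in the changelog entry.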
diff -upNr wpa-2.3/debian/patches/wpa_supplicant-MACsec-fix-build-failure-for-IEEE8021.patch wpa-2.5/debian/patches/wpa_supplicant-MACsec-fix-build-failure-for-IEEE8021.patch
--- wpa-2.3/debian/patches/wpa_supplicant-MACsec-fix-build-failure-for-IEEE8021.patch	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/patches/wpa_supplicant-MACsec-fix-build-failure-for-IEEE8021.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,42 +0,0 @@
-From d79a8b745b58f0ce1aa1b6969414456415e7eb16 Mon Sep 17 00:00:00 2001
-From: Stefan Lippers-Hollmann <s....@gmx.de>
-Date: Mon, 30 Jun 2014 01:46:27 +0200
-Subject: [PATCH] wpa_supplicant/ MACsec: fix build failure for
- IEEE8021X_EAPOL=n
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Building wpa_supplicant >= 2.2 fails on Debian/ kfreebsd with the following
-error message:
-
-cc -c -o wpa_supplicant.o -MMD -Wall -g -Os -fPIC -Isrc -Isrc/utils -DCONFIG_BACKEND_FILE   -DCONFIG_DRIVER_BSD -DCONFIG_CTRL_IFACE -DCONFIG_CTRL_IFACE_UNIX  wpa_supplicant.c
-wpa_supplicant.c: In function ‘wpa_supplicant_initiate_eapol’:
-wpa_supplicant.c:303:33: error: ‘ssid’ undeclared (first use in this function)
-  ieee802_1x_alloc_kay_sm(wpa_s, ssid);
-                                 ^
-wpa_supplicant.c:303:33: note: each undeclared identifier is reported only once for each function it appears in
-
-Move ieee802_1x_alloc_kay_sm(wpa_s, ssid) into the IEEE8021X_EAPOL ifdef,
-as the "ssid" is only conditionally defined for it.
-
-Signed-off-by: Stefan Lippers-Hollmann <s....@gmx.de>
----
-Build-tested only.
-
- wpa_supplicant/wpa_supplicant.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/wpa_supplicant/wpa_supplicant.c
-+++ b/wpa_supplicant/wpa_supplicant.c
-@@ -299,9 +299,9 @@ void wpa_supplicant_initiate_eapol(struc
- 	eapol_conf.external_sim = wpa_s->conf->external_sim;
- 	eapol_conf.wps = wpa_s->key_mgmt == WPA_KEY_MGMT_WPS;
- 	eapol_sm_notify_config(wpa_s->eapol, &ssid->eap, &eapol_conf);
--#endif /* IEEE8021X_EAPOL */
- 
- 	ieee802_1x_alloc_kay_sm(wpa_s, ssid);
-+#endif /* IEEE8021X_EAPOL */
- }
- 
- 
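Review bot: The patch removed here was marked "Build-tested only" and exists solely to keep ieee802_1x_alloc_kay_sm(wpa_s, ssid) inside the IEEE8021X_EAPOL block. Before dropping it, 2.5 should be test-built in the configuration quoted in its commit message (CONFIG_DRIVER_BSD, IEEE8021X_EAPOL not defined) to confirm the "ssid undeclared" error at that call does not return on kfreebsd.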
diff -upNr wpa-2.3/debian/patches/wpasupplicant_P2P-Validate-SSID-element-length-before-copying-it-C.patch wpa-2.5/debian/patches/wpasupplicant_P2P-Validate-SSID-element-length-before-copying-it-C.patch
--- wpa-2.3/debian/patches/wpasupplicant_P2P-Validate-SSID-element-length-before-copying-it-C.patch	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/patches/wpasupplicant_P2P-Validate-SSID-element-length-before-copying-it-C.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,37 +0,0 @@
-From 9ed4eee345f85e3025c33c6e20aa25696e341ccd Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jo...@qca.qualcomm.com>
-Date: Tue, 7 Apr 2015 11:32:11 +0300
-Subject: [PATCH] P2P: Validate SSID element length before copying it
- (CVE-2015-1863)
-
-This fixes a possible memcpy overflow for P2P dev->oper_ssid in
-p2p_add_device(). The length provided by the peer device (0..255 bytes)
-was used without proper bounds checking and that could have resulted in
-arbitrary data of up to 223 bytes being written beyond the end of the
-dev->oper_ssid[] array (of which about 150 bytes would be beyond the
-heap allocation) when processing a corrupted management frame for P2P
-peer discovery purposes.
-
-This could result in corrupted state in heap, unexpected program
-behavior due to corrupted P2P peer device information, denial of service
-due to process crash, exposure of memory contents during GO Negotiation,
-and potentially arbitrary code execution.
-
-Thanks to Google security team for reporting this issue and smart
-hardware research group of Alibaba security team for discovering it.
-
-Signed-off-by: Jouni Malinen <jo...@qca.qualcomm.com>
----
- src/p2p/p2p.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/src/p2p/p2p.c
-+++ b/src/p2p/p2p.c
-@@ -736,6 +736,7 @@ int p2p_add_device(struct p2p_data *p2p,
- 	if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0)
- 		os_memcpy(dev->interface_addr, addr, ETH_ALEN);
- 	if (msg.ssid &&
-+	    msg.ssid[1] <= sizeof(dev->oper_ssid) &&
- 	    (msg.ssid[1] != P2P_WILDCARD_SSID_LEN ||
- 	     os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN)
- 	     != 0)) {
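Review bot: This removes the Debian-carried fix for CVE-2015-1863, so the upload should not go ahead until the 2.5 tree is confirmed to contain the msg.ssid[1] <= sizeof(dev->oper_ssid) bound in p2p_add_device() ahead of the copy into dev->oper_ssid. The length byte is supplied by the peer (0..255) and the commit message describes a heap overwrite of up to 223 bytes without the check, so a silent regression here would be remotely triggerable during P2P peer discovery. If the changelog's list of dropped patches does not already name this file, please add it there so the CVE stays traceable to the upstream release that fixes it.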
diff -upNr wpa-2.3/debian/rules wpa-2.5/debian/rules
--- wpa-2.3/debian/rules	2015-11-12 20:55:35.000000000 +0100
+++ wpa-2.5/debian/rules	2015-10-24 16:14:41.000000000 +0200
@@ -92,6 +92,8 @@ override_dh_install:
 	# install systemd support
 	install --mode=644 -D wpa_supplicant/systemd/wpa_supplicant.service \
 		debian/wpasupplicant/lib/systemd/system/wpa_supplicant.service
+	install --mode=644 -D wpa_supplicant/systemd/wpa_supplicant@.service \
+		debian/wpasupplicant/lib/systemd/system/wpa_supplicant@.service
 	# install D-Bus service activation files & configuration
 	install --mode=644 -D wpa_supplicant/dbus/dbus-wpa_supplicant.conf \
 		debian/wpasupplicant/etc/dbus-1/system.d/wpa_supplicant.conf
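Review bot: The added install of wpa_supplicant/systemd/wpa_supplicant@.service assumes the build has already generated that file, and nothing in this hunk shows that it does. The plain wpa_supplicant.service is produced from wpa_supplicant.service.in, so please confirm the build step also produces the template unit, otherwise override_dh_install fails at this line. A short comment above the new lines saying that this is the per-interface template unit would also keep it from being mistaken for a duplicate of the entry above it.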
