CVS commit: src/external/bsd/wpa/dist/src/ap
Module Name:src Committed By: christos Date: Sat May 9 19:35:15 UTC 2015 Modified Files: src/external/bsd/wpa/dist/src/ap: wmm.c Log Message: The length of the WMM Action frame was not properly validated and the length of the information elements (int left) could end up being negative. This would result in reading significantly past the stack buffer while parsing the IEs in ieee802_11_parse_elems() and while doing so, resulting in segmentation fault. This can result in an invalid frame being used for a denial of service attack (hostapd process killed) against an AP with a driver that uses hostapd for management frame processing (e.g., all mac80211-based drivers). Thanks to Kostya Kortchinsky of Google security team for discovering and reporting this issue. XXX: pullup-7 To generate a diff of this commit: cvs rdiff -u -r1.1.1.4 -r1.2 src/external/bsd/wpa/dist/src/ap/wmm.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/wpa/dist/src/ap/wmm.c diff -u src/external/bsd/wpa/dist/src/ap/wmm.c:1.1.1.4 src/external/bsd/wpa/dist/src/ap/wmm.c:1.2 --- src/external/bsd/wpa/dist/src/ap/wmm.c:1.1.1.4 Thu Oct 16 15:16:06 2014 +++ src/external/bsd/wpa/dist/src/ap/wmm.c Sat May 9 15:35:15 2015 @@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_d return; } + if (left 0) + return; /* not a valid WMM Action frame */ + /* extract the tspec info element */ if (ieee802_11_parse_elems(pos, left, elems, 1) == ParseFailed) { hostapd_logger(hapd, mgmt-sa, HOSTAPD_MODULE_IEEE80211,
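Review bot: The added `left < 0` early return drops the malformed frame without any trace, while the parse-failure path directly below it reports through hostapd_logger(). The log message describes this as a remotely triggerable crash of the hostapd process, so a debug-level record of rejected frames would let an operator notice a station sending them, for example `if (left < 0) { wpa_printf(MSG_DEBUG, "WMM: Action frame too short"); return; }`. The page's extraction appears to have dropped the `<` from the condition. `left` and the parse pointer are computed outside the hunk, so it cannot be confirmed from here whether the pointer is derived before this length check; validating the frame length first would be the safer order.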
CVS commit: src/external/bsd/wpa/dist/src/ap
Module Name:src Committed By: christos Date: Sat Mar 7 22:31:24 UTC 2015 Modified Files: src/external/bsd/wpa/dist/src/ap: ap_drv_ops.c Log Message: prevent coredump from the distributed config file. XXX: pullup-7 To generate a diff of this commit: cvs rdiff -u -r1.1.1.4 -r1.2 src/external/bsd/wpa/dist/src/ap/ap_drv_ops.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/wpa/dist/src/ap/ap_drv_ops.c diff -u src/external/bsd/wpa/dist/src/ap/ap_drv_ops.c:1.1.1.4 src/external/bsd/wpa/dist/src/ap/ap_drv_ops.c:1.2 --- src/external/bsd/wpa/dist/src/ap/ap_drv_ops.c:1.1.1.4 Thu Oct 16 15:16:05 2014 +++ src/external/bsd/wpa/dist/src/ap/ap_drv_ops.c Sat Mar 7 17:31:24 2015 @@ -569,7 +569,8 @@ int hostapd_set_freq(struct hostapd_data { struct hostapd_freq_params data; - if (hostapd_set_freq_params(data, mode, freq, channel, ht_enabled, + if (hapd-iface-current_mode + hostapd_set_freq_params(data, mode, freq, channel, ht_enabled, vht_enabled, sec_channel_offset, vht_oper_chwidth, center_segment0, center_segment1, @@ -765,7 +766,8 @@ int hostapd_start_dfs_cac(struct hostapd return -1; } - if (hostapd_set_freq_params(data, mode, freq, channel, ht_enabled, + if (iface-current_mode + hostapd_set_freq_params(data, mode, freq, channel, ht_enabled, vht_enabled, sec_channel_offset, vht_oper_chwidth, center_segment0, center_segment1,
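Review bot: When `current_mode` is NULL the added `&&` in hostapd_set_freq() short-circuits, so hostapd_set_freq_params() never fills `data`, which is declared without an initializer at the top of the hunk. If the code after the hunk goes on to hand `data` to the driver, which is not visible here, it would pass indeterminate stack contents instead of crashing. The condition in the hostapd_start_dfs_cac() hunk has the same shape. Guarding only the dereference avoids this: keep the call unconditional and make the argument that reads from `current_mode` (presumably past the end of both hunks) a conditional such as `current_mode ? current_mode->vht_capab : 0`. Alternatively, fail early with `if (hapd->iface->current_mode == NULL) return -1;`.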
CVS commit: src/external/bsd/wpa/dist/src/ap
Module Name:src Committed By: plunky Date: Sun Feb 27 18:07:43 UTC 2011 Modified Files: src/external/bsd/wpa/dist/src/ap: wpa_auth.c Log Message: avoid preprocessor directives in macro arguments has been committed upstream at http://hostap.epitest.fi/gitweb/gitweb.cgi?p=hostap.git;a=blobdiff;f=src/ap/wpa_auth.c;h=7ad60a23d999082a00e9be672d4b55a19c46a4bb;hp=13e8ec43895a67d6d825b5c2a199499232dbafcb;hb=8ce58ceb250f101ee66682a4149cc652a30a74da;hpb=73304dbf65c3da859b1c51e6be32457e9ec9932d To generate a diff of this commit: cvs rdiff -u -r1.1.1.1 -r1.2 src/external/bsd/wpa/dist/src/ap/wpa_auth.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/wpa/dist/src/ap/wpa_auth.c diff -u src/external/bsd/wpa/dist/src/ap/wpa_auth.c:1.1.1.1 src/external/bsd/wpa/dist/src/ap/wpa_auth.c:1.2 --- src/external/bsd/wpa/dist/src/ap/wpa_auth.c:1.1.1.1 Wed Aug 4 10:18:00 2010 +++ src/external/bsd/wpa/dist/src/ap/wpa_auth.c Sun Feb 27 18:07:42 2011 @@ -2327,19 +2327,21 @@ { int len = 0, ret; char pmkid_txt[PMKID_LEN * 2 + 1]; +#ifdef CONFIG_RSN_PREAUTH + const int preauth = 1; +#else /* CONFIG_RSN_PREAUTH */ + const int preauth = 0; +#endif /* CONFIG_RSN_PREAUTH */ if (wpa_auth == NULL) return len; ret = os_snprintf(buf + len, buflen - len, dot11RSNAOptionImplemented=TRUE\n -#ifdef CONFIG_RSN_PREAUTH - dot11RSNAPreauthenticationImplemented=TRUE\n -#else /* CONFIG_RSN_PREAUTH */ - dot11RSNAPreauthenticationImplemented=FALSE\n -#endif /* CONFIG_RSN_PREAUTH */ + dot11RSNAPreauthenticationImplemented=%s\n dot11RSNAEnabled=%s\n dot11RSNAPreauthenticationEnabled=%s\n, + wpa_bool_txt(preauth), wpa_bool_txt(wpa_auth-conf.wpa WPA_PROTO_RSN), wpa_bool_txt(wpa_auth-conf.rsn_preauth)); if (ret 0 || (size_t) ret = buflen - len)
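Review bot: The hoisted `preauth` constant has no comment saying why the `#ifdef` was moved out of the os_snprintf() argument list, so a later cleanup could fold it back in. Preprocessor directives inside the arguments of a function-like macro are undefined behaviour in C, and os_snprintf() may be defined as a macro. A one-line comment above the new block would record that, e.g. `/* os_snprintf() may be a macro: keep preprocessor directives out of its argument list */`. The enclosing function starts and ends outside the hunk.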