Module Name: src Committed By: christos Date: Tue May 3 18:19:44 UTC 2016
Modified Files: src/external/bsd/wpa/dist/src/utils: common.c common.h src/external/bsd/wpa/dist/src/wps: wps_attr_process.c Log Message: http://w1.fi/security/2016-1/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch WPA/WPA2-Personal passphrase is not allowed to include control characters. Reject a Credential received from a WPS Registrar both as STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or WPA2PSK authentication type and includes an invalid passphrase. This fixes an issue where hostapd or wpa_supplicant could have updated the configuration file PSK/passphrase parameter with arbitrary data from an external device (Registrar) that may not be fully trusted. Should such data include a newline character, the resulting configuration file could become invalid and fail to be parsed. To generate a diff of this commit: cvs rdiff -u -r1.1.1.5 -r1.2 src/external/bsd/wpa/dist/src/utils/common.c \ src/external/bsd/wpa/dist/src/utils/common.h cvs rdiff -u -r1.1.1.5 -r1.2 \ src/external/bsd/wpa/dist/src/wps/wps_attr_process.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/external/bsd/wpa/dist/src/utils/common.c diff -u src/external/bsd/wpa/dist/src/utils/common.c:1.1.1.5 src/external/bsd/wpa/dist/src/utils/common.c:1.2 --- src/external/bsd/wpa/dist/src/utils/common.c:1.1.1.5 Wed Apr 1 15:24:45 2015 +++ src/external/bsd/wpa/dist/src/utils/common.c Tue May 3 14:19:44 2016 @@ -671,6 +671,18 @@ int is_hex(const u8 *data, size_t len) } +int has_ctrl_char(const u8 *data, size_t len) +{ + size_t i; + + for (i = 0; i < len; i++) { + if (data[i] < 32 || data[i] == 127) + return 1; + } + return 0; +} + + size_t merge_byte_arrays(u8 *res, size_t res_len, const u8 *src1, size_t src1_len, const u8 *src2, size_t src2_len) Index: src/external/bsd/wpa/dist/src/utils/common.h diff -u src/external/bsd/wpa/dist/src/utils/common.h:1.1.1.5 src/external/bsd/wpa/dist/src/utils/common.h:1.2 --- src/external/bsd/wpa/dist/src/utils/common.h:1.1.1.5 Wed Apr 1 15:24:45 2015 +++ src/external/bsd/wpa/dist/src/utils/common.h Tue May 3 14:19:44 2016 @@ -501,6 +501,7 @@ const char * wpa_ssid_txt(const u8 *ssid char * wpa_config_parse_string(const char *value, size_t *len); int is_hex(const u8 *data, size_t len); +int has_ctrl_char(const u8 *data, size_t len); size_t merge_byte_arrays(u8 *res, size_t res_len, const u8 *src1, size_t src1_len, const u8 *src2, size_t src2_len); Index: src/external/bsd/wpa/dist/src/wps/wps_attr_process.c diff -u src/external/bsd/wpa/dist/src/wps/wps_attr_process.c:1.1.1.5 src/external/bsd/wpa/dist/src/wps/wps_attr_process.c:1.2 --- src/external/bsd/wpa/dist/src/wps/wps_attr_process.c:1.1.1.5 Thu Oct 16 15:16:09 2014 +++ src/external/bsd/wpa/dist/src/wps/wps_attr_process.c Tue May 3 14:19:44 2016 @@ -229,6 +229,16 @@ static int wps_workaround_cred_key(struc cred->key_len--; #endif /* CONFIG_WPS_STRICT */ } + + + if (cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK) && + (cred->key_len < 8 || has_ctrl_char(cred->key, cred->key_len))) { + wpa_printf(MSG_INFO, "WPS: Reject credential with invalid WPA/WPA2-Personal passphrase"); + wpa_hexdump_ascii_key(MSG_INFO, "WPS: Network Key", + cred->key, cred->key_len); + return -1; + } + return 0; }