|
John W. Linville |
c803bbc |
From df9079e72760ceb7ebe7fb11538200c516bdd886 Mon Sep 17 00:00:00 2001
|
|
John W. Linville |
c803bbc |
From: Jouni Malinen <j@w1.fi>
|
|
John W. Linville |
c803bbc |
Date: Tue, 7 Jul 2015 21:57:28 +0300
|
|
John W. Linville |
c803bbc |
Subject: [PATCH] NFC: Fix payload length validation in NDEF record parser
|
|
John W. Linville |
c803bbc |
|
|
John W. Linville |
c803bbc |
It was possible for the 32-bit record->total_length value to end up
|
|
John W. Linville |
c803bbc |
wrapping around due to integer overflow if the longer form of payload
|
|
John W. Linville |
c803bbc |
length field is used and record->payload_length gets a value close to
|
|
John W. Linville |
c803bbc |
2^32. This could result in ndef_parse_record() accepting a too large
|
|
John W. Linville |
c803bbc |
payload length value and the record type filter reading up to about 20
|
|
John W. Linville |
c803bbc |
bytes beyond the end of the buffer and potentially killing the process.
|
|
John W. Linville |
c803bbc |
This could also result in an attempt to allocate close to 2^32 bytes of
|
|
John W. Linville |
c803bbc |
heap memory and if that were to succeed, a buffer read overflow of the
|
|
John W. Linville |
c803bbc |
same length which would most likely result in the process termination.
|
|
John W. Linville |
c803bbc |
In case of record->total_length ending up getting the value 0, there
|
|
John W. Linville |
c803bbc |
would be no buffer read overflow, but record parsing would result in an
|
|
John W. Linville |
c803bbc |
infinite loop in ndef_parse_records().
|
|
John W. Linville |
c803bbc |
|
|
John W. Linville |
c803bbc |
Any of these error cases could potentially be used for denial of service
|
|
John W. Linville |
c803bbc |
attacks over NFC by using a malformed NDEF record on an NFC Tag or
|
|
John W. Linville |
c803bbc |
sending them during NFC connection handover if the application providing
|
|
John W. Linville |
c803bbc |
the NDEF message to hostapd/wpa_supplicant did no validation of the
|
|
John W. Linville |
c803bbc |
received records. While such validation is likely done in the NFC stack
|
|
John W. Linville |
c803bbc |
that needs to parse the NFC messages before further processing,
|
|
John W. Linville |
c803bbc |
hostapd/wpa_supplicant better be prepared for any data being included
|
|
John W. Linville |
c803bbc |
here.
|
|
John W. Linville |
c803bbc |
|
|
John W. Linville |
c803bbc |
Fix this by validating record->payload_length value in a way that
|
|
John W. Linville |
c803bbc |
detects integer overflow. (CID 122668)
|
|
John W. Linville |
c803bbc |
|
|
John W. Linville |
c803bbc |
Signed-off-by: Jouni Malinen <j@w1.fi>
|
|
John W. Linville |
c803bbc |
---
|
|
John W. Linville |
c803bbc |
src/wps/ndef.c | 5 ++++-
|
|
John W. Linville |
c803bbc |
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
John W. Linville |
c803bbc |
|
|
John W. Linville |
c803bbc |
(Adapted for 2.4 sources in Fedora. -- JWL)
|
|
John W. Linville |
c803bbc |
|
|
John W. Linville |
c803bbc |
diff -up hostapd-2.4/src/wps/ndef.c.NDEF_payload hostapd-2.4/src/wps/ndef.c
|
|
John W. Linville |
c803bbc |
--- hostapd-2.4/src/wps/ndef.c.NDEF_payload 2015-03-15 13:30:39.000000000 -0400
|
|
John W. Linville |
c803bbc |
+++ hostapd-2.4/src/wps/ndef.c 2015-07-10 13:14:25.121359848 -0400
|
|
John W. Linville |
c803bbc |
@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *d
|
|
John W. Linville |
c803bbc |
if (size < 6)
|
|
John W. Linville |
c803bbc |
return -1;
|
|
John W. Linville |
c803bbc |
record->payload_length = ntohl(*(u32 *)pos);
|
|
John W. Linville |
c803bbc |
+ if (record->payload_length > size - 6)
|
|
John W. Linville |
c803bbc |
+ return -1;
|
|
John W. Linville |
c803bbc |
pos += sizeof(u32);
|
|
John W. Linville |
c803bbc |
}
|
|
John W. Linville |
c803bbc |
|
|
John W. Linville |
c803bbc |
@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *d
|
|
John W. Linville |
c803bbc |
pos += record->payload_length;
|
|
John W. Linville |
c803bbc |
|
|
John W. Linville |
c803bbc |
record->total_length = pos - data;
|
|
John W. Linville |
c803bbc |
- if (record->total_length > size)
|
|
John W. Linville |
c803bbc |
+ if (record->total_length > size ||
|
|
John W. Linville |
c803bbc |
+ record->total_length < record->payload_length)
|
|
John W. Linville |
c803bbc |
return -1;
|
|
John W. Linville |
c803bbc |
return 0;
|
|
John W. Linville |
c803bbc |
}
|