From 5b487d679babc4bf52919c06b8ce9c07ec7b88d2 Mon Sep 17 00:00:00 2001 From: John W. Linville Date: Oct 13 2015 20:45:22 +0000 Subject: Update to version 2.5 from upstream - Remove patches made redundant by version update --- diff --git a/.gitignore b/.gitignore index 0764eb6..076f0aa 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -/hostapd-2.4.tar.gz +/hostapd-2.5.tar.gz diff --git a/hostapd-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch b/hostapd-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch deleted file mode 100644 index 79c5af8..0000000 --- a/hostapd-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch +++ /dev/null @@ -1,41 +0,0 @@ -From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001 -From: Jouni Malinen -Date: Wed, 29 Apr 2015 02:21:53 +0300 -Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser - -The length of the WMM Action frame was not properly validated and the -length of the information elements (int left) could end up being -negative. This would result in reading significantly past the stack -buffer while parsing the IEs in ieee802_11_parse_elems() and while doing -so, resulting in segmentation fault. - -This can result in an invalid frame being used for a denial of service -attack (hostapd process killed) against an AP with a driver that uses -hostapd for management frame processing (e.g., all mac80211-based -drivers). - -Thanks to Kostya Kortchinsky of Google security team for discovering and -reporting this issue. - -Signed-off-by: Jouni Malinen ---- - src/ap/wmm.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/ap/wmm.c b/src/ap/wmm.c -index 6d4177c..314e244 100644 ---- a/src/ap/wmm.c -+++ b/src/ap/wmm.c -@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd, - return; - } - -+ if (left < 0) -+ return; /* not a valid WMM Action frame */ -+ - /* extract the tspec info element */ - if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) { - hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, --- -1.9.1 - diff --git a/hostapd-EAP-TLS-server-Fix-TLS-Message-Length-validation.patch b/hostapd-EAP-TLS-server-Fix-TLS-Message-Length-validation.patch deleted file mode 100644 index dee044e..0000000 --- a/hostapd-EAP-TLS-server-Fix-TLS-Message-Length-validation.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 586c446e0ff42ae00315b014924ec669023bd8de Mon Sep 17 00:00:00 2001 -From: Jouni Malinen -Date: Sun, 7 Oct 2012 20:06:29 +0300 -Subject: [PATCH] EAP-TLS server: Fix TLS Message Length validation - -EAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLS -Message Length value properly and could end up trying to store more -information into the message buffer than the allocated size if the first -fragment is longer than the indicated size. This could result in hostapd -process terminating in wpabuf length validation. Fix this by rejecting -messages that have invalid TLS Message Length value. - -This would affect cases that use the internal EAP authentication server -in hostapd either directly with IEEE 802.1X or when using hostapd as a -RADIUS authentication server and when receiving an incorrectly -constructed EAP-TLS message. Cases where hostapd uses an external -authentication are not affected. - -Thanks to Timo Warns for finding and reporting this issue. - -Signed-hostap: Jouni Malinen -intended-for: hostap-1 ---- - src/eap_server/eap_server_tls_common.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c -index 31be2ec..46f282b 100644 ---- a/src/eap_server/eap_server_tls_common.c -+++ b/src/eap_server/eap_server_tls_common.c -@@ -261,6 +261,14 @@ - return -1; - } - -+ if (len > message_length) { -+ wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in " -+ "first fragment of frame (TLS Message " -+ "Length %d bytes)", -+ (int) len, (int) message_length); -+ return -1; -+ } -+ - data->tls_in = wpabuf_alloc(message_length); - if (data->tls_in == NULL) { - wpa_printf(MSG_DEBUG, "SSL: No memory for message"); --- -1.7.11.4 - diff --git a/hostapd-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch b/hostapd-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch deleted file mode 100644 index 8b03807..0000000 --- a/hostapd-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch +++ /dev/null @@ -1,59 +0,0 @@ -From df9079e72760ceb7ebe7fb11538200c516bdd886 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen -Date: Tue, 7 Jul 2015 21:57:28 +0300 -Subject: [PATCH] NFC: Fix payload length validation in NDEF record parser - -It was possible for the 32-bit record->total_length value to end up -wrapping around due to integer overflow if the longer form of payload -length field is used and record->payload_length gets a value close to -2^32. This could result in ndef_parse_record() accepting a too large -payload length value and the record type filter reading up to about 20 -bytes beyond the end of the buffer and potentially killing the process. -This could also result in an attempt to allocate close to 2^32 bytes of -heap memory and if that were to succeed, a buffer read overflow of the -same length which would most likely result in the process termination. -In case of record->total_length ending up getting the value 0, there -would be no buffer read overflow, but record parsing would result in an -infinite loop in ndef_parse_records(). - -Any of these error cases could potentially be used for denial of service -attacks over NFC by using a malformed NDEF record on an NFC Tag or -sending them during NFC connection handover if the application providing -the NDEF message to hostapd/wpa_supplicant did no validation of the -received records. While such validation is likely done in the NFC stack -that needs to parse the NFC messages before further processing, -hostapd/wpa_supplicant better be prepared for any data being included -here. - -Fix this by validating record->payload_length value in a way that -detects integer overflow. (CID 122668) - -Signed-off-by: Jouni Malinen ---- - src/wps/ndef.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -(Adapted for 2.4 sources in Fedora. -- JWL) - -diff -up hostapd-2.4/src/wps/ndef.c.NDEF_payload hostapd-2.4/src/wps/ndef.c ---- hostapd-2.4/src/wps/ndef.c.NDEF_payload 2015-03-15 13:30:39.000000000 -0400 -+++ hostapd-2.4/src/wps/ndef.c 2015-07-10 13:14:25.121359848 -0400 -@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *d - if (size < 6) - return -1; - record->payload_length = ntohl(*(u32 *)pos); -+ if (record->payload_length > size - 6) -+ return -1; - pos += sizeof(u32); - } - -@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *d - pos += record->payload_length; - - record->total_length = pos - data; -- if (record->total_length > size) -+ if (record->total_length > size || -+ record->total_length < record->payload_length) - return -1; - return 0; - } diff --git a/hostapd.spec b/hostapd.spec index 39f062c..638eb59 100644 --- a/hostapd.spec +++ b/hostapd.spec @@ -1,8 +1,8 @@ %global _hardened_build 1 Name: hostapd -Version: 2.4 -Release: 4%{?dist} +Version: 2.5 +Release: 1%{?dist} Summary: IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator License: BSD URL: http://w1.fi/hostapd @@ -12,9 +12,6 @@ Source1: %{name}.service Source2: %{name}.conf Source3: %{name}.sysconfig Source4: %{name}.init -Patch0: %{name}-EAP-TLS-server-Fix-TLS-Message-Length-validation.patch -Patch1: %{name}-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch -Patch2: %{name}-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch BuildRequires: libnl3-devel BuildRequires: openssl-devel @@ -53,14 +50,6 @@ Logwatch scripts for hostapd. %prep %setup -q -# git://w1.fi/srv/git/hostap.git -# commit 586c446e0ff42ae00315b014924ec669023bd8de -%patch0 -p1 -b .message_length -# commit ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae -%patch1 -p1 -b .wmm_underflow -# commit df9079e72760ceb7ebe7fb11538200c516bdd886 -%patch2 -p1 -b .ndef_length - %build cd hostapd cat defconfig | sed \ @@ -178,6 +167,10 @@ fi %{_sysconfdir}/logwatch/scripts/services/%{name} %changelog +* Tue Oct 13 2015 John W. Linville - 2.5-1 +- Update to version 2.5 from upstream +- Remove patches made redundant by version update + * Fri Jul 10 2015 John W. Linville - 2.4-3 - apply fix for NDEF record payload length checking diff --git a/sources b/sources index 7747b08..8cc9f9c 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -04578f3f2c3eb1bec1adf30473813912 hostapd-2.4.tar.gz +69f9cec3f76d74f402864a43e4f8624f hostapd-2.5.tar.gz