diff --git a/hostapd-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch b/hostapd-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch new file mode 100644 index 0000000..8b03807 --- /dev/null +++ b/hostapd-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch @@ -0,0 +1,59 @@ +From df9079e72760ceb7ebe7fb11538200c516bdd886 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Tue, 7 Jul 2015 21:57:28 +0300 +Subject: [PATCH] NFC: Fix payload length validation in NDEF record parser + +It was possible for the 32-bit record->total_length value to end up +wrapping around due to integer overflow if the longer form of payload +length field is used and record->payload_length gets a value close to +2^32. This could result in ndef_parse_record() accepting a too large +payload length value and the record type filter reading up to about 20 +bytes beyond the end of the buffer and potentially killing the process. +This could also result in an attempt to allocate close to 2^32 bytes of +heap memory and if that were to succeed, a buffer read overflow of the +same length which would most likely result in the process termination. +In case of record->total_length ending up getting the value 0, there +would be no buffer read overflow, but record parsing would result in an +infinite loop in ndef_parse_records(). + +Any of these error cases could potentially be used for denial of service +attacks over NFC by using a malformed NDEF record on an NFC Tag or +sending them during NFC connection handover if the application providing +the NDEF message to hostapd/wpa_supplicant did no validation of the +received records. While such validation is likely done in the NFC stack +that needs to parse the NFC messages before further processing, +hostapd/wpa_supplicant better be prepared for any data being included +here. + +Fix this by validating record->payload_length value in a way that +detects integer overflow. (CID 122668) + +Signed-off-by: Jouni Malinen +--- + src/wps/ndef.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +(Adapted for 2.4 sources in Fedora. -- JWL) + +diff -up hostapd-2.4/src/wps/ndef.c.NDEF_payload hostapd-2.4/src/wps/ndef.c +--- hostapd-2.4/src/wps/ndef.c.NDEF_payload 2015-03-15 13:30:39.000000000 -0400 ++++ hostapd-2.4/src/wps/ndef.c 2015-07-10 13:14:25.121359848 -0400 +@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *d + if (size < 6) + return -1; + record->payload_length = ntohl(*(u32 *)pos); ++ if (record->payload_length > size - 6) ++ return -1; + pos += sizeof(u32); + } + +@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *d + pos += record->payload_length; + + record->total_length = pos - data; +- if (record->total_length > size) ++ if (record->total_length > size || ++ record->total_length < record->payload_length) + return -1; + return 0; + } diff --git a/hostapd.spec b/hostapd.spec index c06de6b..39f062c 100644 --- a/hostapd.spec +++ b/hostapd.spec @@ -2,7 +2,7 @@ Name: hostapd Version: 2.4 -Release: 3%{?dist} +Release: 4%{?dist} Summary: IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator License: BSD URL: http://w1.fi/hostapd @@ -14,6 +14,7 @@ Source3: %{name}.sysconfig Source4: %{name}.init Patch0: %{name}-EAP-TLS-server-Fix-TLS-Message-Length-validation.patch Patch1: %{name}-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch +Patch2: %{name}-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch BuildRequires: libnl3-devel BuildRequires: openssl-devel @@ -57,6 +58,8 @@ Logwatch scripts for hostapd. %patch0 -p1 -b .message_length # commit ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae %patch1 -p1 -b .wmm_underflow +# commit df9079e72760ceb7ebe7fb11538200c516bdd886 +%patch2 -p1 -b .ndef_length %build cd hostapd @@ -175,6 +178,9 @@ fi %{_sysconfdir}/logwatch/scripts/services/%{name} %changelog +* Fri Jul 10 2015 John W. Linville - 2.4-3 +- apply fix for NDEF record payload length checking + * Wed Jun 17 2015 Fedora Release Engineering - 2.4-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild