commit e3e8aebdc175c7e19cb1d3d0549c6699391162ce · pyrox.dev/nixpkgs

+42

pkgs/os-specific/linux/wpa_supplicant/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch

···

       1
       1
       +
       From 9ed4eee345f85e3025c33c6e20aa25696e341ccd Mon Sep 17 00:00:00 2001

     

       2
       2
       +
       From: Jouni Malinen <jouni@qca.qualcomm.com>

     

       3
       3
       +
       Date: Tue, 7 Apr 2015 11:32:11 +0300

     

       4
       4
       +
       Subject: [PATCH] P2P: Validate SSID element length before copying it

     

       5
       5
       +
        (CVE-2015-1863)

     

       6
       6
       +
       

     

       7
       7
       +
       This fixes a possible memcpy overflow for P2P dev->oper_ssid in

     

       8
       8
       +
       p2p_add_device(). The length provided by the peer device (0..255 bytes)

     

       9
       9
       +
       was used without proper bounds checking and that could have resulted in

     

       10
       10
       +
       arbitrary data of up to 223 bytes being written beyond the end of the

     

       11
       11
       +
       dev->oper_ssid[] array (of which about 150 bytes would be beyond the

     

       12
       12
       +
       heap allocation) when processing a corrupted management frame for P2P

     

       13
       13
       +
       peer discovery purposes.

     

       14
       14
       +
       

     

       15
       15
       +
       This could result in corrupted state in heap, unexpected program

     

       16
       16
       +
       behavior due to corrupted P2P peer device information, denial of service

     

       17
       17
       +
       due to process crash, exposure of memory contents during GO Negotiation,

     

       18
       18
       +
       and potentially arbitrary code execution.

     

       19
       19
       +
       

     

       20
       20
       +
       Thanks to Google security team for reporting this issue and smart

     

       21
       21
       +
       hardware research group of Alibaba security team for discovering it.

     

       22
       22
       +
       

     

       23
       23
       +
       Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

     

       24
       24
       +
       ---

     

       25
       25
       +
        src/p2p/p2p.c | 1 +

     

       26
       26
       +
        1 file changed, 1 insertion(+)

     

       27
       27
       +
       

     

       28
       28
       +
       diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c

     

       29
       29
       +
       index f584fae..a45fe73 100644

     

       30
       30
       +
       --- a/src/p2p/p2p.c

     

       31
       31
       +
       +++ b/src/p2p/p2p.c

     

       32
       32
       +
       @@ -778,6 +778,7 @@ int p2p_add_device(struct p2p_data *p2p, const u8 *addr, int freq,

     

       33
       33
       +
        	if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0)

     

       34
       34
       +
        		os_memcpy(dev->interface_addr, addr, ETH_ALEN);

     

       35
       35
       +
        	if (msg.ssid &&

     

       36
       36
       +
       +	    msg.ssid[1] <= sizeof(dev->oper_ssid) &&

     

       37
       37
       +
        	    (msg.ssid[1] != P2P_WILDCARD_SSID_LEN ||

     

       38
       38
       +
        	     os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN)

     

       39
       39
       +
        	     != 0)) {

     

       40
       40
       +
       -- 

     

       41
       41
       +
       1.9.1

     

       42
       42
       +

+1 -1

pkgs/os-specific/linux/wpa_supplicant/default.nix

···

       39
       39
        
       

     

       40
       40
        
         nativeBuildInputs = [ pkgconfig ];

     

       41
       41
        
       

     

       42
       42
       -
         patches = [];

     

       42
       42
       +
         patches = [ ./0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch ];

     

       43
       43
        
       

     

       44
       44
        
         postInstall = ''

     

       45
       45
        
           mkdir -p $out/share/man/man5 $out/share/man/man8