summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'net-wireless/wpa_supplicant/files/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch')
-rw-r--r--net-wireless/wpa_supplicant/files/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch42
1 files changed, 0 insertions, 42 deletions
diff --git a/net-wireless/wpa_supplicant/files/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch b/net-wireless/wpa_supplicant/files/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
deleted file mode 100644
index de1964ca769..00000000000
--- a/net-wireless/wpa_supplicant/files/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 9ed4eee345f85e3025c33c6e20aa25696e341ccd Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@qca.qualcomm.com>
-Date: Tue, 7 Apr 2015 11:32:11 +0300
-Subject: [PATCH] P2P: Validate SSID element length before copying it
- (CVE-2015-1863)
-
-This fixes a possible memcpy overflow for P2P dev->oper_ssid in
-p2p_add_device(). The length provided by the peer device (0..255 bytes)
-was used without proper bounds checking and that could have resulted in
-arbitrary data of up to 223 bytes being written beyond the end of the
-dev->oper_ssid[] array (of which about 150 bytes would be beyond the
-heap allocation) when processing a corrupted management frame for P2P
-peer discovery purposes.
-
-This could result in corrupted state in heap, unexpected program
-behavior due to corrupted P2P peer device information, denial of service
-due to process crash, exposure of memory contents during GO Negotiation,
-and potentially arbitrary code execution.
-
-Thanks to Google security team for reporting this issue and smart
-hardware research group of Alibaba security team for discovering it.
-
-Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
----
- src/p2p/p2p.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
-index f584fae..a45fe73 100644
---- a/src/p2p/p2p.c
-+++ b/src/p2p/p2p.c
-@@ -778,6 +778,7 @@ int p2p_add_device(struct p2p_data *p2p, const u8 *addr, int freq,
- if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0)
- os_memcpy(dev->interface_addr, addr, ETH_ALEN);
- if (msg.ssid &&
-+ msg.ssid[1] <= sizeof(dev->oper_ssid) &&
- (msg.ssid[1] != P2P_WILDCARD_SSID_LEN ||
- os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN)
- != 0)) {
---
-1.9.1
-