authorBjarke Istrup Pedersen <gurligebis@gentoo.org>2015-05-11 14:47:56 +0000
committerBjarke Istrup Pedersen <gurligebis@gentoo.org>2015-05-11 14:47:56 +0000
commitd69d0880954197b93ca16a84dbb47d0e40ac8e96 (patch)
tree2505e371091e4b8fb30cc5147f300015281c77f3 /net-wireless/hostapd
parentVersion bumps. Remove older. (diff)
downloadgentoo-2-d69d0880954197b93ca16a84dbb47d0e40ac8e96.tar.gz
gentoo-2-d69d0880954197b93ca16a84dbb47d0e40ac8e96.tar.bz2
gentoo-2-d69d0880954197b93ca16a84dbb47d0e40ac8e96.zip
Adding more security patches from bug #548744
(Portage version: 2.2.18/cvs/Linux x86_64, signed Manifest commit with key 15AE484C)
Diffstat (limited to 'net-wireless/hostapd')
-rw-r--r--net-wireless/hostapd/ChangeLog11
-rw-r--r--net-wireless/hostapd/files/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch49
-rw-r--r--net-wireless/hostapd/files/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch41
-rw-r--r--net-wireless/hostapd/hostapd-2.4-r2.ebuild (renamed from net-wireless/hostapd/hostapd-2.4-r1.ebuild)4
4 files changed, 103 insertions, 2 deletions
diff --git a/net-wireless/hostapd/ChangeLog b/net-wireless/hostapd/ChangeLog
index 34e9edf6d40f..6805797eba08 100644
--- a/net-wireless/hostapd/ChangeLog
+++ b/net-wireless/hostapd/ChangeLog
@@ -1,6 +1,15 @@
# ChangeLog for net-wireless/hostapd
# Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-wireless/hostapd/ChangeLog,v 1.155 2015/05/08 18:14:59 gurligebis Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-wireless/hostapd/ChangeLog,v 1.156 2015/05/11 14:47:56 gurligebis Exp $
+
+*hostapd-2.4-r2 (11 May 2015)
+
+ 11 May 2015; <gurligebis@gentoo.org> -hostapd-2.4-r1.ebuild,
+ +hostapd-2.4-r2.ebuild,
+ +files/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch,
+ +files/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
+ :
+ Adding more security patches from bug #548744
*hostapd-2.4-r1 (08 May 2015)
diff --git a/net-wireless/hostapd/files/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch b/net-wireless/hostapd/files/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
new file mode 100644
index 000000000000..36b4ca294699
--- /dev/null
+++ b/net-wireless/hostapd/files/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
@@ -0,0 +1,49 @@
+From 5acd23f4581da58683f3cf5e36cb71bbe4070bd7 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Tue, 28 Apr 2015 17:08:33 +0300
+Subject: [PATCH] WPS: Fix HTTP chunked transfer encoding parser
+
+strtoul() return value may end up overflowing the int h->chunk_size and
+resulting in a negative value to be stored as the chunk_size. This could
+result in the following memcpy operation using a very large length
+argument which would result in a buffer overflow and segmentation fault.
+
+This could have been used to cause a denial service by any device that
+has been authorized for network access (either wireless or wired). This
+would affect both the WPS UPnP functionality in a WPS AP (hostapd with
+upnp_iface parameter set in the configuration) and WPS ER
+(wpa_supplicant with WPS_ER_START control interface command used).
+
+Validate the parsed chunk length value to avoid this. In addition to
+rejecting negative values, we can also reject chunk size that would be
+larger than the maximum configured body length.
+
+Thanks to Kostya Kortchinsky of Google security team for discovering and
+reporting this issue.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/wps/httpread.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/wps/httpread.c b/src/wps/httpread.c
+index 2f08f37..d2855e3 100644
+--- a/src/wps/httpread.c
++++ b/src/wps/httpread.c
+@@ -533,6 +533,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx)
+ if (!isxdigit(*cbp))
+ goto bad;
+ h->chunk_size = strtoul(cbp, NULL, 16);
++ if (h->chunk_size < 0 ||
++ h->chunk_size > h->max_bytes) {
++ wpa_printf(MSG_DEBUG,
++ "httpread: Invalid chunk size %d",
++ h->chunk_size);
++ goto bad;
++ }
+ /* throw away chunk header
+ * so we have only real data
+ */
+--
+1.9.1
+
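Review bot: The `h->chunk_size < 0` test on the added line depends on the implementation-defined narrowing of strtoul()'s `unsigned long` result into the `int` field (the commit message states chunk_size is an int), so on LP64 targets a parsed value of 2^32 or more is truncated before the comparison and can pass as a small positive number instead of being rejected. The truncated value is then the one the parser uses, so it stays bounded, but the stated intent of rejecting anything above max_bytes holds only for the low 32 bits. A stricter form keeps the full-width value for the check, e.g. `unsigned long cs = strtoul(cbp, NULL, 16); if (cs > (unsigned long) h->max_bytes) goto bad; h->chunk_size = (int) cs;`, which presumes max_bytes is a non-negative int — confirm in httpread.c, which is outside this hunk. Since this file carries the upstream commit verbatim, the change belongs upstream rather than in the Gentoo copy.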
diff --git a/net-wireless/hostapd/files/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch b/net-wireless/hostapd/files/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
new file mode 100644
index 000000000000..79c5af8906fa
--- /dev/null
+++ b/net-wireless/hostapd/files/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
@@ -0,0 +1,41 @@
+From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Wed, 29 Apr 2015 02:21:53 +0300
+Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser
+
+The length of the WMM Action frame was not properly validated and the
+length of the information elements (int left) could end up being
+negative. This would result in reading significantly past the stack
+buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
+so, resulting in segmentation fault.
+
+This can result in an invalid frame being used for a denial of service
+attack (hostapd process killed) against an AP with a driver that uses
+hostapd for management frame processing (e.g., all mac80211-based
+drivers).
+
+Thanks to Kostya Kortchinsky of Google security team for discovering and
+reporting this issue.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/wmm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/ap/wmm.c b/src/ap/wmm.c
+index 6d4177c..314e244 100644
+--- a/src/ap/wmm.c
++++ b/src/ap/wmm.c
+@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd,
+ return;
+ }
+
++ if (left < 0)
++ return; /* not a valid WMM Action frame */
++
+ /* extract the tspec info element */
+ if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) {
+ hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
+--
+1.9.1
+
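Review bot: The new `if (left < 0) return;` guard drops the frame silently, while the `ParseFailed` branch immediately below it reports through hostapd_logger; a truncated WMM Action frame from an associated station is the same class of event and is worth surfacing to operators the same way. Consider a call such as `hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_DEBUG, "hostapd_wmm_action - truncated WMM Action frame");` ahead of the return, matching the adjacent style. hostapd_wmm_action begins outside the hunk, so how `left` is derived from the frame length is not visible here; this file carries the upstream commit verbatim, so any change would go upstream rather than into the Gentoo copy.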
diff --git a/net-wireless/hostapd/hostapd-2.4-r1.ebuild b/net-wireless/hostapd/hostapd-2.4-r2.ebuild
index f8ff714f196f..536b30e49195 100644
--- a/net-wireless/hostapd/hostapd-2.4-r1.ebuild
+++ b/net-wireless/hostapd/hostapd-2.4-r2.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-wireless/hostapd/hostapd-2.4-r1.ebuild,v 1.1 2015/05/08 18:14:59 gurligebis Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-wireless/hostapd/hostapd-2.4-r2.ebuild,v 1.1 2015/05/11 14:47:56 gurligebis Exp $
EAPI="4"
@@ -31,6 +31,8 @@ src_prepare() {
cd ..
# bug (548744)
+ epatch "${FILESDIR}/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch"
+ epatch "${FILESDIR}/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch"
epatch "${FILESDIR}/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch"
epatch "${FILESDIR}/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch"
epatch "${FILESDIR}/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch"