aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41860.patch118
-rw-r--r--meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41861.patch53
-rw-r--r--meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb2
3 files changed, 173 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41860.patch b/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41860.patch
new file mode 100644
index 0000000000..4ea519c752
--- /dev/null
+++ b/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41860.patch
@@ -0,0 +1,118 @@
+From f1cdbb33ec61c4a64a32e107d4d02f936051c708 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Mon, 7 Feb 2022 22:26:05 -0500
+Subject: [PATCH] it's probably wrong to be completely retarded. Let's fix
+ that.
+
+CVE: CVE-2022-41860
+
+Upstream-Status: Backport
+[https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a32e107d4d02f936051c708]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ src/modules/rlm_eap/libeap/eapsimlib.c | 69 +++++++++++++++++++-------
+ 1 file changed, 52 insertions(+), 17 deletions(-)
+
+diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c
+index cf1e8a7dd9..e438a844ea 100644
+--- a/src/modules/rlm_eap/libeap/eapsimlib.c
++++ b/src/modules/rlm_eap/libeap/eapsimlib.c
+@@ -307,42 +307,77 @@ int unmap_eapsim_basictypes(RADIUS_PACKET *r,
+ newvp->vp_length = 1;
+ fr_pair_add(&(r->vps), newvp);
+
++ /*
++ * EAP-SIM has a 1 octet of subtype, and 2 octets
++ * reserved.
++ */
+ attr += 3;
+ attrlen -= 3;
+
+- /* now, loop processing each attribute that we find */
+- while(attrlen > 0) {
++ /*
++ * Loop over each attribute. The format is:
++ *
++ * 1 octet of type
++ * 1 octet of length (value 1..255)
++ * ((4 * length) - 2) octets of data.
++ */
++ while (attrlen > 0) {
+ uint8_t *p;
+
+- if(attrlen < 2) {
++ if (attrlen < 2) {
+ fr_strerror_printf("EAP-Sim attribute %d too short: %d < 2", es_attribute_count, attrlen);
+ return 0;
+ }
+
++ if (!attr[1]) {
++ fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", eapsim_attribute,
++ es_attribute_count);
++ return 0;
++ }
++
+ eapsim_attribute = attr[0];
+ eapsim_len = attr[1] * 4;
+
++ /*
++ * The length includes the 2-byte header.
++ */
+ if (eapsim_len > attrlen) {
+ fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length longer than data (%d > %d)",
+ eapsim_attribute, es_attribute_count, eapsim_len, attrlen);
+ return 0;
+ }
+
+- if(eapsim_len > MAX_STRING_LEN) {
+- eapsim_len = MAX_STRING_LEN;
+- }
+- if (eapsim_len < 2) {
+- fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute,
+- es_attribute_count);
+- return 0;
+- }
++ newvp = fr_pair_afrom_num(r, eapsim_attribute + PW_EAP_SIM_BASE, 0);
++ if (!newvp) {
++ /*
++ * RFC 4186 Section 8.1 says 0..127 are
++ * "non-skippable". If one such
++ * attribute is found and we don't
++ * understand it, the server has to send:
++ *
++ * EAP-Request/SIM/Notification packet with an
++ * (AT_NOTIFICATION code, which implies general failure ("General
++ * failure after authentication" (0), or "General failure" (16384),
++ * depending on the phase of the exchange), which terminates the
++ * authentication exchange.
++ */
++ if (eapsim_attribute <= 127) {
++ fr_strerror_printf("Unknown mandatory attribute %d, failing",
++ eapsim_attribute);
++ return 0;
++ }
+
+- newvp = fr_pair_afrom_num(r, eapsim_attribute+PW_EAP_SIM_BASE, 0);
+- newvp->vp_length = eapsim_len-2;
+- newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
+- memcpy(p, &attr[2], eapsim_len-2);
+- fr_pair_add(&(r->vps), newvp);
+- newvp = NULL;
++ } else {
++ /*
++ * It's known, ccount for header, and
++ * copy the value over.
++ */
++ newvp->vp_length = eapsim_len - 2;
++
++ newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
++ memcpy(p, &attr[2], newvp->vp_length);
++ fr_pair_add(&(r->vps), newvp);
++ }
+
+ /* advance pointers, decrement length */
+ attr += eapsim_len;
+--
+2.25.1
+
diff --git a/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41861.patch b/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41861.patch
new file mode 100644
index 0000000000..352c02137a
--- /dev/null
+++ b/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41861.patch
@@ -0,0 +1,53 @@
+From 0ec2b39d260e08e4c3464f6b95005821dc559c62 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Mon, 28 Feb 2022 10:34:15 -0500
+Subject: [PATCH] manual port of commit 5906bfa1
+
+CVE: CVE-2022-41861
+
+Upstream-Status: Backport
+[https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e08e4c3464f6b95005821dc559c62]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ src/lib/filters.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/filters.c b/src/lib/filters.c
+index 4868cd385d..3f3b63daee 100644
+--- a/src/lib/filters.c
++++ b/src/lib/filters.c
+@@ -1205,13 +1205,19 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
+ }
+ }
+ } else if (filter->type == RAD_FILTER_GENERIC) {
+- int count;
++ size_t count, masklen;
++
++ masklen = ntohs(filter->u.generic.len);
++ if (masklen >= sizeof(filter->u.generic.mask)) {
++ *p = '\0';
++ return;
++ }
+
+ i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset));
+ p += i;
+
+ /* show the mask */
+- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
++ for (count = 0; count < masklen; count++) {
+ i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]);
+ p += i;
+ outlen -= i;
+@@ -1222,7 +1228,7 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
+ outlen--;
+
+ /* show the value */
+- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
++ for (count = 0; count < masklen; count++) {
+ i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]);
+ p += i;
+ outlen -= i;
+--
+2.25.1
+
diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb
index 1407b798b5..db37f65918 100644
--- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb
+++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb
@@ -33,6 +33,8 @@ SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0
file://radiusd-volatiles.conf \
file://check-openssl-cmds-in-script-bootstrap.patch \
file://0001-version.c-don-t-print-build-flags.patch \
+ file://CVE-2022-41860.patch \
+ file://CVE-2022-41861.patch \
"
raddbdir="${sysconfdir}/${MLPREFIX}raddb"
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-05-07 08:25:51 +0000