wpa-supplicant: Fix CVE-2015-4141, CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146

wpa-supplicant: backport patch to fix CVE-2015-4141,
 CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146

Backport patch to fix CVE-2015-4141, CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146.
This patch is originally from:

For CVE-2015-4141:
http://w1.fi/security/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch

For CVE-2015-4143:
http://w1.fi/security/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
http://w1.fi/security/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch

For CVE-2015-4144 and CVE-2015-4145:
http://w1.fi/security/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
http://w1.fi/security/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch

For CVE-2015-4146:
http://w1.fi/security/2015-4/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch

Signed-off-by: Fan Xin <fan.xin at jp.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

1 files changed, 54 insertions, 0 deletions

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
new file mode 100644
index 0000000000..a4c02b4745
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
@@ -0,0 +1,54 @@
+Upstream-Status: Backport
+
+Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
+
+From 3035cc2894e08319b905bd6561e8bddc8c2db9fa Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 2 May 2015 19:26:06 +0300
+Subject: [PATCH 4/5] EAP-pwd server: Fix Total-Length parsing for fragment
+ reassembly
+
+The remaining number of bytes in the message could be smaller than the
+Total-Length field size, so the length needs to be explicitly checked
+prior to reading the field and decrementing the len variable. This could
+have resulted in the remaining length becoming negative and interpreted
+as a huge positive integer.
+
+In addition, check that there is no already started fragment in progress
+before allocating a new buffer for reassembling fragments. This avoid a
+potential memory leak when processing invalid message.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_server/eap_server_pwd.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
+index 3189105..2bfc3c2 100644
+--- a/src/eap_server/eap_server_pwd.c
++++ b/src/eap_server/eap_server_pwd.c
+@@ -942,11 +942,21 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
+ 	 * the first fragment has a total length
+ 	 */
+ 	if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
++		if (len < 2) {
++			wpa_printf(MSG_DEBUG,
++				   "EAP-pwd: Frame too short to contain Total-Length field");
++			return;
++		}
+ 		tot_len = WPA_GET_BE16(pos);
+ 		wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total "
+ 			   "length = %d", tot_len);
+ 		if (tot_len > 15000)
+ 			return;
++		if (data->inbuf) {
++			wpa_printf(MSG_DEBUG,
++				   "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
++			return;
++		}
+ 		data->inbuf = wpabuf_alloc(tot_len);
+ 		if (data->inbuf == NULL) {
+ 			wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to "
+-- 
+1.9.1
+