diff options
| author | Mark H Weaver <[email protected]> | 2015-10-08 08:42:13 -0400 |
|---|---|---|
| committer | Mark H Weaver <[email protected]> | 2015-10-08 09:15:30 -0400 |
| commit | e91e28d60c66362b7114d7a3ed7809609f2c1b4b (patch) | |
| tree | 38800abdc57a795673d6b71385703f2ac8421b26 /gnu/packages/patches/wpa-supplicant-2015-4-fix-pt4.patch | |
| parent | 797e1401feda5c32c67c2069afdbdc29792dfa78 (diff) | |
gnu: wpa-supplicant: Update to 2.5.
* gnu/packages/patches/wpa-supplicant-2015-2-fix.patch,
gnu/packages/patches/wpa-supplicant-2015-3-fix.patch,
gnu/packages/patches/wpa-supplicant-2015-4-fix-pt1.patch,
gnu/packages/patches/wpa-supplicant-2015-4-fix-pt2.patch,
gnu/packages/patches/wpa-supplicant-2015-4-fix-pt3.patch,
gnu/packages/patches/wpa-supplicant-2015-4-fix-pt4.patch,
gnu/packages/patches/wpa-supplicant-2015-4-fix-pt5.patch,
gnu/packages/patches/wpa-supplicant-2015-5-fix.patch,
gnu/packages/patches/wpa-supplicant-CVE-2015-1863.patch: Delete files.
* gnu-system.am (dist_patch_DATA): Remove them.
* gnu/packages/admin.scm (wpa-supplicant-minimal): Update to 2.5.
Remove patches.
Diffstat (limited to 'gnu/packages/patches/wpa-supplicant-2015-4-fix-pt4.patch')
| -rw-r--r-- | gnu/packages/patches/wpa-supplicant-2015-4-fix-pt4.patch | 52 |
1 files changed, 0 insertions, 52 deletions
diff --git a/gnu/packages/patches/wpa-supplicant-2015-4-fix-pt4.patch b/gnu/packages/patches/wpa-supplicant-2015-4-fix-pt4.patch deleted file mode 100644 index 3d945382bc..0000000000 --- a/gnu/packages/patches/wpa-supplicant-2015-4-fix-pt4.patch +++ /dev/null @@ -1,52 +0,0 @@ -Patch copied from http://w1.fi/security/2015-4/ - -From 3035cc2894e08319b905bd6561e8bddc8c2db9fa Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <[email protected]> -Date: Sat, 2 May 2015 19:26:06 +0300 -Subject: [PATCH 4/5] EAP-pwd server: Fix Total-Length parsing for fragment - reassembly - -The remaining number of bytes in the message could be smaller than the -Total-Length field size, so the length needs to be explicitly checked -prior to reading the field and decrementing the len variable. This could -have resulted in the remaining length becoming negative and interpreted -as a huge positive integer. - -In addition, check that there is no already started fragment in progress -before allocating a new buffer for reassembling fragments. This avoid a -potential memory leak when processing invalid message. - -Signed-off-by: Jouni Malinen <[email protected]> ---- - src/eap_server/eap_server_pwd.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c -index 3189105..2bfc3c2 100644 ---- a/src/eap_server/eap_server_pwd.c -+++ b/src/eap_server/eap_server_pwd.c -@@ -942,11 +942,21 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv, - * the first fragment has a total length - */ - if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) { -+ if (len < 2) { -+ wpa_printf(MSG_DEBUG, -+ "EAP-pwd: Frame too short to contain Total-Length field"); -+ return; -+ } - tot_len = WPA_GET_BE16(pos); - wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total " - "length = %d", tot_len); - if (tot_len > 15000) - return; -+ if (data->inbuf) { -+ wpa_printf(MSG_DEBUG, -+ "EAP-pwd: Unexpected new fragment start when previous fragment is still in use"); -+ return; -+ } - data->inbuf = wpabuf_alloc(tot_len); - if (data->inbuf == NULL) { - wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to " --- -1.9.1 - |