[hostapd/f17] EAP-TLS: Add extra validation for TLS Message Length
John W. Linville
linville at fedoraproject.org
Mon Oct 8 18:15:36 UTC 2012
commit 697dfc97ad6a3ffd17c402540ee2edf043445310
Author: John W. Linville <linville at tuxdriver.com>
Date: Mon Oct 8 13:41:39 2012 -0400
EAP-TLS: Add extra validation for TLS Message Length
...-server-Fix-TLS-Message-Length-validation.patch | 48 ++++++++++++++++++++
hostapd.spec | 10 ++++-
2 files changed, 57 insertions(+), 1 deletions(-)
---
diff --git a/hostapd-EAP-TLS-server-Fix-TLS-Message-Length-validation.patch b/hostapd-EAP-TLS-server-Fix-TLS-Message-Length-validation.patch
new file mode 100644
index 0000000..f550d7a
--- /dev/null
+++ b/hostapd-EAP-TLS-server-Fix-TLS-Message-Length-validation.patch
@@ -0,0 +1,48 @@
+From 586c446e0ff42ae00315b014924ec669023bd8de Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j at w1.fi>
+Date: Sun, 7 Oct 2012 20:06:29 +0300
+Subject: [PATCH] EAP-TLS server: Fix TLS Message Length validation
+
+EAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLS
+Message Length value properly and could end up trying to store more
+information into the message buffer than the allocated size if the first
+fragment is longer than the indicated size. This could result in hostapd
+process terminating in wpabuf length validation. Fix this by rejecting
+messages that have invalid TLS Message Length value.
+
+This would affect cases that use the internal EAP authentication server
+in hostapd either directly with IEEE 802.1X or when using hostapd as a
+RADIUS authentication server and when receiving an incorrectly
+constructed EAP-TLS message. Cases where hostapd uses an external
+authentication are not affected.
+
+Thanks to Timo Warns for finding and reporting this issue.
+
+Signed-hostap: Jouni Malinen <j at w1.fi>
+intended-for: hostap-1
+---
+ src/eap_server/eap_server_tls_common.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c
+index 31be2ec..46f282b 100644
+--- a/src/eap_server/eap_server_tls_common.c
++++ b/src/eap_server/eap_server_tls_common.c
+@@ -228,6 +228,14 @@ static int eap_server_tls_process_fragment(struct eap_ssl_data *data,
+ return -1;
+ }
+
++ if (len > message_length) {
++ wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
++ "first fragment of frame (TLS Message "
++ "Length %d bytes)",
++ (int) len, (int) message_length);
++ return -1;
++ }
++
+ data->tls_in = wpabuf_alloc(message_length);
+ if (data->tls_in == NULL) {
+ wpa_printf(MSG_DEBUG, "SSL: No memory for message");
+--
+1.7.11.4
+
diff --git a/hostapd.spec b/hostapd.spec
index ccd954b..4640404 100644
--- a/hostapd.spec
+++ b/hostapd.spec
@@ -1,6 +1,6 @@
Name: hostapd
Version: 0.7.3
-Release: 9%{?dist}
+Release: 10%{?dist}
Summary: IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
Group: System Environment/Daemons
License: BSD
@@ -11,6 +11,7 @@ Source1: %{name}.service
Source2: %{name}.conf
Source3: %{name}.sysconfig
Patch0: hostapd-RPM_OPT_FLAGS.patch
+Patch1: hostapd-EAP-TLS-server-Fix-TLS-Message-Length-validation.patch
BuildRequires: libnl-devel >= 1.1
BuildRequires: openssl-devel
@@ -47,6 +48,10 @@ Logwatch scripts for hostapd
# Hack Makefile to allow use of RPM_OPT_FLAGS
%patch0 -p1
+# git://w1.fi/srv/git/hostap.git
+# commit 586c446e0ff42ae00315b014924ec669023bd8de
+%patch1 -p1
+
# Prepare default config file
cat %{SOURCE2} | sed -e 's/HOSTAPD_VERSION/'%{version}'/' > hostapd.conf
@@ -163,6 +168,9 @@ fi
%changelog
+* Mon Oct 8 2012 John W. Linville <linville at redhat.com> - 0.7.3-10
+- EAP-TLS: Add extra validation for TLS Message Length
+
* Fri Jun 8 2012 John W. Linville <linville at redhat.com> - 0.7.3-9
- Remove hostapd-specific runtime state directory
More information about the scm-commits
mailing list