| This patch combines the following upstream security fixes: |
| |
| 28a069a545b0 EAP-pwd peer: Fix asymmetric fragmentation behavior |
| 3035cc2894e0 EAP-pwd server: Fix Total-Length parsing for fragment reassembly |
| 477c74395acd EAP-pwd peer: Fix Total-Length parsing for fragment reassembly |
| e28a58be2618 EAP-pwd server: Fix payload length validation for Commit and Confirm |
| dd2f043c9c43 EAP-pwd peer: Fix payload length validation for Commit and Confirm |
| |
| Details at |
| http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt |
| |
| Signed-off-by: Baruch Siach <baruch@tkos.co.il> |
| --- |
| diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c |
| index f2b092669a42..e58b13a42f73 100644 |
| --- a/src/eap_peer/eap_pwd.c |
| +++ b/src/eap_peer/eap_pwd.c |
| @@ -355,6 +355,23 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data, |
| BIGNUM *mask = NULL, *x = NULL, *y = NULL, *cofactor = NULL; |
| u16 offset; |
| u8 *ptr, *scalar = NULL, *element = NULL; |
| + size_t prime_len, order_len; |
| + |
| + if (data->state != PWD_Commit_Req) { |
| + ret->ignore = TRUE; |
| + goto fin; |
| + } |
| + |
| + prime_len = BN_num_bytes(data->grp->prime); |
| + order_len = BN_num_bytes(data->grp->order); |
| + |
| + if (payload_len != 2 * prime_len + order_len) { |
| + wpa_printf(MSG_INFO, |
| + "EAP-pwd: Unexpected Commit payload length %u (expected %u)", |
| + (unsigned int) payload_len, |
| + (unsigned int) (2 * prime_len + order_len)); |
| + goto fin; |
| + } |
| |
| if (((data->private_value = BN_new()) == NULL) || |
| ((data->my_element = EC_POINT_new(data->grp->group)) == NULL) || |
| @@ -554,6 +571,18 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data, |
| u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr; |
| int offset; |
| |
| + if (data->state != PWD_Confirm_Req) { |
| + ret->ignore = TRUE; |
| + goto fin; |
| + } |
| + |
| + if (payload_len != SHA256_MAC_LEN) { |
| + wpa_printf(MSG_INFO, |
| + "EAP-pwd: Unexpected Confirm payload length %u (expected %u)", |
| + (unsigned int) payload_len, SHA256_MAC_LEN); |
| + goto fin; |
| + } |
| + |
| /* |
| * first build up the ciphersuite which is group | random_function | |
| * prf |
| @@ -837,11 +866,23 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret, |
| * if it's the first fragment there'll be a length field |
| */ |
| if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) { |
| + if (len < 2) { |
| + wpa_printf(MSG_DEBUG, |
| + "EAP-pwd: Frame too short to contain Total-Length field"); |
| + ret->ignore = TRUE; |
| + return NULL; |
| + } |
| tot_len = WPA_GET_BE16(pos); |
| wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments whose " |
| "total length = %d", tot_len); |
| if (tot_len > 15000) |
| return NULL; |
| + if (data->inbuf) { |
| + wpa_printf(MSG_DEBUG, |
| + "EAP-pwd: Unexpected new fragment start when previous fragment is still in use"); |
| + ret->ignore = TRUE; |
| + return NULL; |
| + } |
| data->inbuf = wpabuf_alloc(tot_len); |
| if (data->inbuf == NULL) { |
| wpa_printf(MSG_INFO, "Out of memory to buffer " |
| @@ -927,6 +968,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret, |
| /* |
| * we have output! Do we need to fragment it? |
| */ |
| + lm_exch = EAP_PWD_GET_EXCHANGE(lm_exch); |
| len = wpabuf_len(data->outbuf); |
| if ((len + EAP_PWD_HDR_SIZE) > data->mtu) { |
| resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD, data->mtu, |
| diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c |
| index 66bd5d2e9179..2bfc3c27647d 100644 |
| --- a/src/eap_server/eap_server_pwd.c |
| +++ b/src/eap_server/eap_server_pwd.c |
| @@ -656,9 +656,21 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data, |
| BIGNUM *x = NULL, *y = NULL, *cofactor = NULL; |
| EC_POINT *K = NULL, *point = NULL; |
| int res = 0; |
| + size_t prime_len, order_len; |
| |
| wpa_printf(MSG_DEBUG, "EAP-pwd: Received commit response"); |
| |
| + prime_len = BN_num_bytes(data->grp->prime); |
| + order_len = BN_num_bytes(data->grp->order); |
| + |
| + if (payload_len != 2 * prime_len + order_len) { |
| + wpa_printf(MSG_INFO, |
| + "EAP-pwd: Unexpected Commit payload length %u (expected %u)", |
| + (unsigned int) payload_len, |
| + (unsigned int) (2 * prime_len + order_len)); |
| + goto fin; |
| + } |
| + |
| if (((data->peer_scalar = BN_new()) == NULL) || |
| ((data->k = BN_new()) == NULL) || |
| ((cofactor = BN_new()) == NULL) || |
| @@ -774,6 +786,13 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data, |
| u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr; |
| int offset; |
| |
| + if (payload_len != SHA256_MAC_LEN) { |
| + wpa_printf(MSG_INFO, |
| + "EAP-pwd: Unexpected Confirm payload length %u (expected %u)", |
| + (unsigned int) payload_len, SHA256_MAC_LEN); |
| + goto fin; |
| + } |
| + |
| /* build up the ciphersuite: group | random_function | prf */ |
| grp = htons(data->group_num); |
| ptr = (u8 *) &cs; |
| @@ -923,11 +942,21 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv, |
| * the first fragment has a total length |
| */ |
| if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) { |
| + if (len < 2) { |
| + wpa_printf(MSG_DEBUG, |
| + "EAP-pwd: Frame too short to contain Total-Length field"); |
| + return; |
| + } |
| tot_len = WPA_GET_BE16(pos); |
| wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total " |
| "length = %d", tot_len); |
| if (tot_len > 15000) |
| return; |
| + if (data->inbuf) { |
| + wpa_printf(MSG_DEBUG, |
| + "EAP-pwd: Unexpected new fragment start when previous fragment is still in use"); |
| + return; |
| + } |
| data->inbuf = wpabuf_alloc(tot_len); |
| if (data->inbuf == NULL) { |
| wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to " |