Date: Wed, 24 Mar 2021 08:58:29 GMT From: Cy Schubert <cy@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 3c2224758fc0 - stable/12 - MFC eeb26cf52c4c51e1571253d57684c442aa79a98d: Message-ID: <202103240858.12O8wTso033275@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/12 has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=3c2224758fc07c72da28c1a2359420c77e8e5d05 commit 3c2224758fc07c72da28c1a2359420c77e8e5d05 Author: Cy Schubert <cy@FreeBSD.org> AuthorDate: 2021-03-17 00:06:17 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2021-03-24 08:57:11 +0000 MFC eeb26cf52c4c51e1571253d57684c442aa79a98d: wpa: import fix for P2P provision discovery processing vulnerability Latest version available from: https://w1.fi/security/2021-1/ Vulnerability A vulnerability was discovered in how wpa_supplicant processes P2P (Wi-Fi Direct) provision discovery requests. Under a corner case condition, an invalid Provision Discovery Request frame could end up reaching a state where the oldest peer entry needs to be removed. With a suitably constructed invalid frame, this could result in use (read+write) of freed memory. This can result in an attacker within radio range of the device running P2P discovery being able to cause unexpected behavior, including termination of the wpa_supplicant process and potentially code execution. Vulnerable versions/configurations wpa_supplicant v1.0-v2.9 with CONFIG_P2P build option enabled An attacker (or a system controlled by the attacker) needs to be within radio range of the vulnerable system to send a set of suitably constructed management frames that trigger the corner case to be reached in the management of the P2P peer table. Note: FreeBSD base does not enable P2P. (cherry picked from commit eeb26cf52c4c51e1571253d57684c442aa79a98d) --- contrib/wpa/src/p2p/p2p_pd.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/contrib/wpa/src/p2p/p2p_pd.c b/contrib/wpa/src/p2p/p2p_pd.c index 3994ec03f86b..05fd593494ef 100644 --- a/contrib/wpa/src/p2p/p2p_pd.c +++ b/contrib/wpa/src/p2p/p2p_pd.c @@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa, goto out; } + dev = p2p_get_device(p2p, sa); if (!dev) { - dev = p2p_get_device(p2p, sa); - if (!dev) { - p2p_dbg(p2p, - "Provision Discovery device not found " - MACSTR, MAC2STR(sa)); - goto out; - } + p2p_dbg(p2p, + "Provision Discovery device not found " + MACSTR, MAC2STR(sa)); + goto out; } } else if (msg.wfd_subelems) { wpabuf_free(dev->info.wfd_subelems);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202103240858.12O8wTso033275>