Date:      Mon, 8 Jun 2020 20:37:52 +0000 (UTC)
From:      Cy Schubert <cy@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org
Subject:   svn commit: r361937 - vendor/wpa/dist/src/wps
Message-ID:  <202006082037.058KbqgT051264@repo.freebsd.org>

Author: cy
Date: Mon Jun  8 20:37:52 2020
New Revision: 361937
URL: https://svnweb.freebsd.org/changeset/base/361937

Log:
  Upstream commit message:
  
  [PATCH 2/3] WPS UPnP: Fix event message generation using a long URL path
  
  More than about 700 character URL ended up overflowing the wpabuf used
  for building the event notification and this resulted in the wpabuf
  buffer overflow checks terminating the hostapd process. Fix this by
  allocating the buffer to be large enough to contain the full URL path.
  However, since that around 700 character limit has been the practical
  limit for more than ten years, start explicitly enforcing that as the
  limit for the callback URLs since any longer ones had not worked before
  and there is no need to enable them now either.
  
  Obtained from:	https://w1.fi/security/2020-1/\
  	0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
  Security:	VU#339275 and CVE-2020-12695

Modified:
  vendor/wpa/dist/src/wps/wps_upnp.c
  vendor/wpa/dist/src/wps/wps_upnp_event.c

Modified: vendor/wpa/dist/src/wps/wps_upnp.c
==============================================================================
--- vendor/wpa/dist/src/wps/wps_upnp.c	Mon Jun  8 20:35:03 2020	(r361936)
+++ vendor/wpa/dist/src/wps/wps_upnp.c	Mon Jun  8 20:37:52 2020	(r361937)
@@ -328,9 +328,14 @@ static void subscr_addr_add_url(struct subscription *s
 	int rerr;
 	size_t host_len, path_len;
 
-	/* url MUST begin with http: */
-	if (url_len < 7 || os_strncasecmp(url, "http://", 7))
+	/* URL MUST begin with HTTP scheme. In addition, limit the length of
+	 * the URL to 700 characters which is around the limit that was
+	 * implicitly enforced for more than 10 years due to a bug in
+	 * generating the event messages. */
+	if (url_len < 7 || os_strncasecmp(url, "http://", 7) || url_len > 700) {
+		wpa_printf(MSG_DEBUG, "WPS UPnP: Reject an unacceptable URL");
 		goto fail;
+	}
 	url += 7;
 	url_len -= 7;
 
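Review bot: The `700` on the new condition line is a bare magic number that the allocation in wps_upnp_event.c (the other hunk of this commit) now silently depends on; giving it a name shared by both files, e.g. `#define WPS_UPNP_MAX_URL_LEN 700` (proposed name) with the comment `/* practical limit enforced for years by the old event buffer size */`, would keep the check and the buffer sizing in step if either is ever changed. The new debug message does not distinguish a bad scheme from an over-long URL, so a rejected subscription is hard to triage from logs; logging the length, for instance `wpa_printf(MSG_DEBUG, "WPS UPnP: Reject an unacceptable URL (len=%lu)", (unsigned long) url_len);`, would help (url_len's declared type is outside the hunk, hence the cast). subscr_addr_add_url() begins before the hunk and its body continues after it.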

Modified: vendor/wpa/dist/src/wps/wps_upnp_event.c
==============================================================================
--- vendor/wpa/dist/src/wps/wps_upnp_event.c	Mon Jun  8 20:35:03 2020	(r361936)
+++ vendor/wpa/dist/src/wps/wps_upnp_event.c	Mon Jun  8 20:37:52 2020	(r361937)
@@ -147,7 +147,8 @@ static struct wpabuf * event_build_message(struct wps_
 	struct wpabuf *buf;
 	char *b;
 
-	buf = wpabuf_alloc(1000 + wpabuf_len(e->data));
+	buf = wpabuf_alloc(1000 + os_strlen(e->addr->path) +
+			   wpabuf_len(e->data));
 	if (buf == NULL)
 		return NULL;
 	wpabuf_printf(buf, "NOTIFY %s HTTP/1.1\r\n", e->addr->path);
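Review bot: The `1000` slack in the new wpabuf_alloc() call remains an undocumented assumption that everything other than the path and the payload fits in it, and since the log message says an overflow of this wpabuf terminates the process, any future header growth turns into a remote crash rather than a truncated message; a comment on the allocation such as `/* 1000 bytes must cover every header except the path, which is added explicitly; path length is bounded by the URL check in subscr_addr_add_url() */` would record that contract. Adding the path length is the right fix, but it presumably also assumes `e->addr->path` is never NULL here (os_strlen would dereference it); if a subscription address can exist without a path, a guard before the allocation is needed — that cannot be confirmed from the hunk. event_build_message() begins before the hunk and its remaining wpabuf_printf() calls continue after it.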


