package/network/services/hostapd/patches/013-EAP-pwd-peer-Fix-error-path-for-unexpected-Confirm-m.patch

   1 From 95577884ca4fa76be91344ff7a8d5d1e6dc3da61 Mon Sep 17 00:00:00 2001
   2 From: Jouni Malinen <j@w1.fi>
   3 Date: Sun, 1 Nov 2015 19:35:44 +0200
   4 Subject: [PATCH] EAP-pwd peer: Fix error path for unexpected Confirm message
   5
   6 If the Confirm message is received from the server before the Identity
   7 exchange has been completed, the group has not yet been determined and
   8 data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange()
   9 did not take this corner case into account and could end up
  10 dereferencing a NULL pointer and terminating the process if invalid
  11 message sequence is received. (CVE-2015-5316)
  12
  13 Signed-off-by: Jouni Malinen <j@w1.fi>
  14 ---
  15  src/eap_peer/eap_pwd.c | 3 ++-
  16  1 file changed, 2 insertions(+), 1 deletion(-)
  17
  18 diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
  19 index 75ceef1..892b590 100644
  20 --- a/src/eap_peer/eap_pwd.c
  21 +++ b/src/eap_peer/eap_pwd.c
  22 @@ -774,7 +774,8 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
  23         wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN);
  24
  25  fin:
  26 -       bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
  27 +       if (data->grp)
  28 +               bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
  29         BN_clear_free(x);
  30         BN_clear_free(y);
  31         if (data->outbuf == NULL) {
  32 --
  33 1.9.1
  34