path: root/gnu/packages/patches/wpa-supplicant-CVE-2021-27803.patch
author: Leo Famulari <leo@famulari.name> 2022-01-19 15:20:26 -0500
committer: Tobias Geerinckx-Rice <me@tobias.gr> 2022-01-16 01:00:05 +0100
commit: d331bd0a39fd3604581e3c5f15875b7733aad495 (patch)
tree: f16feda22598fa3260e29d40525cabbf41113559 /gnu/packages/patches/wpa-supplicant-CVE-2021-27803.patch
parent: ab4cdfe7c2a3f6dfca8c6241ffa31e21865344dc (diff)
gnu: wpa-supplicant: Update to 2.10 [security fixes].

See the upstream advisory for more information on the security fixes
contained in these updates:

https://w1.fi/security/2022-1/sae-eap-pwd-side-channel-attack-update-2.txt

* gnu/packages/admin.scm (wpa-supplicant-minimal): Update to 2.10.
[source]: Remove obsolete patches.
* gnu/packages/patches/wpa-supplicant-CVE-2021-27803.patch,
gnu/packages/patches/wpa-supplicant-CVE-2021-30004.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.

Signed-off-by: Tobias Geerinckx-Rice <me@tobias.gr>
Diffstat (limited to 'gnu/packages/patches/wpa-supplicant-CVE-2021-27803.patch')
-rw-r--r-- gnu/packages/patches/wpa-supplicant-CVE-2021-27803.patch 50
1 files changed, 0 insertions, 50 deletions
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2021-27803.patch b/gnu/packages/patches/wpa-supplicant-CVE-2021-27803.patch
deleted file mode 100644
index 1942bb3d55..0000000000
--- a/gnu/packages/patches/wpa-supplicant-CVE-2021-27803.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@codeaurora.org>
-Date: Tue, 8 Dec 2020 23:52:50 +0200
-Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
-
-p2p_add_device() may remove the oldest entry if there is no room in the
-peer table for a new peer. This would result in any pointer to that
-removed entry becoming stale. A corner case with an invalid PD Request
-frame could result in such a case ending up using (read+write) freed
-memory. This could only by triggered when the peer table has reached its
-maximum size and the PD Request frame is received from the P2P Device
-Address of the oldest remaining entry and the frame has incorrect P2P
-Device Address in the payload.
-
-Fix this by fetching the dev pointer again after having called
-p2p_add_device() so that the stale pointer cannot be used.
-
-Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
----
- src/p2p/p2p_pd.c | 12 +++++-------
- 1 file changed, 5 insertions(+), 7 deletions(-)
-
-diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
-index 3994ec03f86b..05fd593494ef 100644
---- a/src/p2p/p2p_pd.c
-+++ b/src/p2p/p2p_pd.c
-@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
- goto out;
- }
-
-+ dev = p2p_get_device(p2p, sa);
- if (!dev) {
-- dev = p2p_get_device(p2p, sa);
-- if (!dev) {
-- p2p_dbg(p2p,
-- "Provision Discovery device not found "
-- MACSTR, MAC2STR(sa));
-- goto out;
-- }
-+ p2p_dbg(p2p,
-+ "Provision Discovery device not found "
-+ MACSTR, MAC2STR(sa));
-+ goto out;
- }
- } else if (msg.wfd_subelems) {
- wpabuf_free(dev->info.wfd_subelems);
---
-2.25.1
-
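Review bot: deleting wpa-supplicant-CVE-2021-27803.patch is only safe if the 2.10 source already contains upstream commit 8460e3230988 (the re-fetch of dev via p2p_get_device() after p2p_add_device() in p2p_process_prov_disc_req()), and the commit message says only "Remove obsolete patches" without stating that. Suggest recording in the commit message that the fix is part of the 2.10 release, and confirming it by checking that src/p2p/p2p_pd.c in the 2.10 tarball has the unconditional `dev = p2p_get_device(p2p, sa);` before the `if (!dev)` check. This view is limited to the deleted patch file, so the matching removals in gnu/packages/admin.scm and in dist_patch_DATA in gnu/local.mk are not visible here and should be reviewed alongside it, so that no reference to the deleted file remains.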