From 0ba93a71c2d109ee65457ef8a37fc9d5ca30a2d0 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 29 2022 18:54:44 +0000 Subject: import wpa_supplicant-2.10-1.el8 --- diff --git a/.gitignore b/.gitignore index 1111241..09da52a 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/wpa_supplicant-2.9.tar.gz +SOURCES/wpa_supplicant-2.10.tar.gz diff --git a/.wpa_supplicant.metadata b/.wpa_supplicant.metadata index 47c5168..1466ec4 100644 --- a/.wpa_supplicant.metadata +++ b/.wpa_supplicant.metadata @@ -1 +1 @@ -b784c0e5e56889c81d027757a4623659bf15f9a8 SOURCES/wpa_supplicant-2.9.tar.gz +e295b07d599da4b99c3836d4402ec5746f77e8e8 SOURCES/wpa_supplicant-2.10.tar.gz diff --git a/SOURCES/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch b/SOURCES/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch deleted file mode 100644 index d764a9d..0000000 --- a/SOURCES/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch +++ /dev/null @@ -1,73 +0,0 @@ -From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen -Date: Thu, 29 Aug 2019 11:52:04 +0300 -Subject: [PATCH] AP: Silently ignore management frame from unexpected source - address - -Do not process any received Management frames with unexpected/invalid SA -so that we do not add any state for unexpected STA addresses or end up -sending out frames to unexpected destination. This prevents unexpected -sequences where an unprotected frame might end up causing the AP to send -out a response to another device and that other device processing the -unexpected response. - -In particular, this prevents some potential denial of service cases -where the unexpected response frame from the AP might result in a -connected station dropping its association. - -Signed-off-by: Jouni Malinen ---- - src/ap/drv_callbacks.c | 13 +++++++++++++ - src/ap/ieee802_11.c | 12 ++++++++++++ - 2 files changed, 25 insertions(+) - -diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c -index 31587685fe3b..34ca379edc3d 100644 ---- a/src/ap/drv_callbacks.c -+++ b/src/ap/drv_callbacks.c -@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr, - "hostapd_notif_assoc: Skip event with no address"); - return -1; - } -+ -+ if (is_multicast_ether_addr(addr) || -+ is_zero_ether_addr(addr) || -+ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) { -+ /* Do not process any frames with unexpected/invalid SA so that -+ * we do not add any state for unexpected STA addresses or end -+ * up sending out frames to unexpected destination. */ -+ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR -+ " in received indication - ignore this indication silently", -+ __func__, MAC2STR(addr)); -+ return 0; -+ } -+ - random_add_randomness(addr, ETH_ALEN); - - hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211, -diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c -index c85a28db44b7..e7065372e158 100644 ---- a/src/ap/ieee802_11.c -+++ b/src/ap/ieee802_11.c -@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, - fc = le_to_host16(mgmt->frame_control); - stype = WLAN_FC_GET_STYPE(fc); - -+ if (is_multicast_ether_addr(mgmt->sa) || -+ is_zero_ether_addr(mgmt->sa) || -+ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) { -+ /* Do not process any frames with unexpected/invalid SA so that -+ * we do not add any state for unexpected STA addresses or end -+ * up sending out frames to unexpected destination. */ -+ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR -+ " in received frame - ignore this frame silently", -+ MAC2STR(mgmt->sa)); -+ return 0; -+ } -+ - if (stype == WLAN_FC_STYPE_BEACON) { - handle_beacon(hapd, mgmt, len, fi); - return 1; --- -2.20.1 - diff --git a/SOURCES/build-config b/SOURCES/build-config index 6d7aa43..ab7ff50 100644 --- a/SOURCES/build-config +++ b/SOURCES/build-config @@ -44,3 +44,4 @@ CONFIG_OWE=y CONFIG_DPP=y CONFIG_WIFI_DISPLAY=y CONFIG_SUITEB192=y +CONFIG_WEP=Y diff --git a/SOURCES/wpa_supplicant-D-Bus-Allow-changing-an-interface-bridge-via-D-Bus.patch b/SOURCES/wpa_supplicant-D-Bus-Allow-changing-an-interface-bridge-via-D-Bus.patch deleted file mode 100644 index 4da577e..0000000 --- a/SOURCES/wpa_supplicant-D-Bus-Allow-changing-an-interface-bridge-via-D-Bus.patch +++ /dev/null @@ -1,200 +0,0 @@ -From 1c58317f56e312576b6872440f125f794e45f991 Mon Sep 17 00:00:00 2001 -Message-Id: <1c58317f56e312576b6872440f125f794e45f991.1602774933.git.davide.caratti@gmail.com> -From: Beniamino Galvani -Date: Wed, 30 Sep 2020 18:34:36 +0200 -Subject: [PATCH] D-Bus: Allow changing an interface bridge via D-Bus - -D-Bus clients can call CreateInterface() once and use the resulting -Interface object to connect multiple times to different networks. - -However, if the network interface gets added to a bridge, clients -currently have to remove the Interface object and create a new one. - -Improve this by supporting the change of the BridgeIfname property of -an existing Interface object. - -Signed-off-by: Beniamino Galvani ---- - src/rsn_supp/tdls.c | 5 +++ - wpa_supplicant/dbus/dbus_new.c | 2 +- - wpa_supplicant/dbus/dbus_new_handlers.c | 37 ++++++++++++++++ - wpa_supplicant/dbus/dbus_new_handlers.h | 1 + - wpa_supplicant/wpa_supplicant.c | 59 +++++++++++++++++++++++++ - wpa_supplicant/wpa_supplicant_i.h | 2 + - 6 files changed, 105 insertions(+), 1 deletion(-) - -diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c -index 7b47e3ac5..eff8cd829 100644 ---- a/src/rsn_supp/tdls.c -+++ b/src/rsn_supp/tdls.c -@@ -2807,6 +2807,11 @@ int wpa_tdls_init(struct wpa_sm *sm) - if (sm == NULL) - return -1; - -+ if (sm->l2_tdls) { -+ l2_packet_deinit(sm->l2_tdls); -+ sm->l2_tdls = NULL; -+ } -+ - sm->l2_tdls = l2_packet_init(sm->bridge_ifname ? sm->bridge_ifname : - sm->ifname, - sm->own_addr, -diff --git a/wpa_supplicant/dbus/dbus_new.c b/wpa_supplicant/dbus/dbus_new.c -index 793a881ef..ab7628f87 100644 ---- a/wpa_supplicant/dbus/dbus_new.c -+++ b/wpa_supplicant/dbus/dbus_new.c -@@ -3613,7 +3613,7 @@ static const struct wpa_dbus_property_desc wpas_dbus_interface_properties[] = { - }, - { "BridgeIfname", WPAS_DBUS_NEW_IFACE_INTERFACE, "s", - wpas_dbus_getter_bridge_ifname, -- NULL, -+ wpas_dbus_setter_bridge_ifname, - NULL - }, - { "ConfigFile", WPAS_DBUS_NEW_IFACE_INTERFACE, "s", -diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c -index 34abab752..2cfc87fa8 100644 ---- a/wpa_supplicant/dbus/dbus_new_handlers.c -+++ b/wpa_supplicant/dbus/dbus_new_handlers.c -@@ -3635,6 +3635,43 @@ dbus_bool_t wpas_dbus_getter_bridge_ifname( - } - - -+dbus_bool_t wpas_dbus_setter_bridge_ifname( -+ const struct wpa_dbus_property_desc *property_desc, -+ DBusMessageIter *iter, DBusError *error, void *user_data) -+{ -+ struct wpa_supplicant *wpa_s = user_data; -+ const char *bridge_ifname = NULL; -+ const char *msg; -+ int r; -+ -+ if (!wpas_dbus_simple_property_setter(iter, error, DBUS_TYPE_STRING, -+ &bridge_ifname)) -+ return FALSE; -+ -+ r = wpa_supplicant_update_bridge_ifname(wpa_s, bridge_ifname); -+ if (r != 0) { -+ switch (r) { -+ case -EINVAL: -+ msg = "invalid interface name"; -+ break; -+ case -EBUSY: -+ msg = "interface is busy"; -+ break; -+ case -EIO: -+ msg = "socket error"; -+ break; -+ default: -+ msg = "unknown error"; -+ break; -+ } -+ dbus_set_error_const(error, DBUS_ERROR_FAILED, msg); -+ return FALSE; -+ } -+ -+ return TRUE; -+} -+ -+ - /** - * wpas_dbus_getter_config_file - Get interface configuration file path - * @iter: Pointer to incoming dbus message iter -diff --git a/wpa_supplicant/dbus/dbus_new_handlers.h b/wpa_supplicant/dbus/dbus_new_handlers.h -index afa26efed..d528c0816 100644 ---- a/wpa_supplicant/dbus/dbus_new_handlers.h -+++ b/wpa_supplicant/dbus/dbus_new_handlers.h -@@ -167,6 +167,7 @@ DECLARE_ACCESSOR(wpas_dbus_setter_scan_interval); - DECLARE_ACCESSOR(wpas_dbus_getter_ifname); - DECLARE_ACCESSOR(wpas_dbus_getter_driver); - DECLARE_ACCESSOR(wpas_dbus_getter_bridge_ifname); -+DECLARE_ACCESSOR(wpas_dbus_setter_bridge_ifname); - DECLARE_ACCESSOR(wpas_dbus_getter_config_file); - DECLARE_ACCESSOR(wpas_dbus_getter_current_bss); - DECLARE_ACCESSOR(wpas_dbus_getter_current_network); -diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c -index 39e92fb68..a7e9e459e 100644 ---- a/wpa_supplicant/wpa_supplicant.c -+++ b/wpa_supplicant/wpa_supplicant.c -@@ -4906,6 +4906,65 @@ static void wpa_supplicant_rx_eapol_bridge(void *ctx, const u8 *src_addr, - } - - -+int wpa_supplicant_update_bridge_ifname(struct wpa_supplicant *wpa_s, -+ const char *bridge_ifname) -+{ -+ if (wpa_s->wpa_state > WPA_SCANNING) -+ return -EBUSY; -+ -+ if (bridge_ifname && -+ os_strlen(bridge_ifname) >= sizeof(wpa_s->bridge_ifname)) -+ return -EINVAL; -+ -+ if (!bridge_ifname) -+ bridge_ifname = ""; -+ -+ if (os_strcmp(wpa_s->bridge_ifname, bridge_ifname) == 0) -+ return 0; -+ -+ if (wpa_s->l2_br) { -+ l2_packet_deinit(wpa_s->l2_br); -+ wpa_s->l2_br = NULL; -+ } -+ -+ os_strlcpy(wpa_s->bridge_ifname, bridge_ifname, -+ sizeof(wpa_s->bridge_ifname)); -+ -+ if (wpa_s->bridge_ifname[0]) { -+ wpa_dbg(wpa_s, MSG_DEBUG, -+ "Receiving packets from bridge interface '%s'", -+ wpa_s->bridge_ifname); -+ wpa_s->l2_br = l2_packet_init_bridge( -+ wpa_s->bridge_ifname, wpa_s->ifname, wpa_s->own_addr, -+ ETH_P_EAPOL, wpa_supplicant_rx_eapol_bridge, wpa_s, 1); -+ if (!wpa_s->l2_br) { -+ wpa_msg(wpa_s, MSG_ERROR, -+ "Failed to open l2_packet connection for the bridge interface '%s'", -+ wpa_s->bridge_ifname); -+ goto fail; -+ } -+ } -+ -+#ifdef CONFIG_TDLS -+ if (!wpa_s->p2p_mgmt && wpa_tdls_init(wpa_s->wpa)) -+ goto fail; -+#endif /* CONFIG_TDLS */ -+ -+ return 0; -+fail: -+ wpa_s->bridge_ifname[0] = 0; -+ if (wpa_s->l2_br) { -+ l2_packet_deinit(wpa_s->l2_br); -+ wpa_s->l2_br = NULL; -+ } -+#ifdef CONFIG_TDLS -+ if (!wpa_s->p2p_mgmt) -+ wpa_tdls_init(wpa_s->wpa); -+#endif /* CONFIG_TDLS */ -+ return -EIO; -+} -+ -+ - /** - * wpa_supplicant_driver_init - Initialize driver interface parameters - * @wpa_s: Pointer to wpa_supplicant data -diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h -index 31a9b7427..eac3491cc 100644 ---- a/wpa_supplicant/wpa_supplicant_i.h -+++ b/wpa_supplicant/wpa_supplicant_i.h -@@ -1351,6 +1351,8 @@ int wpa_supplicant_reload_configuration(struct wpa_supplicant *wpa_s); - const char * wpa_supplicant_state_txt(enum wpa_states state); - int wpa_supplicant_update_mac_addr(struct wpa_supplicant *wpa_s); - int wpa_supplicant_driver_init(struct wpa_supplicant *wpa_s); -+int wpa_supplicant_update_bridge_ifname(struct wpa_supplicant *wpa_s, -+ const char *bridge_ifname); - int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, - struct wpa_bss *bss, struct wpa_ssid *ssid, - u8 *wpa_ie, size_t *wpa_ie_len); --- -2.26.2 - diff --git a/SOURCES/wpa_supplicant-P2P-Always-use-global-p2p_long_listen.patch b/SOURCES/wpa_supplicant-P2P-Always-use-global-p2p_long_listen.patch deleted file mode 100644 index f967fb9..0000000 --- a/SOURCES/wpa_supplicant-P2P-Always-use-global-p2p_long_listen.patch +++ /dev/null @@ -1,112 +0,0 @@ -From 9ad3c12dd1bf56824ef8b3425e057e8d1e84e69d Mon Sep 17 00:00:00 2001 -Message-Id: <9ad3c12dd1bf56824ef8b3425e057e8d1e84e69d.1602752483.git.davide.caratti@gmail.com> -From: Benjamin Berg -Date: Fri, 3 Jan 2020 22:18:51 +0100 -Subject: [PATCH] P2P: Always use global p2p_long_listen - -The p2p_long_listen value was set on the control wpa_s struct while in a -lot of cases it operated on the p2p struct. Explicitly use the global -p2p_init_wpa_s struct in cases where we might not be operating on it -already. - -Without this, simply starting a p2p_listen operation (e.g., using -wpa_cli) will not work properly. As the p2p_long_listen is set on the -controlling interface and wpas_p2p_cancel_remain_on_channel_cb() uses -p2p_init_wpa_s, it would not actually work. This results in -wpa_supplicant stopping listening after the maximum remain-on-channel -time passes when using a separate P2P Device interface. - -Signed-off-by: Benjamin Berg ---- - wpa_supplicant/p2p_supplicant.c | 19 ++++++++++--------- - 1 file changed, 10 insertions(+), 9 deletions(-) - -diff --git a/wpa_supplicant/p2p_supplicant.c b/wpa_supplicant/p2p_supplicant.c -index 95bacec19..a7d3b7f1d 100644 ---- a/wpa_supplicant/p2p_supplicant.c -+++ b/wpa_supplicant/p2p_supplicant.c -@@ -2422,7 +2422,7 @@ static void wpas_go_neg_completed(void *ctx, struct p2p_go_neg_results *res) - wpas_start_wps_enrollee(group_wpa_s, res); - } - -- wpa_s->p2p_long_listen = 0; -+ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = 0; - eloop_cancel_timeout(wpas_p2p_long_listen_timeout, wpa_s, NULL); - - eloop_cancel_timeout(wpas_p2p_group_formation_timeout, wpa_s, NULL); -@@ -4750,7 +4750,8 @@ void wpas_p2p_deinit(struct wpa_supplicant *wpa_s) - eloop_cancel_timeout(wpas_p2p_psk_failure_removal, wpa_s, NULL); - eloop_cancel_timeout(wpas_p2p_group_formation_timeout, wpa_s, NULL); - eloop_cancel_timeout(wpas_p2p_join_scan, wpa_s, NULL); -- wpa_s->p2p_long_listen = 0; -+ if (wpa_s->global->p2p_init_wpa_s) -+ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = 0; - eloop_cancel_timeout(wpas_p2p_long_listen_timeout, wpa_s, NULL); - eloop_cancel_timeout(wpas_p2p_group_idle_timeout, wpa_s, NULL); - wpas_p2p_remove_pending_group_interface(wpa_s); -@@ -5635,7 +5636,7 @@ int wpas_p2p_connect(struct wpa_supplicant *wpa_s, const u8 *peer_addr, - go_intent = wpa_s->conf->p2p_go_intent; - - if (!auth) -- wpa_s->p2p_long_listen = 0; -+ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = 0; - - wpa_s->p2p_wps_method = wps_method; - wpa_s->p2p_persistent_group = !!persistent_group; -@@ -6952,7 +6953,7 @@ int wpas_p2p_find(struct wpa_supplicant *wpa_s, unsigned int timeout, - u8 seek_cnt, const char **seek_string, int freq) - { - wpas_p2p_clear_pending_action_tx(wpa_s); -- wpa_s->p2p_long_listen = 0; -+ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = 0; - - if (wpa_s->global->p2p_disabled || wpa_s->global->p2p == NULL || - wpa_s->p2p_in_provisioning) { -@@ -6997,7 +6998,7 @@ static void wpas_p2p_scan_res_ignore_search(struct wpa_supplicant *wpa_s, - static void wpas_p2p_stop_find_oper(struct wpa_supplicant *wpa_s) - { - wpas_p2p_clear_pending_action_tx(wpa_s); -- wpa_s->p2p_long_listen = 0; -+ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = 0; - eloop_cancel_timeout(wpas_p2p_long_listen_timeout, wpa_s, NULL); - eloop_cancel_timeout(wpas_p2p_join_scan, wpa_s, NULL); - -@@ -7023,7 +7024,7 @@ void wpas_p2p_stop_find(struct wpa_supplicant *wpa_s) - static void wpas_p2p_long_listen_timeout(void *eloop_ctx, void *timeout_ctx) - { - struct wpa_supplicant *wpa_s = eloop_ctx; -- wpa_s->p2p_long_listen = 0; -+ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = 0; - } - - -@@ -7052,7 +7053,7 @@ int wpas_p2p_listen(struct wpa_supplicant *wpa_s, unsigned int timeout) - timeout = 3600; - } - eloop_cancel_timeout(wpas_p2p_long_listen_timeout, wpa_s, NULL); -- wpa_s->p2p_long_listen = 0; -+ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = 0; - - /* - * Stop previous find/listen operation to avoid trying to request a new -@@ -7064,7 +7065,7 @@ int wpas_p2p_listen(struct wpa_supplicant *wpa_s, unsigned int timeout) - - res = wpas_p2p_listen_start(wpa_s, timeout * 1000); - if (res == 0 && timeout * 1000 > wpa_s->max_remain_on_chan) { -- wpa_s->p2p_long_listen = timeout * 1000; -+ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = timeout * 1000; - eloop_register_timeout(timeout, 0, - wpas_p2p_long_listen_timeout, - wpa_s, NULL); -@@ -7171,7 +7172,7 @@ static void wpas_p2p_group_deinit(struct wpa_supplicant *wpa_s) - - int wpas_p2p_reject(struct wpa_supplicant *wpa_s, const u8 *addr) - { -- wpa_s->p2p_long_listen = 0; -+ wpa_s->global->p2p_init_wpa_s->p2p_long_listen = 0; - - if (wpa_s->global->p2p_disabled || wpa_s->global->p2p == NULL) - return -1; --- -2.26.2 - diff --git a/SOURCES/wpa_supplicant-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch b/SOURCES/wpa_supplicant-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch deleted file mode 100644 index 1942bb3..0000000 --- a/SOURCES/wpa_supplicant-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen -Date: Tue, 8 Dec 2020 23:52:50 +0200 -Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request - -p2p_add_device() may remove the oldest entry if there is no room in the -peer table for a new peer. This would result in any pointer to that -removed entry becoming stale. A corner case with an invalid PD Request -frame could result in such a case ending up using (read+write) freed -memory. This could only by triggered when the peer table has reached its -maximum size and the PD Request frame is received from the P2P Device -Address of the oldest remaining entry and the frame has incorrect P2P -Device Address in the payload. - -Fix this by fetching the dev pointer again after having called -p2p_add_device() so that the stale pointer cannot be used. - -Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request") -Signed-off-by: Jouni Malinen ---- - src/p2p/p2p_pd.c | 12 +++++------- - 1 file changed, 5 insertions(+), 7 deletions(-) - -diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c -index 3994ec03f86b..05fd593494ef 100644 ---- a/src/p2p/p2p_pd.c -+++ b/src/p2p/p2p_pd.c -@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa, - goto out; - } - -+ dev = p2p_get_device(p2p, sa); - if (!dev) { -- dev = p2p_get_device(p2p, sa); -- if (!dev) { -- p2p_dbg(p2p, -- "Provision Discovery device not found " -- MACSTR, MAC2STR(sa)); -- goto out; -- } -+ p2p_dbg(p2p, -+ "Provision Discovery device not found " -+ MACSTR, MAC2STR(sa)); -+ goto out; - } - } else if (msg.wfd_subelems) { - wpabuf_free(dev->info.wfd_subelems); --- -2.25.1 - diff --git a/SOURCES/wpa_supplicant-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch b/SOURCES/wpa_supplicant-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch deleted file mode 100644 index 77a5eb9..0000000 --- a/SOURCES/wpa_supplicant-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001 -Message-Id: <947272febe24a8f0ea828b5b2f35f13c3821901e.1612435525.git.davide.caratti@gmail.com> -From: Jouni Malinen -Date: Mon, 9 Nov 2020 11:43:12 +0200 -Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group - client - -Parsing and copying of WPS secondary device types list was verifying -that the contents is not too long for the internal maximum in the case -of WPS messages, but similar validation was missing from the case of P2P -group information which encodes this information in a different -attribute. This could result in writing beyond the memory area assigned -for these entries and corrupting memory within an instance of struct -p2p_device. This could result in invalid operations and unexpected -behavior when trying to free pointers from that corrupted memory. - -Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269 -Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers") -Signed-off-by: Jouni Malinen ---- - src/p2p/p2p.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c -index 74b7b52ae..5cbfc217f 100644 ---- a/src/p2p/p2p.c -+++ b/src/p2p/p2p.c -@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev, - dev->info.config_methods = cli->config_methods; - os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8); - dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types; -+ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN) -+ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN; - os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types, - dev->info.wps_sec_dev_type_list_len); - } --- -2.29.2 - diff --git a/SOURCES/wpa_supplicant-dbus-Export-OWE-capability-and-OWE-BSS-key_mgmt.patch b/SOURCES/wpa_supplicant-dbus-Export-OWE-capability-and-OWE-BSS-key_mgmt.patch deleted file mode 100644 index 30a07e4..0000000 --- a/SOURCES/wpa_supplicant-dbus-Export-OWE-capability-and-OWE-BSS-key_mgmt.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 7800725afb27397f7d6033d4969e2aeb61af4737 Mon Sep 17 00:00:00 2001 -Message-Id: <7800725afb27397f7d6033d4969e2aeb61af4737.1602780273.git.davide.caratti@gmail.com> -From: Beniamino Galvani -Date: Sun, 13 Oct 2019 15:18:54 +0200 -Subject: [PATCH] dbus: Export OWE capability and OWE BSS key_mgmt - -Export a new 'owe' capability to indicate that wpa_supplicant was -built with OWE support and accepts 'key_mgmt=OWE'. Also, support 'owe' -in the array of BSS' available key managements. - -Signed-off-by: Beniamino Galvani ---- - wpa_supplicant/dbus/dbus_new_handlers.c | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c -index d2c84e5c5..1206c3cde 100644 ---- a/wpa_supplicant/dbus/dbus_new_handlers.c -+++ b/wpa_supplicant/dbus/dbus_new_handlers.c -@@ -984,8 +984,7 @@ dbus_bool_t wpas_dbus_getter_global_capabilities( - const struct wpa_dbus_property_desc *property_desc, - DBusMessageIter *iter, DBusError *error, void *user_data) - { -- const char *capabilities[10] = { NULL, NULL, NULL, NULL, NULL, NULL, -- NULL, NULL, NULL, NULL }; -+ const char *capabilities[11]; - size_t num_items = 0; - #ifdef CONFIG_FILS - struct wpa_global *global = user_data; -@@ -1028,6 +1027,9 @@ dbus_bool_t wpas_dbus_getter_global_capabilities( - #ifdef CONFIG_SHA384 - capabilities[num_items++] = "sha384"; - #endif /* CONFIG_SHA384 */ -+#ifdef CONFIG_OWE -+ capabilities[num_items++] = "owe"; -+#endif /* CONFIG_OWE */ - - return wpas_dbus_simple_array_property_getter(iter, - DBUS_TYPE_STRING, -@@ -4491,7 +4493,7 @@ static dbus_bool_t wpas_dbus_get_bss_security_prop( - DBusMessageIter iter_dict, variant_iter; - const char *group; - const char *pairwise[5]; /* max 5 pairwise ciphers is supported */ -- const char *key_mgmt[15]; /* max 15 key managements may be supported */ -+ const char *key_mgmt[16]; /* max 16 key managements may be supported */ - int n; - - if (!dbus_message_iter_open_container(iter, DBUS_TYPE_VARIANT, -@@ -4544,6 +4546,10 @@ static dbus_bool_t wpas_dbus_get_bss_security_prop( - if (ie_data->key_mgmt & WPA_KEY_MGMT_FT_SAE) - key_mgmt[n++] = "ft-sae"; - #endif /* CONFIG_SAE */ -+#ifdef CONFIG_OWE -+ if (ie_data->key_mgmt & WPA_KEY_MGMT_OWE) -+ key_mgmt[n++] = "owe"; -+#endif /* CONFIG_OWE */ - if (ie_data->key_mgmt & WPA_KEY_MGMT_NONE) - key_mgmt[n++] = "wpa-none"; - --- -2.26.2 - diff --git a/SOURCES/wpa_supplicant-flush-debug-output.patch b/SOURCES/wpa_supplicant-flush-debug-output.patch index a686851..f2295bc 100644 --- a/SOURCES/wpa_supplicant-flush-debug-output.patch +++ b/SOURCES/wpa_supplicant-flush-debug-output.patch @@ -1,49 +1,35 @@ ---- wpa_supplicant-0.6.3/src/utils/wpa_debug.c.flush-debug 2007-07-30 23:15:34.000000000 -0400 -+++ wpa_supplicant-0.6.3/src/utils/wpa_debug.c 2007-07-30 23:17:06.000000000 -0400 -@@ -157,6 +157,7 @@ void wpa_debug_print_timestamp(void) - if (out_file) { +--- a/src/utils/wpa_debug.c ++++ b/src/utils/wpa_debug.c +@@ -79,6 +79,7 @@ void wpa_debug_print_timestamp(void) + if (out_file) fprintf(out_file, "%ld.%06u: ", (long) tv.sec, (unsigned int) tv.usec); -+ fflush(out_file); - } else ++ fflush(out_file); #endif /* CONFIG_DEBUG_FILE */ - printf("%ld.%06u: ", (long) tv.sec, (unsigned int) tv.usec); -@@ -185,6 +186,7 @@ void wpa_printf(int level, char *fmt, .. - if (out_file) { + if (!out_file && !wpa_debug_syslog) + printf("%ld.%06u: ", (long) tv.sec, (unsigned int) tv.usec); +@@ -230,6 +231,7 @@ void wpa_printf(int level, const char *f + va_start(ap, fmt); vfprintf(out_file, fmt, ap); fprintf(out_file, "\n"); + fflush(out_file); - } else { + va_end(ap); + } #endif /* CONFIG_DEBUG_FILE */ - vprintf(fmt, ap); -@@ -217,6 +219,7 @@ static void _wpa_hexdump(int level, cons +@@ -365,6 +367,7 @@ static void _wpa_hexdump(int level, cons fprintf(out_file, " [REMOVED]"); } fprintf(out_file, "\n"); + fflush(out_file); - } else { + } #endif /* CONFIG_DEBUG_FILE */ - printf("%s - hexdump(len=%lu):", title, (unsigned long) len); -@@ -262,12 +265,14 @@ static void _wpa_hexdump_ascii(int level - fprintf(out_file, - "%s - hexdump_ascii(len=%lu): [REMOVED]\n", - title, (unsigned long) len); -+ fflush(out_file); - return; - } - if (buf == NULL) { - fprintf(out_file, - "%s - hexdump_ascii(len=%lu): [NULL]\n", - title, (unsigned long) len); -+ fflush(out_file); - return; - } - fprintf(out_file, "%s - hexdump_ascii(len=%lu):\n", -@@ -292,6 +297,7 @@ static void _wpa_hexdump_ascii(int level - pos += llen; - len -= llen; + if (!wpa_debug_syslog && !out_file) { +@@ -468,6 +471,8 @@ static void _wpa_hexdump_ascii(int level } + } + file_done: ++ if (out_file) + fflush(out_file); - } else { #endif /* CONFIG_DEBUG_FILE */ - if (!show) { + if (!wpa_debug_syslog && !out_file) { + if (!show) { diff --git a/SOURCES/wpa_supplicant-gui-qt4.patch b/SOURCES/wpa_supplicant-gui-qt4.patch index c54cd9a..7acca1e 100644 --- a/SOURCES/wpa_supplicant-gui-qt4.patch +++ b/SOURCES/wpa_supplicant-gui-qt4.patch @@ -9,12 +9,10 @@ different locations. wpa_supplicant/Makefile | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile -index ad9ead9..b19676d 100644 --- a/wpa_supplicant/Makefile +++ b/wpa_supplicant/Makefile -@@ -11,6 +11,9 @@ export INCDIR ?= /usr/local/include/ - export BINDIR ?= /usr/local/sbin/ +@@ -35,6 +35,9 @@ export INCDIR ?= /usr/local/include + export BINDIR ?= /usr/local/sbin PKG_CONFIG ?= pkg-config +QMAKE ?= qmake @@ -23,7 +21,7 @@ index ad9ead9..b19676d 100644 CFLAGS += $(EXTRA_CFLAGS) CFLAGS += -I$(abspath ../src) CFLAGS += -I$(abspath ../src/utils) -@@ -1787,10 +1790,10 @@ wpa_gui: +@@ -2039,10 +2042,10 @@ wpa_gui: @echo "wpa_gui has been removed - see wpa_gui-qt4 for replacement" wpa_gui-qt4/Makefile: @@ -36,6 +34,3 @@ index ad9ead9..b19676d 100644 wpa_gui-qt4: wpa_gui-qt4/Makefile wpa_gui-qt4/lang/wpa_gui_de.qm $(MAKE) -C wpa_gui-qt4 --- -2.6.2 - diff --git a/SOURCES/wpa_supplicant-p2p-segfault-on-iface-removal.patch b/SOURCES/wpa_supplicant-p2p-segfault-on-iface-removal.patch deleted file mode 100644 index c0c7555..0000000 --- a/SOURCES/wpa_supplicant-p2p-segfault-on-iface-removal.patch +++ /dev/null @@ -1,210 +0,0 @@ -From b2ad4e6b24ed0271ca76cb27856def0a701fb778 Mon Sep 17 00:00:00 2001 -Message-Id: -From: Davide Caratti -Date: Wed, 2 Oct 2019 14:08:41 +0200 -Subject: [PATCH] D-Bus: Fix P2P NULL dereference after interface removal - -When the P2P management interface is deleted, P2P is then disabled and -global->p2p_init_wpa_s is set to NULL. After that, other interfaces can -still trigger P2P functions (like wpas_p2p_find()) using D-Bus. This -makes wpa_supplicant terminate with SIGSEGV, because it dereferences a -NULL pointer. Fix this by adding proper checks, like it's done with -wpa_cli. - -CC: Beniamino Galvani -CC: Benjamin Berg -Reported-by: Vladimir Benes -Signed-off-by: Davide Caratti ---- - wpa_supplicant/dbus/dbus_new_handlers_p2p.c | 69 ++++++++++++++++++++- - 1 file changed, 67 insertions(+), 2 deletions(-) - -diff --git a/wpa_supplicant/dbus/dbus_new_handlers_p2p.c b/wpa_supplicant/dbus/dbus_new_handlers_p2p.c -index 8cdd88564..19715eb4c 100644 ---- a/wpa_supplicant/dbus/dbus_new_handlers_p2p.c -+++ b/wpa_supplicant/dbus/dbus_new_handlers_p2p.c -@@ -40,6 +40,14 @@ static int wpas_dbus_validate_dbus_ipaddr(struct wpa_dbus_dict_entry entry) - } - - -+static dbus_bool_t no_p2p_mgmt_interface(DBusError *error) -+{ -+ dbus_set_error_const(error, WPAS_DBUS_ERROR_IFACE_UNKNOWN, -+ "Could not find P2P mgmt interface"); -+ return FALSE; -+} -+ -+ - /** - * Parses out the mac address from the peer object path. - * @peer_path - object path of the form -@@ -78,6 +86,22 @@ wpas_dbus_error_persistent_group_unknown(DBusMessage *message) - } - - -+/** -+ * wpas_dbus_error_no_p2p_mgmt_iface - Return a new InterfaceUnknown error -+ * message -+ * @message: Pointer to incoming dbus message this error refers to -+ * Returns: a dbus error message -+ * -+ * Convenience function to create and return an unknown interface error. -+ */ -+static DBusMessage * wpas_dbus_error_no_p2p_mgmt_iface(DBusMessage *message) -+{ -+ wpa_printf(MSG_DEBUG, "dbus: Could not find P2P mgmt interface"); -+ return dbus_message_new_error(message, WPAS_DBUS_ERROR_IFACE_UNKNOWN, -+ "Could not find P2P mgmt interface"); -+} -+ -+ - DBusMessage * wpas_dbus_handler_p2p_find(DBusMessage *message, - struct wpa_supplicant *wpa_s) - { -@@ -145,6 +169,10 @@ DBusMessage * wpas_dbus_handler_p2p_find(DBusMessage *message, - } - - wpa_s = wpa_s->global->p2p_init_wpa_s; -+ if (!wpa_s) { -+ reply = wpas_dbus_error_no_p2p_mgmt_iface(message); -+ goto error_nop2p; -+ } - - if (wpas_p2p_find(wpa_s, timeout, type, num_req_dev_types, - req_dev_types, NULL, 0, 0, NULL, freq)) -@@ -157,8 +185,9 @@ DBusMessage * wpas_dbus_handler_p2p_find(DBusMessage *message, - error_clear: - wpa_dbus_dict_entry_clear(&entry); - error: -- os_free(req_dev_types); - reply = wpas_dbus_error_invalid_args(message, entry.key); -+error_nop2p: -+ os_free(req_dev_types); - return reply; - } - -@@ -166,7 +195,9 @@ error: - DBusMessage * wpas_dbus_handler_p2p_stop_find(DBusMessage *message, - struct wpa_supplicant *wpa_s) - { -- wpas_p2p_stop_find(wpa_s->global->p2p_init_wpa_s); -+ wpa_s = wpa_s->global->p2p_init_wpa_s; -+ if (wpa_s) -+ wpas_p2p_stop_find(wpa_s); - return NULL; - } - -@@ -185,6 +216,8 @@ DBusMessage * wpas_dbus_handler_p2p_rejectpeer(DBusMessage *message, - return wpas_dbus_error_invalid_args(message, NULL); - - wpa_s = wpa_s->global->p2p_init_wpa_s; -+ if (!wpa_s) -+ return wpas_dbus_error_no_p2p_mgmt_iface(message); - - if (wpas_p2p_reject(wpa_s, peer_addr) < 0) - return wpas_dbus_error_unknown_error(message, -@@ -204,6 +237,8 @@ DBusMessage * wpas_dbus_handler_p2p_listen(DBusMessage *message, - return wpas_dbus_error_no_memory(message); - - wpa_s = wpa_s->global->p2p_init_wpa_s; -+ if (!wpa_s) -+ return wpas_dbus_error_no_p2p_mgmt_iface(message); - - if (wpas_p2p_listen(wpa_s, (unsigned int) timeout)) { - return dbus_message_new_error(message, -@@ -245,6 +280,8 @@ DBusMessage * wpas_dbus_handler_p2p_extendedlisten( - } - - wpa_s = wpa_s->global->p2p_init_wpa_s; -+ if (!wpa_s) -+ return wpas_dbus_error_no_p2p_mgmt_iface(message); - - if (wpas_p2p_ext_listen(wpa_s, period, interval)) - return wpas_dbus_error_unknown_error( -@@ -350,6 +387,10 @@ DBusMessage * wpas_dbus_handler_p2p_group_add(DBusMessage *message, - } - - wpa_s = wpa_s->global->p2p_init_wpa_s; -+ if (!wpa_s) { -+ reply = wpas_dbus_error_no_p2p_mgmt_iface(message); -+ goto out; -+ } - - if (pg_object_path != NULL) { - char *net_id_str; -@@ -433,6 +474,12 @@ static dbus_bool_t wpa_dbus_p2p_check_enabled(struct wpa_supplicant *wpa_s, - "P2P is not available for this interface"); - return FALSE; - } -+ if (!wpa_s->global->p2p_init_wpa_s) { -+ if (out_reply) -+ *out_reply = wpas_dbus_error_no_p2p_mgmt_iface( -+ message); -+ return no_p2p_mgmt_interface(error); -+ } - return TRUE; - } - -@@ -822,6 +869,8 @@ DBusMessage * wpas_dbus_handler_p2p_prov_disc_req(DBusMessage *message, - return wpas_dbus_error_invalid_args(message, NULL); - - wpa_s = wpa_s->global->p2p_init_wpa_s; -+ if (!wpa_s) -+ return wpas_dbus_error_no_p2p_mgmt_iface(message); - - if (wpas_p2p_prov_disc(wpa_s, peer_addr, config_method, - WPAS_P2P_PD_FOR_GO_NEG, NULL) < 0) -@@ -1882,6 +1931,8 @@ dbus_bool_t wpas_dbus_getter_p2p_peer_groups( - - wpa_s = peer_args->wpa_s; - wpa_s = wpa_s->global->p2p_init_wpa_s; -+ if (!wpa_s) -+ return no_p2p_mgmt_interface(error); - - wpa_s_go = wpas_get_p2p_client_iface(wpa_s, info->p2p_device_addr); - if (wpa_s_go) { -@@ -1963,6 +2014,9 @@ dbus_bool_t wpas_dbus_getter_persistent_groups( - dbus_bool_t success = FALSE; - - wpa_s = wpa_s->global->p2p_init_wpa_s; -+ if (!wpa_s) -+ return no_p2p_mgmt_interface(error); -+ - if (!wpa_s->parent->dbus_new_path) - return FALSE; - -@@ -2077,6 +2131,11 @@ DBusMessage * wpas_dbus_handler_add_persistent_group( - dbus_message_iter_init(message, &iter); - - wpa_s = wpa_s->global->p2p_init_wpa_s; -+ if (!wpa_s) { -+ reply = wpas_dbus_error_no_p2p_mgmt_iface(message); -+ goto err; -+ } -+ - if (wpa_s->parent->dbus_new_path) - ssid = wpa_config_add_network(wpa_s->conf); - if (ssid == NULL) { -@@ -2159,6 +2218,10 @@ DBusMessage * wpas_dbus_handler_remove_persistent_group( - DBUS_TYPE_INVALID); - - wpa_s = wpa_s->global->p2p_init_wpa_s; -+ if (!wpa_s) { -+ reply = wpas_dbus_error_no_p2p_mgmt_iface(message); -+ goto out; -+ } - - /* - * Extract the network ID and ensure the network is actually a child of -@@ -2235,6 +2298,8 @@ DBusMessage * wpas_dbus_handler_remove_all_persistent_groups( - struct wpa_config *config; - - wpa_s = wpa_s->global->p2p_init_wpa_s; -+ if (!wpa_s) -+ return wpas_dbus_error_no_p2p_mgmt_iface(message); - - config = wpa_s->conf; - ssid = config->ssid; --- -2.21.0 - diff --git a/SPECS/wpa_supplicant.spec b/SPECS/wpa_supplicant.spec index 18d7e03..ecab949 100644 --- a/SPECS/wpa_supplicant.spec +++ b/SPECS/wpa_supplicant.spec @@ -6,8 +6,8 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant Name: wpa_supplicant Epoch: 1 -Version: 2.9 -Release: 5%{?dist} +Version: 2.10 +Release: 1%{?dist} License: BSD Group: System Environment/Base Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz @@ -31,20 +31,6 @@ Patch3: wpa_supplicant-quiet-scan-results-message.patch Patch5: rh1542234-remove-wpa_gui.patch Patch6: wpa_supplicant-gui-qt4.patch -Patch7: wpa_supplicant-p2p-segfault-on-iface-removal.patch -# fix for CVE-2019-16275 -Patch8: 0001-AP-Silently-ignore-management-frame-from-unexpected-.patch -# fix for bz1693684 -Patch9: wpa_supplicant-P2P-Always-use-global-p2p_long_listen.patch -# fix for bz1888050 -Patch10: wpa_supplicant-D-Bus-Allow-changing-an-interface-bridge-via-D-Bus.patch -# fix for bz1888718 -Patch11: wpa_supplicant-dbus-Export-OWE-capability-and-OWE-BSS-key_mgmt.patch -# fix for CVE-2021-0326 -Patch12: wpa_supplicant-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch -# fix for CVE-2021-27803 -Patch13: wpa_supplicant-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch - URL: http://w1.fi/wpa_supplicant/ %if %{build_gui} @@ -87,7 +73,7 @@ Graphical User Interface for wpa_supplicant written using QT %endif %prep -%autosetup -p1 -n %{name}-%{version}%{rcver} +%autosetup -p1 -n %{name}-%{version}%{rcver}%{snapshot} %build pushd wpa_supplicant @@ -187,7 +173,17 @@ chmod -R 0644 %{name}/examples/*.py %endif %changelog -* Mon Mar 1 2021 Davide Caratti - 1:2.9-5 +* Thu Jan 20 2022 Davide Caratti - 1:2.10-1 +- Update to version 2.10 (rh #2042104) + +* Thu Dec 9 2021 Davide Caratti - 1:2.9-6.20211112gitc8b94bc7b347 +- restore WEP functionality (rh #2028839) + +* Fri Nov 12 2021 Davide Caratti - 1:2.9-5.20211112gitc8b94bc7b347 +- Update to latest upstream tree to include support for H2E + Resolves: rhbz#2007333 + +* Fri Mar 5 2021 Davide Caratti - 1:2.9-5 - P2P: Fix a corner case in peer addition based on PD Request (CVE-2021-27803) - Fix buffer overflow when processing P2P group information (CVE-2021-0326)