authorCy Schubert <cy@FreeBSD.org>2020-06-08 20:37:52 +0000
committerCy Schubert <cy@FreeBSD.org>2020-06-08 20:37:52 +0000
commitfcd7585218588159ed2e743c05e2ae37f968e88d (patch)
treef07aefe47c6279ae3f4695f82a92ef2ee39e5926
parent7ff78eda39f2359bf061bb8a236a21c744bf6032 (diff)
downloadsrc-fcd7585218588159ed2e743c05e2ae37f968e88d.tar.gz
src-fcd7585218588159ed2e743c05e2ae37f968e88d.zip
Upstream commit message:
[PATCH 2/3] WPS UPnP: Fix event message generation using a long URL path A URL longer than about 700 characters ended up overflowing the wpabuf used for building the event notification and this resulted in the wpabuf buffer overflow checks terminating the hostapd process. Fix this by allocating the buffer to be large enough to contain the full URL path. However, since that around 700 character limit has been the practical limit for more than ten years, start explicitly enforcing that as the limit for the callback URLs since any longer ones had not worked before and there is no need to enable them now either. Obtained from: https://w1.fi/security/2020-1/\ 0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch Security: VU#339275 and CVE-2020-12695
Notes
Notes: svn path=/vendor/wpa/dist/; revision=361937
-rw-r--r--src/wps/wps_upnp.c9
-rw-r--r--src/wps/wps_upnp_event.c3
2 files changed, 9 insertions, 3 deletions
diff --git a/src/wps/wps_upnp.c b/src/wps/wps_upnp.c
index 9e40aeb0dc97..93d6fb59a6a9 100644
--- a/src/wps/wps_upnp.c
+++ b/src/wps/wps_upnp.c
@@ -328,9 +328,14 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
int rerr;
size_t host_len, path_len;
- /* url MUST begin with http: */
- if (url_len < 7 || os_strncasecmp(url, "http://", 7))
+ /* URL MUST begin with HTTP scheme. In addition, limit the length of
+ * the URL to 700 characters which is around the limit that was
+ * implicitly enforced for more than 10 years due to a bug in
+ * generating the event messages. */
+ if (url_len < 7 || os_strncasecmp(url, "http://", 7) || url_len > 700) {
+ wpa_printf(MSG_DEBUG, "WPS UPnP: Reject an unacceptable URL");
goto fail;
+ }
url += 7;
url_len -= 7;
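Review bot: The reject branch on the new `if` logs one fixed string, so a wrong scheme and an over-length callback URL cannot be told apart in the logs, and the limit is a bare `700` repeated in the comment and the condition. The over-length case is the one the commit message ties to the hostapd process being terminated, so it is the one an operator would want to see. Consider naming the limit (a file-local constant, e.g. `#define MAX_CALLBACK_URL_LEN 700`, name illustrative) and logging the length, assuming url_len is a size_t as the neighbouring declarations suggest: `wpa_printf(MSG_DEBUG, "WPS UPnP: Reject an unacceptable URL (len=%u)", (unsigned int) url_len);`. The body of subscr_addr_add_url starts and ends outside this hunk.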
diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
index 94aae7542b2e..fd225b06c0c6 100644
--- a/src/wps/wps_upnp_event.c
+++ b/src/wps/wps_upnp_event.c
@@ -147,7 +147,8 @@ static struct wpabuf * event_build_message(struct wps_event_ *e)
struct wpabuf *buf;
char *b;
- buf = wpabuf_alloc(1000 + wpabuf_len(e->data));
+ buf = wpabuf_alloc(1000 + os_strlen(e->addr->path) +
+ wpabuf_len(e->data));
if (buf == NULL)
return NULL;
wpabuf_printf(buf, "NOTIFY %s HTTP/1.1\r\n", e->addr->path);
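Review bot: The new `wpabuf_alloc` size accounts for the path, but everything else written into the buffer still has to fit in the fixed `1000` bytes of slack, and that only holds because of the 700-character cap enforced separately in wps_upnp.c. Nothing at this call site records that dependency, so a later change to the cap or to the headers could quietly bring back the overflow-triggered abort. I would add a comment above the allocation such as `/* 1000 covers the fixed headers and any other URL-derived fields; callback URL length is capped in subscr_addr_add_url() */`. If event_build_message, which continues outside this hunk, writes further URL-derived fields such as a host header, it is worth confirming they are bounded by the same cap.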