1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-11-27 08:00:11 +00:00

MFS security patches which seem to have accidentally not reached HEAD:

Fix insufficient message length validation for EAP-TLS messages.

Fix Linux compatibility layer input validation error.

Security:	FreeBSD-SA-12:07.hostapd
Security:	FreeBSD-SA-12:08.linux
Security:	CVE-2012-4445, CVE-2012-4576
With hat:	so@
This commit is contained in:
Colin Percival 2012-11-23 01:48:31 +00:00
parent f51d43fe01
commit 43f13bea35
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=243419
2 changed files with 11 additions and 2 deletions

View File

@ -225,6 +225,14 @@ static int eap_server_tls_process_fragment(struct eap_ssl_data *data,
return -1;
}
if (len > message_length) {
wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
"first fragment of frame (TLS Message "
"Length %d bytes)",
(int) len, (int) message_length);
return -1;
}
data->tls_in = wpabuf_alloc(message_length);
if (data->tls_in == NULL) {
wpa_printf(MSG_DEBUG, "SSL: No memory for message");

View File

@ -2260,8 +2260,9 @@ linux_ifconf(struct thread *td, struct ifconf *uifc)
ifc.ifc_len = valid_len;
sbuf_finish(sb);
memcpy(PTRIN(ifc.ifc_buf), sbuf_data(sb), ifc.ifc_len);
error = copyout(&ifc, uifc, sizeof(ifc));
error = copyout(sbuf_data(sb), PTRIN(ifc.ifc_buf), ifc.ifc_len);
if (error == 0)
error = copyout(&ifc, uifc, sizeof(ifc));
sbuf_delete(sb);
CURVNET_RESTORE();