mirror of
https://git.FreeBSD.org/src.git
synced 2024-10-19 02:29:40 +00:00
MFC eeb26cf52c
:
wpa: import fix for P2P provision discovery processing vulnerability
Latest version available from: https://w1.fi/security/2021-1/
Vulnerability
A vulnerability was discovered in how wpa_supplicant processes P2P
(Wi-Fi Direct) provision discovery requests. Under a corner case
condition, an invalid Provision Discovery Request frame could end up
reaching a state where the oldest peer entry needs to be removed. With
a suitably constructed invalid frame, this could result in use
(read+write) of freed memory. This can result in an attacker within
radio range of the device running P2P discovery being able to cause
unexpected behavior, including termination of the wpa_supplicant process
and potentially code execution.
Vulnerable versions/configurations
wpa_supplicant v1.0-v2.9 with CONFIG_P2P build option enabled
An attacker (or a system controlled by the attacker) needs to be within
radio range of the vulnerable system to send a set of suitably
constructed management frames that trigger the corner case to be reached
in the management of the P2P peer table.
Note: FreeBSD base does not enable P2P.
(cherry picked from commit eeb26cf52c
)
This commit is contained in:
parent
ff2e2bca31
commit
7b3ff601f9
@ -595,7 +595,6 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (!dev) {
|
||||
dev = p2p_get_device(p2p, sa);
|
||||
if (!dev) {
|
||||
p2p_dbg(p2p,
|
||||
@ -603,7 +602,6 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
|
||||
MACSTR, MAC2STR(sa));
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
} else if (msg.wfd_subelems) {
|
||||
wpabuf_free(dev->info.wfd_subelems);
|
||||
dev->info.wfd_subelems = wpabuf_dup(msg.wfd_subelems);
|
||||
|
Loading…
Reference in New Issue
Block a user