[PATCH] [PATCH]hostapd:Fix potential buffer overflow and null pointer dereference

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



1.The event_dequeue() returns NULL as an error, so add
check against NULL pointer before dereference.

2.Use max attribute length macro as size for buffer
to store the radius attributes to avoid the potential
buffer overflow & underflow.

3.Clean the uninitialized memory before use.

4.Typecast the operand into compatible data type before
the bitwise operation.

Signed-off-by: Sarada Prasanna Garnayak <sarada.prasanna.garnayak@xxxxxxxxx>
---
 src/ap/accounting.c      | 2 +-
 src/ap/ieee802_1x.c      | 2 +-
 src/ap/wpa_auth_ie.c     | 1 +
 src/radius/radius.c      | 2 +-
 src/wps/wps_registrar.c  | 3 ++-
 src/wps/wps_upnp_event.c | 2 ++
 6 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/ap/accounting.c b/src/ap/accounting.c
index 0aacc3c95..69169375d 100644
--- a/src/ap/accounting.c
+++ b/src/ap/accounting.c
@@ -36,7 +36,7 @@ static struct radius_msg * accounting_msg(struct hostapd_data *hapd,
 					  int status_type)
 {
 	struct radius_msg *msg;
-	char buf[128];
+	char buf[RADIUS_MAX_ATTR_LEN];
 	u8 *val;
 	size_t len;
 	int i;
diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
index 985f8b787..52c211cc8 100644
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -503,7 +503,7 @@ int add_common_radius_attr(struct hostapd_data *hapd,
 			   struct sta_info *sta,
 			   struct radius_msg *msg)
 {
-	char buf[128];
+	char buf[RADIUS_MAX_ATTR_LEN];
 	struct hostapd_radius_attr *attr;
 	int len;
 
diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c
index 421dd5a6f..a753376c9 100644
--- a/src/ap/wpa_auth_ie.c
+++ b/src/ap/wpa_auth_ie.c
@@ -428,6 +428,7 @@ int wpa_auth_gen_wpa_ie(struct wpa_authenticator *wpa_auth)
 	u8 *pos, buf[128];
 	int res;
 
+	memset(buf, 0, sizeof(buf));
 #ifdef CONFIG_TESTING_OPTIONS
 	if (wpa_auth->conf.own_ie_override_len) {
 		wpa_hexdump(MSG_DEBUG, "WPA: Forced own IE(s) for testing",
diff --git a/src/radius/radius.c b/src/radius/radius.c
index 07240ea22..63be0d732 100644
--- a/src/radius/radius.c
+++ b/src/radius/radius.c
@@ -1343,7 +1343,7 @@ radius_msg_add_attr_user_password(struct radius_msg *msg,
 				  const u8 *data, size_t data_len,
 				  const u8 *secret, size_t secret_len)
 {
-	u8 buf[128];
+	u8 buf[RADIUS_MAX_ATTR_LEN];
 	int res;
 
 	res = radius_user_password_hide(msg, data, data_len,
diff --git a/src/wps/wps_registrar.c b/src/wps/wps_registrar.c
index 379925e3f..ed8c1d1e2 100644
--- a/src/wps/wps_registrar.c
+++ b/src/wps/wps_registrar.c
@@ -3424,7 +3424,8 @@ static void wps_registrar_sel_reg_add(struct wps_registrar *reg,
 		reg->sel_reg_dev_password_id_override = s->dev_password_id;
 	if (reg->sel_reg_config_methods_override == -1)
 		reg->sel_reg_config_methods_override = 0;
-	reg->sel_reg_config_methods_override |= s->config_methods;
+	reg->sel_reg_config_methods_override |=
+			(int)(unsigned)s->config_methods;
 	for (i = 0; i < WPS_MAX_AUTHORIZED_MACS; i++)
 		if (is_zero_ether_addr(reg->authorized_macs_union[i]))
 			break;
diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
index 94aae7542..f1f981138 100644
--- a/src/wps/wps_upnp_event.c
+++ b/src/wps/wps_upnp_event.c
@@ -282,6 +282,8 @@ static int event_send_start(struct subscription *s)
 		return -1;
 
 	s->current_event = e = event_dequeue(s);
+	if (!e)
+		return -1;
 
 	/* Use address according to number of retries */
 	itry = 0;
-- 
2.11.0


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap



[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux