Andrew Geissler | 95ac1b8 | 2021-03-31 14:34:31 -0500 | [diff] [blame] | 1 | From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001 |
| 2 | From: Jouni Malinen <jouni@codeaurora.org> |
| 3 | Date: Tue, 8 Dec 2020 23:52:50 +0200 |
| 4 | Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request |
| 5 | |
| 6 | p2p_add_device() may remove the oldest entry if there is no room in the |
| 7 | peer table for a new peer. This would result in any pointer to that |
| 8 | removed entry becoming stale. A corner case with an invalid PD Request |
| 9 | frame could result in such a case ending up using (read+write) freed |
| 10 | memory. This could only by triggered when the peer table has reached its |
| 11 | maximum size and the PD Request frame is received from the P2P Device |
| 12 | Address of the oldest remaining entry and the frame has incorrect P2P |
| 13 | Device Address in the payload. |
| 14 | |
| 15 | Fix this by fetching the dev pointer again after having called |
| 16 | p2p_add_device() so that the stale pointer cannot be used. |
| 17 | |
| 18 | Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request") |
| 19 | Signed-off-by: Jouni Malinen <jouni@codeaurora.org> |
| 20 | |
| 21 | Upstream-Status: Backport |
| 22 | CVE: CVE-2021-27803 |
| 23 | |
| 24 | Reference to upstream patch: |
| 25 | [https://w1.fi/cgit/hostap/commit/?id=8460e3230988ef2ec13ce6b69b687e941f6cdb32] |
| 26 | |
| 27 | Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> |
| 28 | --- |
| 29 | src/p2p/p2p_pd.c | 12 +++++------- |
| 30 | 1 file changed, 5 insertions(+), 7 deletions(-) |
| 31 | |
| 32 | diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c |
| 33 | index 3994ec0..05fd593 100644 |
| 34 | --- a/src/p2p/p2p_pd.c |
| 35 | +++ b/src/p2p/p2p_pd.c |
| 36 | @@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa, |
| 37 | goto out; |
| 38 | } |
| 39 | |
| 40 | + dev = p2p_get_device(p2p, sa); |
| 41 | if (!dev) { |
| 42 | - dev = p2p_get_device(p2p, sa); |
| 43 | - if (!dev) { |
| 44 | - p2p_dbg(p2p, |
| 45 | - "Provision Discovery device not found " |
| 46 | - MACSTR, MAC2STR(sa)); |
| 47 | - goto out; |
| 48 | - } |
| 49 | + p2p_dbg(p2p, |
| 50 | + "Provision Discovery device not found " |
| 51 | + MACSTR, MAC2STR(sa)); |
| 52 | + goto out; |
| 53 | } |
| 54 | } else if (msg.wfd_subelems) { |
| 55 | wpabuf_free(dev->info.wfd_subelems); |
| 56 | -- |
| 57 | 2.17.1 |
| 58 | |