android_external_wpa_supplicant_8, branch stable/cm-12.0-YNG1TA

P2P: Validate SSID element length before copying it

2015-05-07T19:22:05+00:00

This fixes a possible memcpy overflow for P2P dev->oper_ssid in
p2p_add_device(). The length provided by the peer device (0..255 bytes)
was used without proper bounds checking and that could have resulted in
arbitrary data of up to 223 bytes being written beyond the end of the
dev->oper_ssid[] array (of which about 150 bytes would be beyond the
heap allocation) when processing a corrupted management frame for P2P
peer discovery purposes.

This could result in corrupted state in heap, unexpected program
behavior due to corrupted P2P peer device information, denial of service
due to process crash, exposure of memory contents during GO Negotiation,
and potentially arbitrary code execution.

Thanks to Google security team for reporting this issue and smart
hardware research group of Alibaba security team for discovering it.

Signed-off-by: Jouni Malinen 

(cherry picked from commit fdb708a37d8f7f1483e3cd4e8ded974f53fedace)

Change-Id: Ibc53ff533f78cfcd7c51fbb5d5494b828f184cc8
(cherry picked from commit 6f5b05b471d8cba1b522cb7af34e3a356925e787)

Merge branch 'LA.BF.1.1_rb1.16' of git://codeaurora.org/platform/external/wpa_supplicant_8 into cm-12.0

2014-12-13T21:35:36+00:00

Merge "eap_proxy: Remove extra bytes in EAP-Response/Identity" into LA.BF.1.1_rb1.16

2014-12-11T00:10:10+00:00

Allow a BSS entry with all-zeros BSSID to expire

2014-12-04T14:04:32+00:00

wpa_bss_in_use() used to determine that a BSS with BSSID of
00:00:00:00:00:00 is in use in almost every case since either
wpa_s->bssid or wpa_s->pending_bssid was likely to be cleared. This
could result in a corner case of a BSS entry remaining in the BSS table
indefinitely if one was added there with a (likely bogus) address of
00:00:00:00:00:00. Fix this by ignore wpa_s->bssid and
wpa_s->pending_bssid if the BSSID in the BSS table entry is
00:00:00:00:00:00.

In theory, that address is a valid BSSID, but it is unlikely to be used
in any production AP, so the potential expiration of a BSS entry with
that address during a connection attempt would not be a concern
(especially when a new scan would be enough to recover from that).

CRs-Fixed: 766537
Git-commit: 44177b69e8854177044aad4c57cf9cce8269b306
Git-repo : git://w1.fi/srv/git/hostap.git
Signed-off-by: Jouni Malinen 
Change-Id: Ie70a0aa2ba3a8b942f7f9798b1d15d87391547a8

eap_proxy: Remove extra bytes in EAP-Response/Identity

2014-12-04T06:37:52+00:00

Adding size_of wpa_buf to the eap response from the modem is
reflecting in extra bytes to the identity and some radius servers
are unable to map the identity, further causing a failure.
This fix will remove the extra length being added to the response
frame.

Change-Id: Ie3c8db99b4de5d94491c329ff63adfb48527c1aa
CRs-Fixed: 765232

Merge "P2P: Reinvite with social operation channel if no common channels"

2014-12-03T09:34:01+00:00

Merge tag 'android-5.0.1_r1' into HEAD

2014-12-03T01:31:24+00:00

Android 5.0.1 release 1

Merge "Do not re-open Android control sockets"

2014-12-01T14:53:45+00:00

P2P: Reinvite with social operation channel if no common channels

2014-12-01T08:11:56+00:00

If invitation to reinvoke a persistent group from the GO fails with the
peer indicating that there are no common channels, there is no defined
means for the peer to indicate which channel could have worked. Since
this type of issue with available channels changing over time can
happen, try to work around this by retrying invitation using one of the
social channels as the operating channel unless a specific operating
channel was forced for the group.

CRs-fixed: 764464
Git-commit: ac330cfd87397a1a01e697984f3944f427e88dad
Git-repo : git://w1.fi/srv/git/hostap.git
Signed-off-by: Jouni Malinen 
Change-Id: I40106f91e0e7bc3b2dfddcac75c7034a34773e95

Merge "P2P: Do not change P2P state on GO Neg failure if it is P2P_SEARCH"

2014-11-28T02:28:10+00:00