authorDmitry Shmidt <dimitrysh@google.com>2015-05-04 10:34:12 -0700
committerDmitry Shmidt <dimitrysh@google.com>2015-05-07 11:28:37 -0700
commitcc00d5dc8483e32158b2ba61ea44b0c38d790ed7 (patch)
tree533da635c6af5654dd5673b5b0449d1d9567091f /src/eap_common
parentd1c753ef9cb780f24f7b8000c3540ab1452bc7a9 (diff)
Cumulative security patch from commit 58606fd98722e92aaa4c2c7b8cb99cc92bd4308c
58606fd EAP-pwd server: Make sure in_frag_pos is cleared to zero on allocation 6aa5d95 EAP-pwd peer: Make sure in_frag_pos is cleared to zero on allocation 28a069a EAP-pwd peer: Fix asymmetric fragmentation behavior 3035cc2 EAP-pwd server: Fix Total-Length parsing for fragment reassembly 477c743 EAP-pwd peer: Fix Total-Length parsing for fragment reassembly e28a58b EAP-pwd server: Fix payload length validation for Commit and Confirm dd2f043 EAP-pwd peer: Fix payload length validation for Commit and Confirm ef566a4 AP WMM: Fix integer underflow in WMM Action frame parser 8640cf7 WPS: Add more debug prints to httpread 1bd0d57 WPS: Replace the httpread_debug design with standard debug prints 7da4f4b WPS: Check maximum HTTP body length earlier in the process af185d0 WPS: Extra validation step for HTTP reader 5acd23f WPS: Fix HTTP chunked transfer encoding parser a5da657 dbus: Stop ongoing scheduled scan when scan is requested 0c28071 Fix sending ANQP request to an unknown BSS while associated 74197e0 wpa_cli: Fix memory leak when tracking networks 4504621 TDLS: Add TDLS_LINK_STATUS command to the control interface 01e87ef IBSS: Check ibss_rsn init before starting new IBSS authentication 74d912f libtommath: Fix check mp_init_multi() result fd66aa6 Check Public Action length explicitly before reading Action Code ff4a6d4 EAP-SIM/AKA: Explicitly check for header to include Reserved field f5ed400 EAP-SAKE: Make attribute parser more readable 0dfb7be EAP-SAKE: Pass EAP identifier instead of full request 354e3f7 TLS: Fix debug dump of X.509 certificate 87fcb5a EAP-PAX: Fix PAX_STD-1 and PAX_STD-3 payload length validation c3c5615 EAP-GPSK: Pass EAP identifier instead of full request d36c803 EAP-TLS/PEAP/TTLS/FAST: Move more towards using struct wpabuf 8d9f3b8 EAP-FAST: Do not use type cast to remove const specification 07f9034 EAP-FAST: Pass EAP identifier instead of full request f153e41 EAP-EKE: Do not pass full request to eap_eke_build_fail() 53f376c Fix a typo in function 
documentation 5aeebc4 D-Bus Fix network_is_persistent_group() for P2P operations 5441da2 Fix wpas_notify_network_removed() e8181e2 dbus: Add a debug print on fill_dict_with_properties() getter failures 8a78e22 D-Bus: Fix operations when P2P management interface is used dea0d8e RADIUS: Fix a copy-paste error in variable name Change-Id: Ib70bf513c1f6c17974ef135806e44e120a5d5709 Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Diffstat (limited to 'src/eap_common')
-rw-r--r--src/eap_common/eap_common.c2
-rw-r--r--src/eap_common/eap_sake_common.c86
2 files changed, 44 insertions, 44 deletions
diff --git a/src/eap_common/eap_common.c b/src/eap_common/eap_common.c
index 1de13281..51a15d75 100644
--- a/src/eap_common/eap_common.c
+++ b/src/eap_common/eap_common.c
@@ -192,7 +192,7 @@ u8 eap_get_id(const struct wpabuf *msg)
/**
- * eap_get_id - Get EAP Type from wpabuf
+ * eap_get_type - Get EAP Type from wpabuf
* @msg: Buffer starting with an EAP header
* Returns: The EAP Type after the EAP header
*/
diff --git a/src/eap_common/eap_sake_common.c b/src/eap_common/eap_sake_common.c
index a76253d0..c22e43ed 100644
--- a/src/eap_common/eap_sake_common.c
+++ b/src/eap_common/eap_sake_common.c
@@ -16,99 +16,99 @@
static int eap_sake_parse_add_attr(struct eap_sake_parse_attr *attr,
- const u8 *pos)
+ u8 attr_id, u8 len, const u8 *data)
{
size_t i;
- switch (pos[0]) {
+ switch (attr_id) {
case EAP_SAKE_AT_RAND_S:
wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_S");
- if (pos[1] != 2 + EAP_SAKE_RAND_LEN) {
+ if (len != EAP_SAKE_RAND_LEN) {
wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_S with "
- "invalid length %d", pos[1]);
+ "invalid payload length %d", len);
return -1;
}
- attr->rand_s = pos + 2;
+ attr->rand_s = data;
break;
case EAP_SAKE_AT_RAND_P:
wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_P");
- if (pos[1] != 2 + EAP_SAKE_RAND_LEN) {
+ if (len != EAP_SAKE_RAND_LEN) {
wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_P with "
- "invalid length %d", pos[1]);
+ "invalid payload length %d", len);
return -1;
}
- attr->rand_p = pos + 2;
+ attr->rand_p = data;
break;
case EAP_SAKE_AT_MIC_S:
wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_S");
- if (pos[1] != 2 + EAP_SAKE_MIC_LEN) {
+ if (len != EAP_SAKE_MIC_LEN) {
wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_S with "
- "invalid length %d", pos[1]);
+ "invalid payload length %d", len);
return -1;
}
- attr->mic_s = pos + 2;
+ attr->mic_s = data;
break;
case EAP_SAKE_AT_MIC_P:
wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_P");
- if (pos[1] != 2 + EAP_SAKE_MIC_LEN) {
+ if (len != EAP_SAKE_MIC_LEN) {
wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_P with "
- "invalid length %d", pos[1]);
+ "invalid payload length %d", len);
return -1;
}
- attr->mic_p = pos + 2;
+ attr->mic_p = data;
break;
case EAP_SAKE_AT_SERVERID:
wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SERVERID");
- attr->serverid = pos + 2;
- attr->serverid_len = pos[1] - 2;
+ attr->serverid = data;
+ attr->serverid_len = len;
break;
case EAP_SAKE_AT_PEERID:
wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PEERID");
- attr->peerid = pos + 2;
- attr->peerid_len = pos[1] - 2;
+ attr->peerid = data;
+ attr->peerid_len = len;
break;
case EAP_SAKE_AT_SPI_S:
wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_S");
- attr->spi_s = pos + 2;
- attr->spi_s_len = pos[1] - 2;
+ attr->spi_s = data;
+ attr->spi_s_len = len;
break;
case EAP_SAKE_AT_SPI_P:
wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_P");
- attr->spi_p = pos + 2;
- attr->spi_p_len = pos[1] - 2;
+ attr->spi_p = data;
+ attr->spi_p_len = len;
break;
case EAP_SAKE_AT_ANY_ID_REQ:
wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ANY_ID_REQ");
- if (pos[1] != 4) {
+ if (len != 2) {
wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid AT_ANY_ID_REQ"
- " length %d", pos[1]);
+ " payload length %d", len);
return -1;
}
- attr->any_id_req = pos + 2;
+ attr->any_id_req = data;
break;
case EAP_SAKE_AT_PERM_ID_REQ:
wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PERM_ID_REQ");
- if (pos[1] != 4) {
+ if (len != 2) {
wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid "
- "AT_PERM_ID_REQ length %d", pos[1]);
+ "AT_PERM_ID_REQ payload length %d", len);
return -1;
}
- attr->perm_id_req = pos + 2;
+ attr->perm_id_req = data;
break;
case EAP_SAKE_AT_ENCR_DATA:
wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ENCR_DATA");
- attr->encr_data = pos + 2;
- attr->encr_data_len = pos[1] - 2;
+ attr->encr_data = data;
+ attr->encr_data_len = len;
break;
case EAP_SAKE_AT_IV:
wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_IV");
- attr->iv = pos + 2;
- attr->iv_len = pos[1] - 2;
+ attr->iv = data;
+ attr->iv_len = len;
break;
case EAP_SAKE_AT_PADDING:
wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PADDING");
- for (i = 2; i < pos[1]; i++) {
- if (pos[i]) {
+ for (i = 0; i < len; i++) {
+ if (data[i]) {
wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_PADDING "
"with non-zero pad byte");
return -1;
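Review bot: The new signature of eap_sake_parse_add_attr() carries a contract that is not written down anywhere in this hunk: `len` is now the payload length with the two-byte attribute header already removed, and `data` points at the payload rather than at the attribute start. None of the visible cases checks `data` against the end of the message, so the pointers and `*_len` fields stored in `attr` are only as safe as the caller's validation. I would add a short comment above the function, for example `/* @len: payload length (attribute length minus the 2-byte header); caller must have verified that data[0..len) lies inside the message */`. The function body continues past the end of this hunk.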
@@ -117,26 +117,26 @@ static int eap_sake_parse_add_attr(struct eap_sake_parse_attr *attr,
break;
case EAP_SAKE_AT_NEXT_TMPID:
wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_NEXT_TMPID");
- attr->next_tmpid = pos + 2;
- attr->next_tmpid_len = pos[1] - 2;
+ attr->next_tmpid = data;
+ attr->next_tmpid_len = len;
break;
case EAP_SAKE_AT_MSK_LIFE:
wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_IV");
- if (pos[1] != 6) {
+ if (len != 4) {
wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid "
- "AT_MSK_LIFE length %d", pos[1]);
+ "AT_MSK_LIFE payload length %d", len);
return -1;
}
- attr->msk_life = pos + 2;
+ attr->msk_life = data;
break;
default:
- if (pos[0] < 128) {
+ if (attr_id < 128) {
wpa_printf(MSG_DEBUG, "EAP-SAKE: Unknown non-skippable"
- " attribute %d", pos[0]);
+ " attribute %d", attr_id);
return -1;
}
wpa_printf(MSG_DEBUG, "EAP-SAKE: Ignoring unknown skippable "
- "attribute %d", pos[0]);
+ "attribute %d", attr_id);
break;
}
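Review bot: The debug print under `case EAP_SAKE_AT_MSK_LIFE:` still reads `"EAP-SAKE: Parse: AT_IV"`; it is a context line, so the copy-paste label survives this commit. Anyone reading a debug log while triaging a malformed EAP-SAKE message would be told the wrong attribute was parsed just before the "Invalid AT_MSK_LIFE payload length" message. Change it to `wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MSK_LIFE");`. The function starts in the previous hunk.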
@@ -180,7 +180,7 @@ int eap_sake_parse_attributes(const u8 *buf, size_t len,
return -1;
}
- if (eap_sake_parse_add_attr(attr, pos))
+ if (eap_sake_parse_add_attr(attr, pos[0], pos[1] - 2, pos + 2))
return -1;
pos += pos[1];
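Review bot: `pos[1] - 2` is evaluated as int and then narrowed to the `u8 len` parameter, so an attribute whose length octet is 0 or 1 would reach the callee as 254 or 255, and the variable-length cases (AT_SERVERID, AT_PEERID, AT_ENCR_DATA and the others) would record that as the payload length. The hunk shows only the tail of one earlier check, so presumably a `pos[1] < 2` rejection precedes this call outside the hunk; please confirm. The same guard is what keeps `pos += pos[1]` advancing on a zero length octet. A comment at the call would make the dependency explicit, e.g. `/* pos[1] >= 2 was verified above, so the subtraction cannot wrap */`. eap_sake_parse_attributes() begins and ends outside the hunk.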