christos e4bfca3a3e strtoul() return value may end up overflowing the int h->chunk_size and
resulting in a negative value to be stored as the chunk_size. This could
result in the following memcpy operation using a very large length
argument which would result in a buffer overflow and segmentation fault.

This could have been used to cause a denial of service by any device that
has been authorized for network access (either wireless or wired). This
would affect both the WPS UPnP functionality in a WPS AP (hostapd with
upnp_iface parameter set in the configuration) and WPS ER
(wpa_supplicant with WPS_ER_START control interface command used).

Validate the parsed chunk length value to avoid this. In addition to
rejecting negative values, we can also reject chunk size that would be
larger than the maximum configured body length.

Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.

XXX: pullup-7
2015-05-09 19:33:47 +00:00
bin CID 1225078: check getrlimit return 2015-05-09 13:28:55 +00:00
common - new test for strtoi 2015-05-01 14:17:56 +00:00
compat Add RISC-V support 2014-09-19 17:38:46 +00:00
crypto Fix typos 2015-04-28 09:48:30 +00:00
dist/pf Merge riastradh-drm2 to HEAD. 2014-03-18 18:20:35 +00:00
distrib This product includes software developed by Yasushi Yamasaki. 2015-05-09 17:49:33 +00:00
doc Remove mips-kern-ksyms-size, now that it is already gone 2015-05-08 09:44:45 +00:00
etc Build ERLITE and INSTALL_ERLITE if mips64eb 2015-05-01 23:55:14 +00:00
external strtoul() return value may end up overflowing the int h->chunk_size and 2015-05-09 19:33:47 +00:00
extsrc
games PR/49850: Nikolai Lifanov: Document acronyms-o 2015-04-22 15:04:57 +00:00
gnu CID 1225079: check getrlimit return 2015-05-09 13:32:30 +00:00
include add a macro to check overlapping pointers 2015-05-09 15:41:47 +00:00
lib Update HISTORY from OpenBSD: strerror from 4.3 Reno, perror from v4. 2015-05-09 19:01:53 +00:00
libexec Bump date for previous. 2015-05-05 08:08:33 +00:00
regress moved to tests/net/in_cksum. 2015-01-05 22:39:29 +00:00
rescue Remove rtsol(8) and rtsold(8) as their functionality is in dhcpcd(8). 2014-09-11 13:10:03 +00:00
sbin Use _PATH_WATCHDOG from <paths.h> instead of locally-defined value. 2015-05-06 23:08:30 +00:00
share ICYMI 2015-05-09 18:18:32 +00:00
sys Jetson TK1: USB1 VBUS power is controlled by GPIO N4 2015-05-09 18:57:30 +00:00
tests Use correct variable name when printing the error code. 2015-05-07 06:23:23 +00:00
tools misc/48722: Use explicit HOST_SH in case the user insists on removing 2015-03-05 10:22:25 +00:00
usr.bin Also check the other emitted getrlimit call for failure. 2015-05-09 18:48:14 +00:00
usr.sbin perror -> warn 2015-05-09 18:32:04 +00:00
x11 Use ${TOOL_GZIP_N} instead of ${TOOL_GZIP} -n, and similarly 2014-08-05 15:40:58 +00:00
BUILDING regen 2015-04-08 05:48:24 +00:00
Makefile PR 49870: pass the xsrc path to postinstall 2015-05-03 15:13:13 +00:00
Makefile.inc
UPDATING mention yacc requirement for acpica 2015-04-14 14:18:59 +00:00
build.sh Fix typo in usage. From Christopher M. Fuhrman in PR 49882. 2015-05-06 17:31:49 +00:00