From: Cy Schubert
Date: Tue, 9 Jun 2020 05:38:12 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r361958 - head/contrib/wpa/src/wps

Author: cy
Date: Tue Jun 9 05:38:12 2020
New Revision: 361958
URL: https://svnweb.freebsd.org/changeset/base/361958

Log:
  MFV r361937:

  Upstream commit message:

  [PATCH 2/3] WPS UPnP: Fix event message generation using a long URL path

  More than about 700 character URL ended up overflowing the wpabuf used
  for building the event notification and this resulted in the wpabuf
  buffer overflow checks terminating the hostapd process. Fix this by
  allocating the buffer to be large enough to contain the full URL path.
  However, since that around 700 character limit has been the practical
  limit for more than ten years, start explicitly enforcing that as the
  limit for the callback URLs since any longer ones had not worked before
  and there is no need to enable them now either.

Obtained from: https://w1.fi/security/2020-1/\ 0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch MFC after: 3 days Security: VU#339275 and CVE-2020-12695 Modified: head/contrib/wpa/src/wps/wps_upnp.c head/contrib/wpa/src/wps/wps_upnp_event.c Directory Properties: head/contrib/wpa/ (props changed) Modified: head/contrib/wpa/src/wps/wps_upnp.c ============================================================================== --- head/contrib/wpa/src/wps/wps_upnp.c Tue Jun 9 05:35:38 2020 (r361957) +++ head/contrib/wpa/src/wps/wps_upnp.c Tue Jun 9 05:38:12 2020 (r361958) @@ -328,9 +328,14 @@ static void subscr_addr_add_url(struct subscription *s int rerr; size_t host_len, path_len; - /* url MUST begin with http: */ - if (url_len < 7 || os_strncasecmp(url, "http://", 7)) + /* URL MUST begin with HTTP scheme. In addition, limit the length of + * the URL to 700 characters which is around the limit that was + * implicitly enforced for more than 10 years due to a bug in + * generating the event messages. */ + if (url_len < 7 || os_strncasecmp(url, "http://", 7) || url_len > 700) { + wpa_printf(MSG_DEBUG, "WPS UPnP: Reject an unacceptable URL"); goto fail; + } url += 7; url_len -= 7; Modified: head/contrib/wpa/src/wps/wps_upnp_event.c ============================================================================== --- head/contrib/wpa/src/wps/wps_upnp_event.c Tue Jun 9 05:35:38 2020 (r361957) +++ head/contrib/wpa/src/wps/wps_upnp_event.c Tue Jun 9 05:38:12 2020 (r361958) @@ -147,7 +147,8 @@ static struct wpabuf * event_build_message(struct wps_ struct wpabuf *buf; char *b; - buf = wpabuf_alloc(1000 + wpabuf_len(e->data)); + buf = wpabuf_alloc(1000 + os_strlen(e->addr->path) + + wpabuf_len(e->data)); if (buf == NULL) return NULL; wpabuf_printf(buf, "NOTIFY %s HTTP/1.1\r\n", e->addr->path);
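
Review bot: In the wps_upnp.c hunk (subscr_addr_add_url), the limit is the bare literal 700 in `url_len > 700`, stated a second time only in the comment; a named constant would keep the check and its rationale in one place and give the allocation in wps_upnp_event.c something to refer to. The test runs before `url += 7; url_len -= 7;`, so the 700 counts the "http://" prefix and the host as well as the path, and the comment should say that the bound is on the whole callback URL. The new debug line "Reject an unacceptable URL" also covers both the scheme failure and the length failure without distinguishing them; logging url_len there would make a rejected subscription much easier to diagnose.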
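
Review bot: In the wps_upnp_event.c hunk (event_build_message), the allocation still rests on the undocumented constant 1000 for everything in the message other than e->addr->path and e->data. The only write visible here is the NOTIFY line that prints the path, so a reader cannot tell from this function what the remaining 1000 bytes have to hold; a short comment listing what that headroom covers, or a sum of the actual field lengths, would make the sizing checkable. It would also help to note next to `1000 + os_strlen(e->addr->path) +` that the path length is bounded by the 700-character URL check added in wps_upnp.c, since the two changes depend on each other.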