CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	Cy Schubert <cy@FreeBSD.org>
	Wed, 17 Mar 2021 00:06:17 +0000 (17:06 -0700)
committer	Cy Schubert <cy@FreeBSD.org>
	Wed, 24 Mar 2021 08:55:49 +0000 (01:55 -0700)
commit	7b3ff601f90415ba3da62b910aa8ea14a54bfae3
tree	d7632b8a2c9f30b2ebc5397b283ccb2aafa3a399	tree \| snapshot
parent	ff2e2bca31a53357e70781ab46dc63356c17ef95	commit \| diff

MFC eeb26cf52c4c51e1571253d57684c442aa79a98d:

wpa: import fix for P2P provision discovery processing vulnerability

Latest version available from: https://w1.fi/security/2021-1/

Vulnerability

A vulnerability was discovered in how wpa_supplicant processes P2P
(Wi-Fi Direct) provision discovery requests. Under a corner case
condition, an invalid Provision Discovery Request frame could end up
reaching a state where the oldest peer entry needs to be removed. With
a suitably constructed invalid frame, this could result in use
(read+write) of freed memory. This can result in an attacker within
radio range of the device running P2P discovery being able to cause
unexpected behavior, including termination of the wpa_supplicant process
and potentially code execution.

Vulnerable versions/configurations

wpa_supplicant v1.0-v2.9 with CONFIG_P2P build option enabled

An attacker (or a system controlled by the attacker) needs to be within
radio range of the vulnerable system to send a set of suitably
constructed management frames that trigger the corner case to be reached
in the management of the P2P peer table.

Note: FreeBSD base does not enable P2P.
(cherry picked from commit eeb26cf52c4c51e1571253d57684c442aa79a98d)