~morphis/snappy-hwe-snaps/+git/wpa-supplicant:f/dont-drop-connection

Last commit made on 2017-03-08
Get this branch:
git clone -b f/dont-drop-connection https://git.launchpad.net/~morphis/snappy-hwe-snaps/+git/wpa-supplicant
Only Simon Fels can upload to this branch. If you are Simon Fels please log in for upload directions.

Branch merges

Branch information

Name:
f/dont-drop-connection
Repository:
lp:~morphis/snappy-hwe-snaps/+git/wpa-supplicant

Recent commits

98c7838... by Simon Fels on 2017-03-08

WIP: UBUNTU: Don't deinitialize network interface on termination

878eb10... by Simon Fels on 2017-03-08

SNAP: Add default configuration we will use for the snap build

1713bb3... by Maital Hahn <email address hidden> on 2017-03-08

UBUNTU: wpa_supplicant: Fix a typo in wpa_scan_result_compar()

A typo in wpa_scan_result_compar() caused wrong scan results sorting
(and wrong roaming decision). This fixes a copy-paste regression
introduced by commit a1b790eb9d7514d1a6e0582a07f695a1564caa59 ('Select
AP based on estimated maximum throughput').

Signed-off-by: Maital Hahn <email address hidden>

c344784... by Jouni Malinen on 2017-03-08

UBUNTU: NFC: Fix payload length validation in NDEF record parser

It was possible for the 32-bit record->total_length value to end up
wrapping around due to integer overflow if the longer form of payload
length field is used and record->payload_length gets a value close to
2^32. This could result in ndef_parse_record() accepting a too large
payload length value and the record type filter reading up to about 20
bytes beyond the end of the buffer and potentially killing the process.
This could also result in an attempt to allocate close to 2^32 bytes of
heap memory and if that were to succeed, a buffer read overflow of the
same length which would most likely result in the process termination.
In case of record->total_length ending up getting the value 0, there
would be no buffer read overflow, but record parsing would result in an
infinite loop in ndef_parse_records().

Any of these error cases could potentially be used for denial of service
attacks over NFC by using a malformed NDEF record on an NFC Tag or
sending them during NFC connection handover if the application providing
the NDEF message to hostapd/wpa_supplicant did no validation of the
received records. While such validation is likely done in the NFC stack
that needs to parse the NFC messages before further processing,
hostapd/wpa_supplicant better be prepared for any data being included
here.

Fix this by validating record->payload_length value in a way that
detects integer overflow. (CID 122668)

Signed-off-by: Jouni Malinen <email address hidden>

db8a152... by Jouni Malinen on 2017-03-08

UBUNTU: EAP-pwd peer: Fix error path for unexpected Confirm message

If the Confirm message is received from the server before the Identity
exchange has been completed, the group has not yet been determined and
data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange()
did not take this corner case into account and could end up
dereferencing a NULL pointer and terminating the process if invalid
message sequence is received.

Signed-off-by: Jouni Malinen <email address hidden>

a9f7aa2... by Jouni Malinen on 2017-03-08

UBUNTU: EAP-pwd server: Fix last fragment length validation

All but the last fragment had their length checked against the remaining
room in the reassembly buffer. This allowed a suitably constructed last
fragment frame to try to add extra data that would go beyond the buffer.
The length validation code in wpabuf_put_data() prevents an actual
buffer write overflow from occurring, but this results in process
termination.

Signed-off-by: Jouni Malinen <email address hidden>

4efe0b3... by Jouni Malinen on 2017-03-08

UBUNTU: EAP-pwd peer: Fix last fragment length validation

All but the last fragment had their length checked against the remaining
room in the reassembly buffer. This allowed a suitably constructed last
fragment frame to try to add extra data that would go beyond the buffer.
The length validation code in wpabuf_put_data() prevents an actual
buffer write overflow from occurring, but this results in process
termination.

Signed-off-by: Jouni Malinen <email address hidden>

140f0c5... by Simon Fels on 2017-03-08

UBUNTU: WNM Sleep Mode Response frame is used to update GTK/IGTK only if PMF is

33f2c97... by Jouni Malinen <email address hidden> on 2015-04-29

UBUNTU: D-Bus: Fix operations when P2P management interface is used

Commit 21efc940f6e7f07b84b7e5c5867f3d81594c4fb0 ('wpa_supplicant: Do not
register a P2P management interface on DBus') hides the special P2P
management interface from D-Bus. However, it did not take into account
the possibility of wpa_s->dbus_path and wpa_s->dbus_new_path being NULL
in such cases on number of code paths within the D-Bus handlers. This
could result in invalid arguments (NULL path) being provided to D-Bus
functions (mainly, dbus_message_iter_append_basic) and NULL pointer
dereference when iterating over all interfaces. Either of these could
make wpa_supplicant process terminate.

Fix this by explicitly checking that the interface-specific D-Bus path
has been registered before using it anywhere with D-Bus handlers. In
addition, find the correct wpa_s instance to fix P2P operations through
D-Bus when the P2P Device interface is used.

Signed-off-by: Jouni Malinen <email address hidden>

BugLink: https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1482439

7f09797... by Mathieu Trudel-Lapierre on 2017-03-08

UBUNTU: Add SetInterfaceFirmware method for hybris firmware changes

Allow system services to request a firmware mode change for hybris devices
from wpasupplicant; this is used on some Android devices to enable AP mode
or Wifi-Direct/P2P support.