# Patch for wpa_supplicant



## KNOStic (Apr 24, 2015)

There is a security issue with wpa_supplicant of note. I went looking for information on the FreeBSD.org site and apparently it hasn't been mitigated as yet. There is a patch available however which consists of a single line of code.

The information on CVE-2015-1863 can be found here:

http://w1.fi/security/2015-1/wpa_supplicant-p2p-ssid-overflow.txt

The patch is quite simple in /usr/src/contrib/wpa/src/p2p/p2p.c as follows:


```
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
src/p2p/p2p.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
index f584fae..a45fe73 100644
--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
@@ -778,6 +778,7 @@ int p2p_add_device(struct p2p_data *p2p, const u8 *addr, int freq,
   if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0)
     os_memcpy(dev->interface_addr, addr, ETH_ALEN);
   if (msg.ssid &&
+    msg.ssid[1] <= sizeof(dev->oper_ssid) &&
    (msg.ssid[1] != P2P_WILDCARD_SSID_LEN ||
    os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN)
    != 0)) {
--
1.9.1
```

Be careful though, in the current 10.1 source, I found the location to be line 666. The one line of code mitigates the issue successfully.

Thought I would get the word out as quickly as possible as it affects all Unix systems which use wpa_supplicant from Linux to all BSD's to OS X. The linked to site also contains a copy of the patch I've included here as well.

Be safe!


----------



## junovitch@ (Apr 24, 2015)

Just had a look.  Bottom line is you're safe if you are using the defaults.

The P2P option is not on by default from upstream.  It's also not turned on in the FreeBSD base system in the Makefile for the software.  See the config options used here:
https://svnweb.freebsd.org/base/hea...pplicant/Makefile?revision=281806&view=markup

In ports, security/wpa_supplicant also does not set P2P on by default.

I'm working on the patch and PR for the port right now.  It feels more likely that someone customizing their wireless setup would use the port to have easily configurable options and the latest and greatest version.  I'm not sure about base yet but will get the PR in for ports first.


----------



## KNOStic (Apr 25, 2015)

Thanks for doing that! In our arrangement, we don't use the port but were concerned about the base system p2p.c as a "just in case." Glad to see that it isn't a default option given that a poorly-formed SSID could trigger this one. Thanks again.


----------



## junovitch@ (Apr 25, 2015)

For security/wpa_supplicant, PR 199678 had the update and was already closed.  Kudos to marino@ for the quick work.  I also submitted the security/vuxml update so `pkg audit` works but I'm not sure if he glanced over it in the noise since the PR was already closed.  I'll ping again tomorrow for that.

On to base... On a freshly updated 10.1-STABLE r281981 it just failed to build with the P2P option turned on.  So I would venture to guess if anyone was using P2P for real that they would have noticed and it would at least compile.  10.1 is currently using wpa_supplicant 2.0. The patch will probably be fine for 11.0-CURRENT as that was just updated to wpa_supplicant 2.4.  I looked at 9.3-STABLE and 8.4-STABLE and that was wpa_supplicant 0.7.3 and 0.6.8 per the SVN logs, which are both earlier versions then the one listed as impacted in security advisory.

EDIT:
Deleted comment about turning on P2P being broken.  I'm almost certain this was my user error as it doesn't seem to be as simple as setting the CONFIG_P2P flag.


----------



## KNOStic (Apr 26, 2015)

Thanks for the additional checkouts, Jason!


----------



## Zer0P (Apr 26, 2015)

The fix is already in HardenedBSD: https://github.com/HardenedBSD/hardenedBSD/commit/6776d2a1a7a85efc530973eed6ead15b6674dc6c and https://github.com/HardenedBSD/hardenedBSD/commit/e8637bb34a522de516e86e92b9efdb1e1c1964cd .

And I was already mentioned this issue to rpaulo@ on FreeBSD-current list.


----------



## junovitch@ (Apr 26, 2015)

Thanks, Zer0P. I opened PR 199721 earlier this afternoon with patches for base and had put rpaulo@ on the CC list.  The security/wpa_supplicant port had been patched already yesterday and I worked with marino@ this morning to get the security/vuxml entry in place to flag the old version.


----------

