On 21 September 2016 at 03:47, Zhixiong Chi <zhixiong....@windriver.com> wrote:
> +From ecbb0b3dc122b0d290987cf9c84010bbe53e1022 Mon Sep 17 00:00:00 2001 > +From: Jouni Malinen <jo...@qca.qualcomm.com> > +Date: Fri, 4 Mar 2016 17:20:18 +0200 > +Subject: [PATCH 1/2] WPS: Reject a Credential with invalid passphrase > + > +WPA/WPA2-Personal passphrase is not allowed to include control > +characters. Reject a Credential received from a WPS Registrar both as > +STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or > +WPA2PSK authentication type and includes an invalid passphrase. > + > +This fixes an issue where hostapd or wpa_supplicant could have updated > +the configuration file PSK/passphrase parameter with arbitrary data from > +an external device (Registrar) that may not be fully trusted. Should > +such data include a newline character, the resulting configuration file > +could become invalid and fail to be parsed. > + > +Upstream-Status: Backport > + > +Signed-off-by: Jouni Malinen <jo...@qca.qualcomm.com> >

Please add your own s-o-b to the patch header, and as it fixes a CVE then a CVE tag (CVE: CVE-2016-4476) too.

Ross
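
Review bot: The embedded header's Subject line reads "[PATCH 1/2]", so this backport is the first half of a two-patch upstream series and only this half is visible in the quoted part. Confirm that 2/2 is carried in the same submission with the same Upstream-Status, Signed-off-by and CVE tags, or say in this header why it is not needed.
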
--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core