MFC eeb26cf52c4c51e1571253d57684c442aa79a98d:

wpa: import fix for P2P provision discovery processing vulnerability

Latest version available from: https://w1.fi/security/2021-1/

Vulnerability

A vulnerability was discovered in how wpa_supplicant processes P2P
(Wi-Fi Direct) provision discovery requests. Under a corner case
condition, an invalid Provision Discovery Request frame could end up
reaching a state where the oldest peer entry needs to be removed. With
a suitably constructed invalid frame, this could result in use
(read+write) of freed memory. This can result in an attacker within
radio range of the device running P2P discovery being able to cause
unexpected behavior, including termination of the wpa_supplicant process
and potentially code execution.

Vulnerable versions/configurations

wpa_supplicant v1.0-v2.9 with CONFIG_P2P build option enabled

An attacker (or a system controlled by the attacker) needs to be within
radio range of the vulnerable system to send a set of suitably
constructed management frames that trigger the corner case to be reached
in the management of the P2P peer table.

Note: FreeBSD base does not enable P2P.
(cherry picked from commit eeb26cf52c4c51e1571253d57684c442aa79a98d)

1 files changed, 5 insertions, 7 deletions

diff --git a/contrib/wpa/src/p2p/p2p_pd.c b/contrib/wpa/src/p2p/p2p_pd.c
index 3994ec03f86b..05fd593494ef 100644
--- a/contrib/wpa/src/p2p/p2p_pd.c
+++ b/contrib/wpa/src/p2p/p2p_pd.c
@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
 			goto out;
 		}
 
+		dev = p2p_get_device(p2p, sa);
 		if (!dev) {
-			dev = p2p_get_device(p2p, sa);
-			if (!dev) {
-				p2p_dbg(p2p,
-					"Provision Discovery device not found "
-					MACSTR, MAC2STR(sa));
-				goto out;
-			}
+			p2p_dbg(p2p,
+				"Provision Discovery device not found "
+				MACSTR, MAC2STR(sa));
+			goto out;
 		}
 	} else if (msg.wfd_subelems) {
 		wpabuf_free(dev->info.wfd_subelems);