
Bug 937419 (CVE-2015-8041) - VUL-1: CVE-2015-8041: wpa_supplicant,hostapd: Incomplete WPS and P2P NFC NDEF record payload length validation
Status: RESOLVED FIXED
Alias: CVE-2015-8041
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance (Priority : Severity): P3 - Medium : Normal
Target Milestone: ---
Assignee: Ruediger Oertel
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-07-08 16:20 UTC by Andreas Stieger
Modified: 2017-08-04 11:16 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch (2.35 KB, patch)
2015-07-08 16:20 UTC, Andreas Stieger

Description Andreas Stieger 2015-07-08 16:20:12 UTC
Created attachment 640395
0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch

via oss-sec: http://seclists.org/oss-sec/2015/q3/65

Incomplete WPS and P2P NFC NDEF record payload length validation

Published: July 8, 2015
The latest version available from: http://w1.fi/security/2015-5/


Vulnerability

A vulnerability was found in NDEF record parsing implementation in
hostapd and wpa_supplicant. This code is used when an NFC Tag or NFC
connection handover is used to trigger WPS or P2P operations. The parser
did include bounds checking for the NDEF record payload length, but due
to insufficient integer size, it was possible to trigger integer
overflow that would result in bypassing the validation step with some
malformed NDEF records.

This could result in denial of service due to hostapd/wpa_supplicant
process termination (buffer read overflow) or infinite loop. The issue
can be triggered only if the NFC stack on the device does not perform
required validation steps for received NFC messages before sending the
received message to hostapd/wpa_supplicant for processing.

It was possible for the 32-bit record->total_length value to end up
wrapping around due to integer overflow if the longer form of payload
length field is used and record->payload_length gets a value close to
2^32. This could result in ndef_parse_record() accepting a too large
payload length value and the record type filter reading up to about 20
bytes beyond the end of the buffer and potentially killing the process.
This could also result in an attempt to allocate close to 2^32 bytes of
heap memory and if that were to succeed, a buffer read overflow of the
same length which would most likely result in the process termination.
In case of record->total_length ending up getting the value 0, there
would be no buffer read overflow, but record parsing would result in an
infinite loop in ndef_parse_records().

Any of these error cases could potentially be used for denial of service
attacks over NFC by using a malformed NDEF record on an NFC Tag or
sending them during NFC connection handover if the application providing
the NDEF message to hostapd/wpa_supplicant did no validation of the
received NDEF records. While such validation is likely done in the NFC
stack that needs to parse the NFC messages before further processing,
hostapd/wpa_supplicant should have (re)confirmed NDEF message validity
properly.


Vulnerable versions/configurations

hostapd v0.7.0-v2.4 with CONFIG_WPS_NFC=y in the build configuration
(hostapd/.config) and NFC NDEF records passed to hostapd by the NFC
stack without validation.

wpa_supplicant v0.7.0-v2.4 with CONFIG_WPS_NFC=y in the build
configuration (wpa_supplicant/.config) and NFC NDEF records passed to
wpa_supplicant by the NFC stack without validation.

Note: No NFC stack implementation has yet been identified with
capability to pass the malformed NDEF record to
hostapd/wpa_supplicant. As such, it is not known whether this issue can
be triggered in practice.

As an alternative to an actual NFC operation trigger, the malformed NDEF
records could be provided by other applications running on the same
device if access to the hostapd/wpa_supplicant control interface is
available to untrusted components or users.


Acknowledgments

Coverity Scan discovered parts of this issue (insecure data
handling/TAINTED_SCALAR) and was the trigger for further manual review
of the parsing routine.


Possible mitigation steps

- Merge the following commit and rebuild hostapd/wpa_supplicant:

  NFC: Fix payload length validation in NDEF record parser

  This patch is available from http://w1.fi/security/2015-5/

- Update to hostapd/wpa_supplicant v2.5 or newer, once available

- Remove CONFIG_WPS_NFC=y from build configuration

- Confirm that the NFC stack does sufficient validation of the received
  NDEF records before passing them to hostapd/wpa_supplicant
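The length arithmetic the advisory describes, as an added C illustration that is not hostapd/wpa_supplicant code: the struct field names (type_length, payload_length, total_length) follow the advisory, while the function names, the header decoder, the hardened variant, the record-walking loop and the sample records are constructions for this example. It shows how a long-form PAYLOAD_LENGTH close to 2^32 makes a 32-bit total wrap to 0 (the infinite-loop case) or to a small value (the accepted-too-large-payload case), and how widening the sum before the bounds check closes both.

```c
#include <stdint.h>
#include <stdio.h>

#define NDEF_FLG_SR 0x10   /* Short Record: PAYLOAD_LENGTH is 1 byte, not 4 */
#define NDEF_FLG_IL 0x08   /* ID_LENGTH field present */

/* Field names follow the advisory; payload pointers are omitted because the
 * point of this example is the length arithmetic, not payload access. */
struct ndef_record {
    uint32_t type_length;
    uint32_t id_length;
    uint32_t payload_length;
    uint32_t total_length;
};

/* Decode the fixed NDEF header (NFC Forum NDEF 1.0 layout): flags,
 * TYPE_LENGTH, PAYLOAD_LENGTH (1 or 4 bytes), optional ID_LENGTH.
 * Returns the header length in bytes, or 0 if it does not fit in size. */
static uint32_t ndef_parse_header(const uint8_t *data, uint32_t size,
                                  struct ndef_record *r)
{
    const uint8_t *pos = data;
    uint8_t flags;

    if (size < 2)
        return 0;
    flags = *pos++;
    r->type_length = *pos++;
    if (flags & NDEF_FLG_SR) {
        if (size < 3)
            return 0;
        r->payload_length = *pos++;
    } else {
        if (size < 6)
            return 0;
        /* long form: 4-byte big-endian PAYLOAD_LENGTH, attacker-controlled */
        r->payload_length = ((uint32_t)pos[0] << 24) | ((uint32_t)pos[1] << 16) |
                            ((uint32_t)pos[2] << 8) | pos[3];
        pos += 4;
    }
    if (flags & NDEF_FLG_IL) {
        if ((uint32_t)(pos - data) >= size)
            return 0;
        r->id_length = *pos++;
    } else {
        r->id_length = 0;
    }
    return (uint32_t)(pos - data);
}

/* Vulnerable pattern, reconstructed from the advisory's description: the
 * lengths are summed in 32 bits and only the (possibly wrapped) sum is
 * compared against the buffer size. */
static int ndef_parse_record_vuln(const uint8_t *data, uint32_t size,
                                  struct ndef_record *r)
{
    uint32_t hdr = ndef_parse_header(data, size, r);
    if (hdr == 0)
        return -1;
    r->total_length = hdr + r->type_length + r->id_length + r->payload_length;
    if (r->total_length > size)   /* passes when the sum wrapped to <= size */
        return -1;
    return 0;
}

/* Hardened variant: widen to 64 bits before adding, so four 32-bit terms
 * cannot wrap; only then compare against the buffer size. */
static int ndef_parse_record_safe(const uint8_t *data, uint32_t size,
                                  struct ndef_record *r)
{
    uint32_t hdr = ndef_parse_header(data, size, r);
    uint64_t total;
    if (hdr == 0)
        return -1;
    total = (uint64_t)hdr + r->type_length + r->id_length + r->payload_length;
    if (total > size)
        return -1;
    r->total_length = (uint32_t)total;   /* <= size, so it fits and is >= 2 */
    return 0;
}

/* Walk all records in a message: returns the record count, -1 on a parse
 * error, or -2 if the loop made no progress within max_iter steps (the
 * infinite-loop case; the guard exists only so this demo terminates). */
static int ndef_count_records(const uint8_t *msg, uint32_t size, int use_safe,
                              int max_iter)
{
    uint32_t off = 0;
    int n = 0;
    while (off < size) {
        struct ndef_record r;
        int rc = use_safe ? ndef_parse_record_safe(msg + off, size - off, &r)
                          : ndef_parse_record_vuln(msg + off, size - off, &r);
        if (rc != 0)
            return -1;
        off += r.total_length;   /* total_length == 0 means no progress */
        if (++n > max_iter)
            return -2;
    }
    return n;
}

/* Constructed sample records for this example, not taken from any real tag. */
static const uint8_t good_rec[] = { 0xD1, 0x01, 0x03, 'T', 'a', 'b', 'c' };
/* long form, TYPE_LENGTH 2, PAYLOAD_LENGTH 0xFFFFFFF8: 6+2+0xFFFFFFF8 wraps to 0 */
static const uint8_t wrap_zero_rec[] = { 0xC1, 0x02, 0xFF, 0xFF, 0xFF, 0xF8, 'x', 'y' };
/* PAYLOAD_LENGTH 0xFFFFFFFC: 6+2+0xFFFFFFFC wraps to 4, which is <= size 8 */
static const uint8_t wrap_small_rec[] = { 0xC1, 0x02, 0xFF, 0xFF, 0xFF, 0xFC, 'x', 'y' };

int main(void)
{
    struct ndef_record r;
    int rc = ndef_parse_record_vuln(wrap_zero_rec, sizeof wrap_zero_rec, &r);
    printf("vuln: rc=%d total_length=%u payload_length=%u\n",
           rc, r.total_length, r.payload_length);
    printf("safe: rc=%d\n",
           ndef_parse_record_safe(wrap_zero_rec, sizeof wrap_zero_rec, &r));
    printf("loop: vuln=%d safe=%d\n",
           ndef_count_records(wrap_zero_rec, sizeof wrap_zero_rec, 0, 1000),
           ndef_count_records(wrap_zero_rec, sizeof wrap_zero_rec, 1, 1000));
    return 0;
}
```

The short-form record parses identically through both variants; the two long-form records are rejected by the widened check and accepted by the 32-bit one, the first with total_length 0 (so the record loop never advances) and the second with total_length 4 while payload_length still claims close to 4 GiB, which is the allocation and over-read case the advisory describes.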
Comment 1 Swamp Workflow Management 2015-07-08 22:00:33 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2015-07-09 09:35:24 UTC
SLE 12 wpa_supplicant 2.2 affected: CONFIG_WPS_NFC=y
Previous wpa_supplicant not affected, not configured

SLE does not ship hostapd

13.2 wpa_supplicant 2.2 affected: CONFIG_WPS_NFC=y
13.1 wpa_supplicant 2.0 not affected: #CONFIG_WPS_NFC=y

13.2 hostapd 2.1 affected: hostapd-2.1-defconfig.patch CONFIG_WPS_NFC=y
13.1 hostapd 2.0 affected: hostapd.diff CONFIG_WPS_NFC=y

DoS, and "No NFC stack implementation has yet been identified with
capability to pass the malformed NDEF record to hostapd/wpa_supplicant.
As such, it is not known whether this issue can be triggered in practice."

--> VUL-1.
Comment 3 Andreas Stieger 2015-07-09 09:50:16 UTC
for completeness... openSUSE Tumbleweed is affected.
Comment 6 Ruediger Oertel 2015-10-27 10:43:17 UTC
Tumbleweed/Factory: new version (2.5) submitted including this fix
Comment 7 Bernhard Wiedemann 2015-10-27 11:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (937419) was mentioned in
https://build.opensuse.org/request/show/341159 13.2 / wpa_supplicant
Comment 9 Bernhard Wiedemann 2015-10-27 12:01:55 UTC
This is an autogenerated message for OBS integration:
This bug (937419) was mentioned in
https://build.opensuse.org/request/show/341160 13.1 / wpa_supplicant
Comment 10 Sebastian Krahmer 2015-11-03 08:26:39 UTC
CVE-2015-8041
Comment 11 Swamp Workflow Management 2015-11-04 16:17:56 UTC
openSUSE-SU-2015:1912-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 937419
CVE References: 
Sources used:
openSUSE 13.2 (src):    wpa_supplicant-2.2-5.10.1
Comment 12 Swamp Workflow Management 2015-11-05 14:11:14 UTC
openSUSE-SU-2015:1920-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 937419
CVE References: 
Sources used:
openSUSE 13.1 (src):    wpa_supplicant-2.0-3.17.1
Comment 15 Swamp Workflow Management 2016-09-14 17:10:27 UTC
SUSE-SU-2016:2305-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 930077,930078,930079,937419,952254
CVE References: CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-5310,CVE-2015-8041
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    wpa_supplicant-2.2-14.2
SUSE Linux Enterprise Desktop 12-SP1 (src):    wpa_supplicant-2.2-14.2
Comment 16 Swamp Workflow Management 2016-09-23 14:12:22 UTC
openSUSE-SU-2016:2357-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 930077,930078,930079,937419,952254
CVE References: CVE-2015-4141,CVE-2015-4142,CVE-2015-4143,CVE-2015-5310,CVE-2015-8041
Sources used:
openSUSE Leap 42.1 (src):    wpa_supplicant-2.2-8.1
Comment 17 Johannes Segitz 2017-08-04 11:16:52 UTC
fixed