EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP peer) was discovered not to validate fragmentation reassembly state properly for a case where an unexpected fragment could be received. This could result in process termination due to NULL pointer dereference.
Created wpa_supplicant tracking bugs for this issue: Affects: fedora-all [bug 1703418]
References: https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-with-unexpected-fragment.txt
Upstream patches: https://w1.fi/cgit/hostap/commit/?id=d2d1a324ce937628e4d9d9999fe113819b7d4478 https://w1.fi/cgit/hostap/commit/?id=fe76f487e28bdc61940f304f153a954cf36935ea
External References: https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-with-unexpected-fragment.txt
Created hostapd tracking bugs for this issue: Affects: epel-all [bug 1712959] Affects: fedora-all [bug 1712958]
Statement: This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 5, and 6 as they did not include support for EAP-pwd. This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 7, and 8 as they are not compiled with EAP-pwd enabled. In particular, the CONFIG_EAP_PWD=y option is not set at compile time.