2 files changed, 80 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-16275.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-16275.patch
new file mode 100644
index 0000000000..9cefd4f2ad
--- /dev/null
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-16275.patch
@@ -0,0 +1,79 @@
+From d86d66dc073bc21d3b12faf4112062ae00c1773f Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Thu, 29 Aug 2019 11:52:04 +0300
+Subject: AP: Silently ignore management frame from unexpected source
+address
+Do not process any received Management frames with unexpected/invalid SA
+so that we do not add any state for unexpected STA addresses or end up
+sending out frames to unexpected destination. This prevents unexpected
+sequences where an unprotected frame might end up causing the AP to send
+out a response to another device and that other device processing the
+unexpected response.
+In particular, this prevents some potential denial of service cases
+where the unexpected response frame from the AP might result in a
+connected station dropping its association.
+Upstream-Status: Accepted
+CVE: CVE-2019-16275
+Reference to upstream patch:
+https://w1.fi/cgit/hostap/commit/?id=d86d66dc073bc21d3b12faf4112062ae00c1773f
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/drv_callbacks.c | 13 +++++++++++++
+ src/ap/ieee802_11.c    | 12 ++++++++++++
+ 2 files changed, 25 insertions(+)
+diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
+index 3158768..34ca379 100644
+--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
+@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
+                           "hostapd_notif_assoc: Skip event with no address");
+                return -1;
+        }
+
+       if (is_multicast_ether_addr(addr) ||
+           is_zero_ether_addr(addr) ||
+           os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
+               /* Do not process any frames with unexpected/invalid SA so that
+                * we do not add any state for unexpected STA addresses or end
+                * up sending out frames to unexpected destination. */
+               wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
+                          " in received indication - ignore this indication silently",
+                          __func__, MAC2STR(addr));
+               return 0;
+       }
+
+        random_add_randomness(addr, ETH_ALEN);
+ 
+        hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index c85a28d..2816812 100644
+--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
+@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
+        fc = le_to_host16(mgmt->frame_control);
+        stype = WLAN_FC_GET_STYPE(fc);
+ 
+       if (is_multicast_ether_addr(mgmt->sa) ||
+           is_zero_ether_addr(mgmt->sa) ||
+           os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
+               /* Do not process any frames with unexpected/invalid SA so that
+                * we do not add any state for unexpected STA addresses or end
+                * up sending out frames to unexpected destination. */
+               wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
+                          " in received frame - ignore this frame silently",
+                          MAC2STR(mgmt->sa));
+               return 0;
+       }
+
+        if (stype == WLAN_FC_STYPE_BEACON) {
+                handle_beacon(hapd, mgmt, len, fi);
+                return 1;
+-- 
+2.17.1
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
index 982514f5df..68dc123702 100644
--- a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
@@ -11,6 +11,7 @@ SRC_URI = " \
    file://defconfig \
    file://init \
    file://hostapd.service \
+    file://CVE-2019-16275.patch \
 "
 SRC_URI[md5sum] = "f188fc53a495fe7af3b6d77d3c31dee8"

diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-16275.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-16275.patch new file mode 100644 index 0000000000..9cefd4f2ad --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-16275.patch
@@ -0,0 +1,79 @@
		1	From d86d66dc073bc21d3b12faf4112062ae00c1773f Mon Sep 17 00:00:00 2001
		2	From: Jouni Malinen <j@w1.fi>
		3	Date: Thu, 29 Aug 2019 11:52:04 +0300
		4	Subject: AP: Silently ignore management frame from unexpected source
		5	address
		6
		7	Do not process any received Management frames with unexpected/invalid SA
		8	so that we do not add any state for unexpected STA addresses or end up
		9	sending out frames to unexpected destination. This prevents unexpected
		10	sequences where an unprotected frame might end up causing the AP to send
		11	out a response to another device and that other device processing the
		12	unexpected response.
		13
		14	In particular, this prevents some potential denial of service cases
		15	where the unexpected response frame from the AP might result in a
		16	connected station dropping its association.
		17
		18	Upstream-Status: Accepted
		19	CVE: CVE-2019-16275
		20
		21	Reference to upstream patch:
		22	https://w1.fi/cgit/hostap/commit/?id=d86d66dc073bc21d3b12faf4112062ae00c1773f
		23
		24	Signed-off-by: Jouni Malinen <j@w1.fi>
		25	---
		26	src/ap/drv_callbacks.c \| 13 +++++++++++++
		27	src/ap/ieee802_11.c \| 12 ++++++++++++
		28	2 files changed, 25 insertions(+)
		29
		30	diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
		31	index 3158768..34ca379 100644
		32	--- a/src/ap/drv_callbacks.c
		33	+++ b/src/ap/drv_callbacks.c
		34	@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data hapd, const u8 addr,
		35	"hostapd_notif_assoc: Skip event with no address");
		36	return -1;
		37	}
		38	+
		39	+ if (is_multicast_ether_addr(addr) \|\|
		40	+ is_zero_ether_addr(addr) \|\|
		41	+ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
		42	+ /* Do not process any frames with unexpected/invalid SA so that
		43	+ * we do not add any state for unexpected STA addresses or end
		44	+ * up sending out frames to unexpected destination. */
		45	+ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
		46	+ " in received indication - ignore this indication silently",
		47	+ __func__, MAC2STR(addr));
		48	+ return 0;
		49	+ }
		50	+
		51	random_add_randomness(addr, ETH_ALEN);
		52
		53	hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
		54	diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
		55	index c85a28d..2816812 100644
		56	--- a/src/ap/ieee802_11.c
		57	+++ b/src/ap/ieee802_11.c
		58	@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data hapd, const u8 buf, size_t len,
		59	fc = le_to_host16(mgmt->frame_control);
		60	stype = WLAN_FC_GET_STYPE(fc);
		61
		62	+ if (is_multicast_ether_addr(mgmt->sa) \|\|
		63	+ is_zero_ether_addr(mgmt->sa) \|\|
		64	+ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
		65	+ /* Do not process any frames with unexpected/invalid SA so that
		66	+ * we do not add any state for unexpected STA addresses or end
		67	+ * up sending out frames to unexpected destination. */
		68	+ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
		69	+ " in received frame - ignore this frame silently",
		70	+ MAC2STR(mgmt->sa));
		71	+ return 0;
		72	+ }
		73	+
		74	if (stype == WLAN_FC_STYPE_BEACON) {
		75	handle_beacon(hapd, mgmt, len, fi);
		76	return 1;
		77	--
		78	2.17.1
		79


diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb index 982514f5df..68dc123702 100644 --- a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb +++ b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
@@ -11,6 +11,7 @@ SRC_URI = " \
11	file://defconfig \	11	file://defconfig \
12	file://init \	12	file://init \
13	file://hostapd.service \	13	file://hostapd.service \
		14	file://CVE-2019-16275.patch \
14	"	15	"
15		16
16	SRC_URI[md5sum] = "f188fc53a495fe7af3b6d77d3c31dee8"	17	SRC_URI[md5sum] = "f188fc53a495fe7af3b6d77d3c31dee8"