wpa-supplicant: fix CVE-2019-16275

(From OE-Core rev: 4b764c25d7396cba41c28c66a78a7a8f0ea3a5be) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross.burton@intel.com> 2020-01-17 19:14:21 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-01-28 11:15:01 +0000
commit: eb25d2fc66d6593a0e4807a7e6b812db5dc7d204 (patch)
tree: 091c2590d95711a84c76f55c9c68ed8b1576ef28
parent: 441f31d02f049d7519071f3e2175b91e4b59237d (diff)
download: poky-eb25d2fc66d6593a0e4807a7e6b812db5dc7d204.tar.gz
2 files changed, 83 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
new file mode 100644
index 0000000000..7b0713cf6d
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
@@ -0,0 +1,82 @@
+hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect indication
+of disconnection in certain situations because source address validation is
+mishandled. This is a denial of service that should have been prevented by PMF
+(aka management frame protection). The attacker must send a crafted 802.11 frame
+from a location that is within the 802.11 communications range.
+CVE: CVE-2019-16275
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Thu, 29 Aug 2019 11:52:04 +0300
+Subject: [PATCH] AP: Silently ignore management frame from unexpected source
+ address
+Do not process any received Management frames with unexpected/invalid SA
+so that we do not add any state for unexpected STA addresses or end up
+sending out frames to unexpected destination. This prevents unexpected
+sequences where an unprotected frame might end up causing the AP to send
+out a response to another device and that other device processing the
+unexpected response.
+In particular, this prevents some potential denial of service cases
+where the unexpected response frame from the AP might result in a
+connected station dropping its association.
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/drv_callbacks.c | 13 +++++++++++++
+ src/ap/ieee802_11.c    | 12 ++++++++++++
+ 2 files changed, 25 insertions(+)
+diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
+index 31587685fe3b..34ca379edc3d 100644
+--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
+@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
+                           "hostapd_notif_assoc: Skip event with no address");
+                return -1;
+        }
+
+       if (is_multicast_ether_addr(addr) ||
+           is_zero_ether_addr(addr) ||
+           os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
+               /* Do not process any frames with unexpected/invalid SA so that
+                * we do not add any state for unexpected STA addresses or end
+                * up sending out frames to unexpected destination. */
+               wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
+                          " in received indication - ignore this indication silently",
+                          __func__, MAC2STR(addr));
+               return 0;
+       }
+
+        random_add_randomness(addr, ETH_ALEN);
+ 
+        hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index c85a28db44b7..e7065372e158 100644
+--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
+@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
+        fc = le_to_host16(mgmt->frame_control);
+        stype = WLAN_FC_GET_STYPE(fc);
+ 
+       if (is_multicast_ether_addr(mgmt->sa) ||
+           is_zero_ether_addr(mgmt->sa) ||
+           os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
+               /* Do not process any frames with unexpected/invalid SA so that
+                * we do not add any state for unexpected STA addresses or end
+                * up sending out frames to unexpected destination. */
+               wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
+                          " in received frame - ignore this frame silently",
+                          MAC2STR(mgmt->sa));
+               return 0;
+       }
+
+        if (stype == WLAN_FC_STYPE_BEACON) {
+                handle_beacon(hapd, mgmt, len, fi);
+                return 1;
+-- 
+2.20.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb
index 277bbaec63..542bbf4a9a 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb
@@ -41,6 +41,7 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz  \
           file://0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch \
           file://0001-EAP-pwd-server-Fix-reassembly-buffer-handling.patch \
           file://0003-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch \
+           file://0001-AP-Silently-ignore-management-frame-from-unexpected-.patch \
          "
 SRC_URI[md5sum] = "a68538fb62766f40f890125026c42c10"
 SRC_URI[sha256sum] = "76ea6b06b7a2ea8e6d9eb1a9166166f1656e6d48c7508914f592100c95c73074"
author	Ross Burton <ross.burton@intel.com>	2020-01-17 19:14:21 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +0000
commit	eb25d2fc66d6593a0e4807a7e6b812db5dc7d204 (patch)
tree	091c2590d95711a84c76f55c9c68ed8b1576ef28
parent	441f31d02f049d7519071f3e2175b91e4b59237d (diff)
download	poky-eb25d2fc66d6593a0e4807a7e6b812db5dc7d204.tar.gz

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch new file mode 100644 index 0000000000..7b0713cf6d --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
@@ -0,0 +1,82 @@
		1	hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect indication
		2	of disconnection in certain situations because source address validation is
		3	mishandled. This is a denial of service that should have been prevented by PMF
		4	(aka management frame protection). The attacker must send a crafted 802.11 frame
		5	from a location that is within the 802.11 communications range.
		6
		7	CVE: CVE-2019-16275
		8	Upstream-Status: Backport
		9	Signed-off-by: Ross Burton <ross.burton@intel.com>
		10
		11	From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
		12	From: Jouni Malinen <j@w1.fi>
		13	Date: Thu, 29 Aug 2019 11:52:04 +0300
		14	Subject: [PATCH] AP: Silently ignore management frame from unexpected source
		15	address
		16
		17	Do not process any received Management frames with unexpected/invalid SA
		18	so that we do not add any state for unexpected STA addresses or end up
		19	sending out frames to unexpected destination. This prevents unexpected
		20	sequences where an unprotected frame might end up causing the AP to send
		21	out a response to another device and that other device processing the
		22	unexpected response.
		23
		24	In particular, this prevents some potential denial of service cases
		25	where the unexpected response frame from the AP might result in a
		26	connected station dropping its association.
		27
		28	Signed-off-by: Jouni Malinen <j@w1.fi>
		29	---
		30	src/ap/drv_callbacks.c \| 13 +++++++++++++
		31	src/ap/ieee802_11.c \| 12 ++++++++++++
		32	2 files changed, 25 insertions(+)
		33
		34	diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
		35	index 31587685fe3b..34ca379edc3d 100644
		36	--- a/src/ap/drv_callbacks.c
		37	+++ b/src/ap/drv_callbacks.c
		38	@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data hapd, const u8 addr,
		39	"hostapd_notif_assoc: Skip event with no address");
		40	return -1;
		41	}
		42	+
		43	+ if (is_multicast_ether_addr(addr) \|\|
		44	+ is_zero_ether_addr(addr) \|\|
		45	+ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
		46	+ /* Do not process any frames with unexpected/invalid SA so that
		47	+ * we do not add any state for unexpected STA addresses or end
		48	+ * up sending out frames to unexpected destination. */
		49	+ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
		50	+ " in received indication - ignore this indication silently",
		51	+ __func__, MAC2STR(addr));
		52	+ return 0;
		53	+ }
		54	+
		55	random_add_randomness(addr, ETH_ALEN);
		56
		57	hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
		58	diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
		59	index c85a28db44b7..e7065372e158 100644
		60	--- a/src/ap/ieee802_11.c
		61	+++ b/src/ap/ieee802_11.c
		62	@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data hapd, const u8 buf, size_t len,
		63	fc = le_to_host16(mgmt->frame_control);
		64	stype = WLAN_FC_GET_STYPE(fc);
		65
		66	+ if (is_multicast_ether_addr(mgmt->sa) \|\|
		67	+ is_zero_ether_addr(mgmt->sa) \|\|
		68	+ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
		69	+ /* Do not process any frames with unexpected/invalid SA so that
		70	+ * we do not add any state for unexpected STA addresses or end
		71	+ * up sending out frames to unexpected destination. */
		72	+ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
		73	+ " in received frame - ignore this frame silently",
		74	+ MAC2STR(mgmt->sa));
		75	+ return 0;
		76	+ }
		77	+
		78	if (stype == WLAN_FC_STYPE_BEACON) {
		79	handle_beacon(hapd, mgmt, len, fi);
		80	return 1;
		81	--
		82	2.20.1


diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb index 277bbaec63..542bbf4a9a 100644 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb
@@ -41,6 +41,7 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
41	file://0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch \	41	file://0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch \
42	file://0001-EAP-pwd-server-Fix-reassembly-buffer-handling.patch \	42	file://0001-EAP-pwd-server-Fix-reassembly-buffer-handling.patch \
43	file://0003-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch \	43	file://0003-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch \
		44	file://0001-AP-Silently-ignore-management-frame-from-unexpected-.patch \
44	"	45	"
45	SRC_URI[md5sum] = "a68538fb62766f40f890125026c42c10"	46	SRC_URI[md5sum] = "a68538fb62766f40f890125026c42c10"
46	SRC_URI[sha256sum] = "76ea6b06b7a2ea8e6d9eb1a9166166f1656e6d48c7508914f592100c95c73074"	47	SRC_URI[sha256sum] = "76ea6b06b7a2ea8e6d9eb1a9166166f1656e6d48c7508914f592100c95c73074"