summaryrefslogtreecommitdiffstats
path: root/meta-oe/recipes-connectivity/hostapd
diff options
context:
space:
mode:
authorwangmy <wangmy@fujitsu.com>2022-01-25 21:19:02 +0800
committerKhem Raj <raj.khem@gmail.com>2022-01-25 10:56:04 -0800
commit16bda7854217d4665e98a736476c117ad2d26802 (patch)
tree557f3ea13b7252a70082df06bbaeb3318f5bffff /meta-oe/recipes-connectivity/hostapd
parent985385ff73c2d06bf72f2c41805c823437d44ecb (diff)
downloadmeta-openembedded-16bda7854217d4665e98a736476c117ad2d26802.tar.gz
hostapd: upgrade 2.9 -> 2.10
0001-Prepare-for-CVE-2021-30004.patch.patch CVE-2019-16275.patch CVE-2019-5061.patch CVE-2021-0326.patch CVE-2021-27803.patch CVE-2021-30004.patch removed since they're included in 2.10 License-Update: year updated to 2022. Changelog: ========= * SAE changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] - added option send SAE Confirm immediately (sae_config_immediate=1) after SAE Commit - added support for the hash-to-element mechanism (sae_pwe=1 or sae_pwe=2) - fixed PMKSA caching with OKC - added support for SAE-PK * EAP-pwd changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] * fixed WPS UPnP SUBSCRIBE handling of invalid operations [https://w1.fi/security/2020-1/] * fixed PMF disconnection protection bypass [https://w1.fi/security/2019-7/] * added support for using OpenSSL 3.0 * fixed various issues in experimental support for EAP-TEAP server * added configuration (max_auth_rounds, max_auth_rounds_short) to increase the maximum number of EAP message exchanges (mainly to support cases with very large certificates) for the EAP server * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol) * extended HE (IEEE 802.11ax) support, including 6 GHz support * removed obsolete IAPP functionality * fixed EAP-FAST server with TLS GCM/CCM ciphers * dropped support for libnl 1.1 * added support for nl80211 control port for EAPOL frame TX/RX * fixed OWE key derivation with groups 20 and 21; this breaks backwards compatibility for these groups while the default group 19 remains backwards compatible; owe_ptk_workaround=1 can be used to enabled a a workaround for the group 20/21 backwards compatibility * added support for Beacon protection * added support for Extended Key ID for pairwise keys * removed WEP support from the default build (CONFIG_WEP=y can be used to enable it, if really needed) * added a build option to remove TKIP support (CONFIG_NO_TKIP=y) * added support for Transition Disable mechanism to allow the AP to automatically disable transition mode to improve security * added support for PASN * added EAP-TLS server support for TLS 1.3 (disabled by default for now) * a large number of other fixes, cleanup, and extensions Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-oe/recipes-connectivity/hostapd')
-rw-r--r--meta-oe/recipes-connectivity/hostapd/hostapd/0001-Prepare-for-CVE-2021-30004.patch.patch45
-rw-r--r--meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-16275.patch79
-rw-r--r--meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-5061.patch854
-rw-r--r--meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch43
-rw-r--r--meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch54
-rw-r--r--meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch123
-rw-r--r--meta-oe/recipes-connectivity/hostapd/hostapd_2.10.bb (renamed from meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb)12
7 files changed, 3 insertions, 1207 deletions
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/0001-Prepare-for-CVE-2021-30004.patch.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/0001-Prepare-for-CVE-2021-30004.patch.patch
deleted file mode 100644
index 1bedb4f753..0000000000
--- a/meta-oe/recipes-connectivity/hostapd/hostapd/0001-Prepare-for-CVE-2021-30004.patch.patch
+++ /dev/null
@@ -1,45 +0,0 @@
1From 14fab0772db19297c82dd1b8612c9335369dce41 Mon Sep 17 00:00:00 2001
2From: Alexander Vickberg <wickbergster@gmail.com>
3Date: Mon, 17 May 2021 17:54:13 +0200
4Subject: [PATCH] Prepare for CVE-2021-30004.patch
5
6Without this building fails for CONFIG_TLS=internal
7
8Signed-off-by: Alexander Vickberg <wickbergster@gmail.com>
9---
10 src/tls/asn1.h | 6 ++++++
11 src/utils/includes.h | 1 +
12 2 files changed, 7 insertions(+)
13
14diff --git a/src/tls/asn1.h b/src/tls/asn1.h
15index 6bd7df5..77b94ef 100644
16--- a/src/tls/asn1.h
17+++ b/src/tls/asn1.h
18@@ -66,6 +66,12 @@ void asn1_oid_to_str(const struct asn1_oid *oid, char *buf, size_t len);
19 unsigned long asn1_bit_string_to_long(const u8 *buf, size_t len);
20 int asn1_oid_equal(const struct asn1_oid *a, const struct asn1_oid *b);
21
22+static inline bool asn1_is_null(const struct asn1_hdr *hdr)
23+{
24+ return hdr->class == ASN1_CLASS_UNIVERSAL &&
25+ hdr->tag == ASN1_TAG_NULL;
26+}
27+
28 extern struct asn1_oid asn1_sha1_oid;
29 extern struct asn1_oid asn1_sha256_oid;
30
31diff --git a/src/utils/includes.h b/src/utils/includes.h
32index 75513fc..741fc9c 100644
33--- a/src/utils/includes.h
34+++ b/src/utils/includes.h
35@@ -18,6 +18,7 @@
36
37 #include <stdlib.h>
38 #include <stddef.h>
39+#include <stdbool.h>
40 #include <stdio.h>
41 #include <stdarg.h>
42 #include <string.h>
43--
442.25.1
45
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-16275.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-16275.patch
deleted file mode 100644
index 9cefd4f2ad..0000000000
--- a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-16275.patch
+++ /dev/null
@@ -1,79 +0,0 @@
1From d86d66dc073bc21d3b12faf4112062ae00c1773f Mon Sep 17 00:00:00 2001
2From: Jouni Malinen <j@w1.fi>
3Date: Thu, 29 Aug 2019 11:52:04 +0300
4Subject: AP: Silently ignore management frame from unexpected source
5address
6
7Do not process any received Management frames with unexpected/invalid SA
8so that we do not add any state for unexpected STA addresses or end up
9sending out frames to unexpected destination. This prevents unexpected
10sequences where an unprotected frame might end up causing the AP to send
11out a response to another device and that other device processing the
12unexpected response.
13
14In particular, this prevents some potential denial of service cases
15where the unexpected response frame from the AP might result in a
16connected station dropping its association.
17
18Upstream-Status: Accepted
19CVE: CVE-2019-16275
20
21Reference to upstream patch:
22https://w1.fi/cgit/hostap/commit/?id=d86d66dc073bc21d3b12faf4112062ae00c1773f
23
24Signed-off-by: Jouni Malinen <j@w1.fi>
25---
26 src/ap/drv_callbacks.c | 13 +++++++++++++
27 src/ap/ieee802_11.c | 12 ++++++++++++
28 2 files changed, 25 insertions(+)
29
30diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
31index 3158768..34ca379 100644
32--- a/src/ap/drv_callbacks.c
33+++ b/src/ap/drv_callbacks.c
34@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
35 "hostapd_notif_assoc: Skip event with no address");
36 return -1;
37 }
38+
39+ if (is_multicast_ether_addr(addr) ||
40+ is_zero_ether_addr(addr) ||
41+ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
42+ /* Do not process any frames with unexpected/invalid SA so that
43+ * we do not add any state for unexpected STA addresses or end
44+ * up sending out frames to unexpected destination. */
45+ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
46+ " in received indication - ignore this indication silently",
47+ __func__, MAC2STR(addr));
48+ return 0;
49+ }
50+
51 random_add_randomness(addr, ETH_ALEN);
52
53 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
54diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
55index c85a28d..2816812 100644
56--- a/src/ap/ieee802_11.c
57+++ b/src/ap/ieee802_11.c
58@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
59 fc = le_to_host16(mgmt->frame_control);
60 stype = WLAN_FC_GET_STYPE(fc);
61
62+ if (is_multicast_ether_addr(mgmt->sa) ||
63+ is_zero_ether_addr(mgmt->sa) ||
64+ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
65+ /* Do not process any frames with unexpected/invalid SA so that
66+ * we do not add any state for unexpected STA addresses or end
67+ * up sending out frames to unexpected destination. */
68+ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
69+ " in received frame - ignore this frame silently",
70+ MAC2STR(mgmt->sa));
71+ return 0;
72+ }
73+
74 if (stype == WLAN_FC_STYPE_BEACON) {
75 handle_beacon(hapd, mgmt, len, fi);
76 return 1;
77--
782.17.1
79
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-5061.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-5061.patch
deleted file mode 100644
index 9214615d12..0000000000
--- a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-5061.patch
+++ /dev/null
@@ -1,854 +0,0 @@
1From 018edec9b2bd3db20605117c32ff79c1e625c432 Mon Sep 17 00:00:00 2001
2From: Jouni Malinen <j@w1.fi>
3Date: Wed, 11 Sep 2019 12:34:28 +0300
4Subject: [PATCH] Remove IAPP functionality from hostapd
5
6IEEE Std 802.11F-2003 was withdrawn in 2006 and as such it has not been
7maintained nor is there any expectation of the withdrawn trial-use
8recommended practice to be maintained in the future. Furthermore,
9implementation of IAPP in hostapd was not complete, i.e., only parts of
10the recommended practice were included. The main item of some real use
11long time ago was the Layer 2 Update frame to update bridges when a STA
12roams within an ESS, but that functionality has, in practice, been moved
13to kernel drivers to provide better integration with the networking
14stack.
15
16CVE: CVE-2019-5061
17
18Upstream-Status: Backport
19
20Signed-off-by: Jouni Malinen <j@w1.fi>
21Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
22---
23 hostapd/Android.mk | 5 -
24 hostapd/Makefile | 5 -
25 hostapd/android.config | 3 -
26 hostapd/config_file.c | 3 +-
27 hostapd/defconfig | 3 -
28 hostapd/hostapd.conf | 6 -
29 hostapd/main.c | 3 -
30 src/ap/Makefile | 2 -
31 src/ap/ap_config.h | 4 -
32 src/ap/hostapd.c | 14 -
33 src/ap/hostapd.h | 2 -
34 src/ap/iapp.c | 542 ----------------------
35 src/ap/iapp.h | 39 --
36 src/utils/wpa_debug.h | 1 -
37 14 files changed, 1 insertion(+), 633 deletions(-)
38 delete mode 100644 src/ap/iapp.c
39 delete mode 100644 src/ap/iapp.h
40
41diff --git a/hostapd/Android.mk b/hostapd/Android.mk
42index 3183323ef..a87ac8144 100644
43--- a/hostapd/Android.mk
44+++ b/hostapd/Android.mk
45@@ -205,11 +205,6 @@ endif
46
47 L_CFLAGS += -DCONFIG_CTRL_IFACE -DCONFIG_CTRL_IFACE_UNIX
48
49-ifdef CONFIG_IAPP
50-L_CFLAGS += -DCONFIG_IAPP
51-OBJS += src/ap/iapp.c
52-endif
53-
54 ifdef CONFIG_RSN_PREAUTH
55 L_CFLAGS += -DCONFIG_RSN_PREAUTH
56 CONFIG_L2_PACKET=y
57diff --git a/hostapd/Makefile b/hostapd/Makefile
58index f7f4c785b..42bb9e4c8 100644
59--- a/hostapd/Makefile
60+++ b/hostapd/Makefile
61@@ -248,11 +248,6 @@ ifndef CONFIG_NO_CTRL_IFACE
62 CFLAGS += -DCONFIG_CTRL_IFACE
63 endif
64
65-ifdef CONFIG_IAPP
66-CFLAGS += -DCONFIG_IAPP
67-OBJS += ../src/ap/iapp.o
68-endif
69-
70 ifdef CONFIG_RSN_PREAUTH
71 CFLAGS += -DCONFIG_RSN_PREAUTH
72 CONFIG_L2_PACKET=y
73diff --git a/hostapd/android.config b/hostapd/android.config
74index efe252332..e2e6c7821 100644
75--- a/hostapd/android.config
76+++ b/hostapd/android.config
77@@ -38,9 +38,6 @@ CONFIG_DRIVER_NL80211_QCA=y
78 # Driver interface for no driver (e.g., RADIUS server only)
79 #CONFIG_DRIVER_NONE=y
80
81-# IEEE 802.11F/IAPP
82-#CONFIG_IAPP=y
83-
84 # WPA2/IEEE 802.11i RSN pre-authentication
85 #CONFIG_RSN_PREAUTH=y
86
87diff --git a/hostapd/config_file.c b/hostapd/config_file.c
88index 680f17ee0..0d340d252 100644
89--- a/hostapd/config_file.c
90+++ b/hostapd/config_file.c
91@@ -2712,8 +2712,7 @@ static int hostapd_config_fill(struct hostapd_config *conf,
92 bss->eapol_key_index_workaround = atoi(pos);
93 #ifdef CONFIG_IAPP
94 } else if (os_strcmp(buf, "iapp_interface") == 0) {
95- bss->ieee802_11f = 1;
96- os_strlcpy(bss->iapp_iface, pos, sizeof(bss->iapp_iface));
97+ wpa_printf(MSG_INFO, "DEPRECATED: iapp_interface not used");
98 #endif /* CONFIG_IAPP */
99 } else if (os_strcmp(buf, "own_ip_addr") == 0) {
100 if (hostapd_parse_ip_addr(pos, &bss->own_ip_addr)) {
101diff --git a/hostapd/defconfig b/hostapd/defconfig
102index b1fb56c3b..1a3d9f9ba 100644
103--- a/hostapd/defconfig
104+++ b/hostapd/defconfig
105@@ -44,9 +44,6 @@ CONFIG_LIBNL32=y
106 # Driver interface for no driver (e.g., RADIUS server only)
107 #CONFIG_DRIVER_NONE=y
108
109-# IEEE 802.11F/IAPP
110-CONFIG_IAPP=y
111-
112 # WPA2/IEEE 802.11i RSN pre-authentication
113 CONFIG_RSN_PREAUTH=y
114
115diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
116index 6c96a760a..a3c698480 100644
117--- a/hostapd/hostapd.conf
118+++ b/hostapd/hostapd.conf
119@@ -41,7 +41,6 @@ interface=wlan0
120 # bit 2 (4) = RADIUS
121 # bit 3 (8) = WPA
122 # bit 4 (16) = driver interface
123-# bit 5 (32) = IAPP
124 # bit 6 (64) = MLME
125 #
126 # Levels (minimum value for logged events):
127@@ -1243,11 +1242,6 @@ eap_server=0
128 # Whether to enable ERP on the EAP server.
129 #eap_server_erp=1
130
131-##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) #######################
132-
133-# Interface to be used for IAPP broadcast packets
134-#iapp_interface=eth0
135-
136
137 ##### RADIUS client configuration #############################################
138 # for IEEE 802.1X with external Authentication Server, IEEE 802.11
139diff --git a/hostapd/main.c b/hostapd/main.c
140index 08896ffe2..8bfe24281 100644
141--- a/hostapd/main.c
142+++ b/hostapd/main.c
143@@ -81,9 +81,6 @@ static void hostapd_logger_cb(void *ctx, const u8 *addr, unsigned int module,
144 case HOSTAPD_MODULE_DRIVER:
145 module_str = "DRIVER";
146 break;
147- case HOSTAPD_MODULE_IAPP:
148- module_str = "IAPP";
149- break;
150 case HOSTAPD_MODULE_MLME:
151 module_str = "MLME";
152 break;
153diff --git a/src/ap/Makefile b/src/ap/Makefile
154index bd3f33b77..54e48a0dd 100644
155--- a/src/ap/Makefile
156+++ b/src/ap/Makefile
157@@ -18,7 +18,6 @@ CFLAGS += -DCONFIG_IEEE80211R_AP
158 CFLAGS += -DCONFIG_WPS
159 CFLAGS += -DCONFIG_PROXYARP
160 CFLAGS += -DCONFIG_IPV6
161-CFLAGS += -DCONFIG_IAPP
162 CFLAGS += -DCONFIG_AIRTIME_POLICY
163
164 LIB_OBJS= \
165@@ -41,7 +40,6 @@ LIB_OBJS= \
166 hostapd.o \
167 hs20.o \
168 hw_features.o \
169- iapp.o \
170 ieee802_11_auth.o \
171 ieee802_11.o \
172 ieee802_11_ht.o \
173diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
174index e219160b0..17eb0682b 100644
175--- a/src/ap/ap_config.h
176+++ b/src/ap/ap_config.h
177@@ -325,10 +325,6 @@ struct hostapd_bss_config {
178 int erp_send_reauth_start;
179 char *erp_domain;
180
181- int ieee802_11f; /* use IEEE 802.11f (IAPP) */
182- char iapp_iface[IFNAMSIZ + 1]; /* interface used with IAPP broadcast
183- * frames */
184-
185 enum macaddr_acl {
186 ACCEPT_UNLESS_DENIED = 0,
187 DENY_UNLESS_ACCEPTED = 1,
188diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
189index ef988b634..bf7b1f89e 100644
190--- a/src/ap/hostapd.c
191+++ b/src/ap/hostapd.c
192@@ -28,7 +28,6 @@
193 #include "accounting.h"
194 #include "ap_list.h"
195 #include "beacon.h"
196-#include "iapp.h"
197 #include "ieee802_1x.h"
198 #include "ieee802_11_auth.h"
199 #include "vlan_init.h"
200@@ -361,8 +360,6 @@ static void hostapd_free_hapd_data(struct hostapd_data *hapd)
201 hapd->beacon_set_done = 0;
202
203 wpa_printf(MSG_DEBUG, "%s(%s)", __func__, hapd->conf->iface);
204- iapp_deinit(hapd->iapp);
205- hapd->iapp = NULL;
206 accounting_deinit(hapd);
207 hostapd_deinit_wpa(hapd);
208 vlan_deinit(hapd);
209@@ -1296,13 +1293,6 @@ static int hostapd_setup_bss(struct hostapd_data *hapd, int first)
210 return -1;
211 }
212
213- if (conf->ieee802_11f &&
214- (hapd->iapp = iapp_init(hapd, conf->iapp_iface)) == NULL) {
215- wpa_printf(MSG_ERROR, "IEEE 802.11F (IAPP) initialization "
216- "failed.");
217- return -1;
218- }
219-
220 #ifdef CONFIG_INTERWORKING
221 if (gas_serv_init(hapd)) {
222 wpa_printf(MSG_ERROR, "GAS server initialization failed");
223@@ -3056,10 +3046,6 @@ void hostapd_new_assoc_sta(struct hostapd_data *hapd, struct sta_info *sta,
224 hostapd_prune_associations(hapd, sta->addr);
225 ap_sta_clear_disconnect_timeouts(hapd, sta);
226
227- /* IEEE 802.11F (IAPP) */
228- if (hapd->conf->ieee802_11f)
229- iapp_new_station(hapd->iapp, sta);
230-
231 #ifdef CONFIG_P2P
232 if (sta->p2p_ie == NULL && !sta->no_p2p_set) {
233 sta->no_p2p_set = 1;
234diff --git a/src/ap/hostapd.h b/src/ap/hostapd.h
235index 5b859b8a9..2358d1664 100644
236--- a/src/ap/hostapd.h
237+++ b/src/ap/hostapd.h
238@@ -179,8 +179,6 @@ struct hostapd_data {
239 u64 acct_session_id;
240 struct radius_das_data *radius_das;
241
242- struct iapp_data *iapp;
243-
244 struct hostapd_cached_radius_acl *acl_cache;
245 struct hostapd_acl_query_data *acl_queries;
246
247diff --git a/src/ap/iapp.c b/src/ap/iapp.c
248deleted file mode 100644
249index 2556da30c..000000000
250--- a/src/ap/iapp.c
251+++ /dev/null
252@@ -1,542 +0,0 @@
253-/*
254- * hostapd / IEEE 802.11F-2003 Inter-Access Point Protocol (IAPP)
255- * Copyright (c) 2002-2007, Jouni Malinen <j@w1.fi>
256- *
257- * This software may be distributed under the terms of the BSD license.
258- * See README for more details.
259- *
260- * Note: IEEE 802.11F-2003 was a experimental use specification. It has expired
261- * and IEEE has withdrawn it. In other words, it is likely better to look at
262- * using some other mechanism for AP-to-AP communication than extending the
263- * implementation here.
264- */
265-
266-/* TODO:
267- * Level 1: no administrative or security support
268- * (e.g., static BSSID to IP address mapping in each AP)
269- * Level 2: support for dynamic mapping of BSSID to IP address
270- * Level 3: support for encryption and authentication of IAPP messages
271- * - add support for MOVE-notify and MOVE-response (this requires support for
272- * finding out IP address for previous AP using RADIUS)
273- * - add support for Send- and ACK-Security-Block to speedup IEEE 802.1X during
274- * reassociation to another AP
275- * - implement counters etc. for IAPP MIB
276- * - verify endianness of fields in IAPP messages; are they big-endian as
277- * used here?
278- * - RADIUS connection for AP registration and BSSID to IP address mapping
279- * - TCP connection for IAPP MOVE, CACHE
280- * - broadcast ESP for IAPP ADD-notify
281- * - ESP for IAPP MOVE messages
282- * - security block sending/processing
283- * - IEEE 802.11 context transfer
284- */
285-
286-#include "utils/includes.h"
287-#include <net/if.h>
288-#include <sys/ioctl.h>
289-#include <netpacket/packet.h>
290-
291-#include "utils/common.h"
292-#include "utils/eloop.h"
293-#include "common/ieee802_11_defs.h"
294-#include "hostapd.h"
295-#include "ap_config.h"
296-#include "ieee802_11.h"
297-#include "sta_info.h"
298-#include "iapp.h"
299-
300-
301-#define IAPP_MULTICAST "224.0.1.178"
302-#define IAPP_UDP_PORT 3517
303-#define IAPP_TCP_PORT 3517
304-
305-struct iapp_hdr {
306- u8 version;
307- u8 command;
308- be16 identifier;
309- be16 length;
310- /* followed by length-6 octets of data */
311-} __attribute__ ((packed));
312-
313-#define IAPP_VERSION 0
314-
315-enum IAPP_COMMAND {
316- IAPP_CMD_ADD_notify = 0,
317- IAPP_CMD_MOVE_notify = 1,
318- IAPP_CMD_MOVE_response = 2,
319- IAPP_CMD_Send_Security_Block = 3,
320- IAPP_CMD_ACK_Security_Block = 4,
321- IAPP_CMD_CACHE_notify = 5,
322- IAPP_CMD_CACHE_response = 6,
323-};
324-
325-
326-/* ADD-notify - multicast UDP on the local LAN */
327-struct iapp_add_notify {
328- u8 addr_len; /* ETH_ALEN */
329- u8 reserved;
330- u8 mac_addr[ETH_ALEN];
331- be16 seq_num;
332-} __attribute__ ((packed));
333-
334-
335-/* Layer 2 Update frame (802.2 Type 1 LLC XID Update response) */
336-struct iapp_layer2_update {
337- u8 da[ETH_ALEN]; /* broadcast */
338- u8 sa[ETH_ALEN]; /* STA addr */
339- be16 len; /* 6 */
340- u8 dsap; /* null DSAP address */
341- u8 ssap; /* null SSAP address, CR=Response */
342- u8 control;
343- u8 xid_info[3];
344-} __attribute__ ((packed));
345-
346-
347-/* MOVE-notify - unicast TCP */
348-struct iapp_move_notify {
349- u8 addr_len; /* ETH_ALEN */
350- u8 reserved;
351- u8 mac_addr[ETH_ALEN];
352- u16 seq_num;
353- u16 ctx_block_len;
354- /* followed by ctx_block_len bytes */
355-} __attribute__ ((packed));
356-
357-
358-/* MOVE-response - unicast TCP */
359-struct iapp_move_response {
360- u8 addr_len; /* ETH_ALEN */
361- u8 status;
362- u8 mac_addr[ETH_ALEN];
363- u16 seq_num;
364- u16 ctx_block_len;
365- /* followed by ctx_block_len bytes */
366-} __attribute__ ((packed));
367-
368-enum {
369- IAPP_MOVE_SUCCESSFUL = 0,
370- IAPP_MOVE_DENIED = 1,
371- IAPP_MOVE_STALE_MOVE = 2,
372-};
373-
374-
375-/* CACHE-notify */
376-struct iapp_cache_notify {
377- u8 addr_len; /* ETH_ALEN */
378- u8 reserved;
379- u8 mac_addr[ETH_ALEN];
380- u16 seq_num;
381- u8 current_ap[ETH_ALEN];
382- u16 ctx_block_len;
383- /* ctx_block_len bytes of context block followed by 16-bit context
384- * timeout */
385-} __attribute__ ((packed));
386-
387-
388-/* CACHE-response - unicast TCP */
389-struct iapp_cache_response {
390- u8 addr_len; /* ETH_ALEN */
391- u8 status;
392- u8 mac_addr[ETH_ALEN];
393- u16 seq_num;
394-} __attribute__ ((packed));
395-
396-enum {
397- IAPP_CACHE_SUCCESSFUL = 0,
398- IAPP_CACHE_STALE_CACHE = 1,
399-};
400-
401-
402-/* Send-Security-Block - unicast TCP */
403-struct iapp_send_security_block {
404- u8 iv[8];
405- u16 sec_block_len;
406- /* followed by sec_block_len bytes of security block */
407-} __attribute__ ((packed));
408-
409-
410-/* ACK-Security-Block - unicast TCP */
411-struct iapp_ack_security_block {
412- u8 iv[8];
413- u8 new_ap_ack_authenticator[48];
414-} __attribute__ ((packed));
415-
416-
417-struct iapp_data {
418- struct hostapd_data *hapd;
419- u16 identifier; /* next IAPP identifier */
420- struct in_addr own, multicast;
421- int udp_sock;
422- int packet_sock;
423-};
424-
425-
426-static void iapp_send_add(struct iapp_data *iapp, u8 *mac_addr, u16 seq_num)
427-{
428- char buf[128];
429- struct iapp_hdr *hdr;
430- struct iapp_add_notify *add;
431- struct sockaddr_in addr;
432-
433- /* Send IAPP ADD-notify to remove possible association from other APs
434- */
435-
436- hdr = (struct iapp_hdr *) buf;
437- hdr->version = IAPP_VERSION;
438- hdr->command = IAPP_CMD_ADD_notify;
439- hdr->identifier = host_to_be16(iapp->identifier++);
440- hdr->length = host_to_be16(sizeof(*hdr) + sizeof(*add));
441-
442- add = (struct iapp_add_notify *) (hdr + 1);
443- add->addr_len = ETH_ALEN;
444- add->reserved = 0;
445- os_memcpy(add->mac_addr, mac_addr, ETH_ALEN);
446-
447- add->seq_num = host_to_be16(seq_num);
448-
449- os_memset(&addr, 0, sizeof(addr));
450- addr.sin_family = AF_INET;
451- addr.sin_addr.s_addr = iapp->multicast.s_addr;
452- addr.sin_port = htons(IAPP_UDP_PORT);
453- if (sendto(iapp->udp_sock, buf, (char *) (add + 1) - buf, 0,
454- (struct sockaddr *) &addr, sizeof(addr)) < 0)
455- wpa_printf(MSG_INFO, "sendto[IAPP-ADD]: %s", strerror(errno));
456-}
457-
458-
459-static void iapp_send_layer2_update(struct iapp_data *iapp, u8 *addr)
460-{
461- struct iapp_layer2_update msg;
462-
463- /* Send Level 2 Update Frame to update forwarding tables in layer 2
464- * bridge devices */
465-
466- /* 802.2 Type 1 Logical Link Control (LLC) Exchange Identifier (XID)
467- * Update response frame; IEEE Std 802.2-1998, 5.4.1.2.1 */
468-
469- os_memset(msg.da, 0xff, ETH_ALEN);
470- os_memcpy(msg.sa, addr, ETH_ALEN);
471- msg.len = host_to_be16(6);
472- msg.dsap = 0; /* NULL DSAP address */
473- msg.ssap = 0x01; /* NULL SSAP address, CR Bit: Response */
474- msg.control = 0xaf; /* XID response lsb.1111F101.
475- * F=0 (no poll command; unsolicited frame) */
476- msg.xid_info[0] = 0x81; /* XID format identifier */
477- msg.xid_info[1] = 1; /* LLC types/classes: Type 1 LLC */
478- msg.xid_info[2] = 1 << 1; /* XID sender's receive window size (RW)
479- * FIX: what is correct RW with 802.11? */
480-
481- if (send(iapp->packet_sock, &msg, sizeof(msg), 0) < 0)
482- wpa_printf(MSG_INFO, "send[L2 Update]: %s", strerror(errno));
483-}
484-
485-
486-/**
487- * iapp_new_station - IAPP processing for a new STA
488- * @iapp: IAPP data
489- * @sta: The associated station
490- */
491-void iapp_new_station(struct iapp_data *iapp, struct sta_info *sta)
492-{
493- u16 seq = 0; /* TODO */
494-
495- if (iapp == NULL)
496- return;
497-
498- /* IAPP-ADD.request(MAC Address, Sequence Number, Timeout) */
499- hostapd_logger(iapp->hapd, sta->addr, HOSTAPD_MODULE_IAPP,
500- HOSTAPD_LEVEL_DEBUG, "IAPP-ADD.request(seq=%d)", seq);
501- iapp_send_layer2_update(iapp, sta->addr);
502- iapp_send_add(iapp, sta->addr, seq);
503-
504- /* TODO: If this was reassociation:
505- * IAPP-MOVE.request(MAC Address, Sequence Number, Old AP,
506- * Context Block, Timeout)
507- * TODO: Send IAPP-MOVE to the old AP; Map Old AP BSSID to
508- * IP address */
509-}
510-
511-
512-static void iapp_process_add_notify(struct iapp_data *iapp,
513- struct sockaddr_in *from,
514- struct iapp_hdr *hdr, int len)
515-{
516- struct iapp_add_notify *add = (struct iapp_add_notify *) (hdr + 1);
517- struct sta_info *sta;
518-
519- if (len != sizeof(*add)) {
520- wpa_printf(MSG_INFO, "Invalid IAPP-ADD packet length %d (expected %lu)",
521- len, (unsigned long) sizeof(*add));
522- return;
523- }
524-
525- sta = ap_get_sta(iapp->hapd, add->mac_addr);
526-
527- /* IAPP-ADD.indication(MAC Address, Sequence Number) */
528- hostapd_logger(iapp->hapd, add->mac_addr, HOSTAPD_MODULE_IAPP,
529- HOSTAPD_LEVEL_INFO,
530- "Received IAPP ADD-notify (seq# %d) from %s:%d%s",
531- be_to_host16(add->seq_num),
532- inet_ntoa(from->sin_addr), ntohs(from->sin_port),
533- sta ? "" : " (STA not found)");
534-
535- if (!sta)
536- return;
537-
538- /* TODO: could use seq_num to try to determine whether last association
539- * to this AP is newer than the one advertised in IAPP-ADD. Although,
540- * this is not really a reliable verification. */
541-
542- hostapd_logger(iapp->hapd, add->mac_addr, HOSTAPD_MODULE_IAPP,
543- HOSTAPD_LEVEL_DEBUG,
544- "Removing STA due to IAPP ADD-notify");
545- ap_sta_disconnect(iapp->hapd, sta, NULL, 0);
546-}
547-
548-
549-/**
550- * iapp_receive_udp - Process IAPP UDP frames
551- * @sock: File descriptor for the socket
552- * @eloop_ctx: IAPP data (struct iapp_data *)
553- * @sock_ctx: Not used
554- */
555-static void iapp_receive_udp(int sock, void *eloop_ctx, void *sock_ctx)
556-{
557- struct iapp_data *iapp = eloop_ctx;
558- int len, hlen;
559- unsigned char buf[128];
560- struct sockaddr_in from;
561- socklen_t fromlen;
562- struct iapp_hdr *hdr;
563-
564- /* Handle incoming IAPP frames (over UDP/IP) */
565-
566- fromlen = sizeof(from);
567- len = recvfrom(iapp->udp_sock, buf, sizeof(buf), 0,
568- (struct sockaddr *) &from, &fromlen);
569- if (len < 0) {
570- wpa_printf(MSG_INFO, "iapp_receive_udp - recvfrom: %s",
571- strerror(errno));
572- return;
573- }
574-
575- if (from.sin_addr.s_addr == iapp->own.s_addr)
576- return; /* ignore own IAPP messages */
577-
578- hostapd_logger(iapp->hapd, NULL, HOSTAPD_MODULE_IAPP,
579- HOSTAPD_LEVEL_DEBUG,
580- "Received %d byte IAPP frame from %s%s\n",
581- len, inet_ntoa(from.sin_addr),
582- len < (int) sizeof(*hdr) ? " (too short)" : "");
583-
584- if (len < (int) sizeof(*hdr))
585- return;
586-
587- hdr = (struct iapp_hdr *) buf;
588- hlen = be_to_host16(hdr->length);
589- hostapd_logger(iapp->hapd, NULL, HOSTAPD_MODULE_IAPP,
590- HOSTAPD_LEVEL_DEBUG,
591- "RX: version=%d command=%d id=%d len=%d\n",
592- hdr->version, hdr->command,
593- be_to_host16(hdr->identifier), hlen);
594- if (hdr->version != IAPP_VERSION) {
595- wpa_printf(MSG_INFO, "Dropping IAPP frame with unknown version %d",
596- hdr->version);
597- return;
598- }
599- if (hlen > len) {
600- wpa_printf(MSG_INFO, "Underflow IAPP frame (hlen=%d len=%d)",
601- hlen, len);
602- return;
603- }
604- if (hlen < len) {
605- wpa_printf(MSG_INFO, "Ignoring %d extra bytes from IAPP frame",
606- len - hlen);
607- len = hlen;
608- }
609-
610- switch (hdr->command) {
611- case IAPP_CMD_ADD_notify:
612- iapp_process_add_notify(iapp, &from, hdr, len - sizeof(*hdr));
613- break;
614- case IAPP_CMD_MOVE_notify:
615- /* TODO: MOVE is using TCP; so move this to TCP handler once it
616- * is implemented.. */
617- /* IAPP-MOVE.indication(MAC Address, New BSSID,
618- * Sequence Number, AP Address, Context Block) */
619- /* TODO: process */
620- break;
621- default:
622- wpa_printf(MSG_INFO, "Unknown IAPP command %d", hdr->command);
623- break;
624- }
625-}
626-
627-
628-struct iapp_data * iapp_init(struct hostapd_data *hapd, const char *iface)
629-{
630- struct ifreq ifr;
631- struct sockaddr_ll addr;
632- int ifindex;
633- struct sockaddr_in *paddr, uaddr;
634- struct iapp_data *iapp;
635- struct ip_mreqn mreq;
636- int reuseaddr = 1;
637-
638- iapp = os_zalloc(sizeof(*iapp));
639- if (iapp == NULL)
640- return NULL;
641- iapp->hapd = hapd;
642- iapp->udp_sock = iapp->packet_sock = -1;
643-
644- /* TODO:
645- * open socket for sending and receiving IAPP frames over TCP
646- */
647-
648- iapp->udp_sock = socket(PF_INET, SOCK_DGRAM, 0);
649- if (iapp->udp_sock < 0) {
650- wpa_printf(MSG_INFO, "iapp_init - socket[PF_INET,SOCK_DGRAM]: %s",
651- strerror(errno));
652- iapp_deinit(iapp);
653- return NULL;
654- }
655-
656- os_memset(&ifr, 0, sizeof(ifr));
657- os_strlcpy(ifr.ifr_name, iface, sizeof(ifr.ifr_name));
658- if (ioctl(iapp->udp_sock, SIOCGIFINDEX, &ifr) != 0) {
659- wpa_printf(MSG_INFO, "iapp_init - ioctl(SIOCGIFINDEX): %s",
660- strerror(errno));
661- iapp_deinit(iapp);
662- return NULL;
663- }
664- ifindex = ifr.ifr_ifindex;
665-
666- if (ioctl(iapp->udp_sock, SIOCGIFADDR, &ifr) != 0) {
667- wpa_printf(MSG_INFO, "iapp_init - ioctl(SIOCGIFADDR): %s",
668- strerror(errno));
669- iapp_deinit(iapp);
670- return NULL;
671- }
672- paddr = (struct sockaddr_in *) &ifr.ifr_addr;
673- if (paddr->sin_family != AF_INET) {
674- wpa_printf(MSG_INFO, "IAPP: Invalid address family %i (SIOCGIFADDR)",
675- paddr->sin_family);
676- iapp_deinit(iapp);
677- return NULL;
678- }
679- iapp->own.s_addr = paddr->sin_addr.s_addr;
680-
681- if (ioctl(iapp->udp_sock, SIOCGIFBRDADDR, &ifr) != 0) {
682- wpa_printf(MSG_INFO, "iapp_init - ioctl(SIOCGIFBRDADDR): %s",
683- strerror(errno));
684- iapp_deinit(iapp);
685- return NULL;
686- }
687- paddr = (struct sockaddr_in *) &ifr.ifr_addr;
688- if (paddr->sin_family != AF_INET) {
689- wpa_printf(MSG_INFO, "Invalid address family %i (SIOCGIFBRDADDR)",
690- paddr->sin_family);
691- iapp_deinit(iapp);
692- return NULL;
693- }
694- inet_aton(IAPP_MULTICAST, &iapp->multicast);
695-
696- os_memset(&uaddr, 0, sizeof(uaddr));
697- uaddr.sin_family = AF_INET;
698- uaddr.sin_port = htons(IAPP_UDP_PORT);
699-
700- if (setsockopt(iapp->udp_sock, SOL_SOCKET, SO_REUSEADDR, &reuseaddr,
701- sizeof(reuseaddr)) < 0) {
702- wpa_printf(MSG_INFO,
703- "iapp_init - setsockopt[UDP,SO_REUSEADDR]: %s",
704- strerror(errno));
705- /*
706- * Ignore this and try to continue. This is fine for single
707- * BSS cases, but may fail if multiple BSSes enable IAPP.
708- */
709- }
710-
711- if (bind(iapp->udp_sock, (struct sockaddr *) &uaddr,
712- sizeof(uaddr)) < 0) {
713- wpa_printf(MSG_INFO, "iapp_init - bind[UDP]: %s",
714- strerror(errno));
715- iapp_deinit(iapp);
716- return NULL;
717- }
718-
719- os_memset(&mreq, 0, sizeof(mreq));
720- mreq.imr_multiaddr = iapp->multicast;
721- mreq.imr_address.s_addr = INADDR_ANY;
722- mreq.imr_ifindex = 0;
723- if (setsockopt(iapp->udp_sock, SOL_IP, IP_ADD_MEMBERSHIP, &mreq,
724- sizeof(mreq)) < 0) {
725- wpa_printf(MSG_INFO, "iapp_init - setsockopt[UDP,IP_ADD_MEMBERSHIP]: %s",
726- strerror(errno));
727- iapp_deinit(iapp);
728- return NULL;
729- }
730-
731- iapp->packet_sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
732- if (iapp->packet_sock < 0) {
733- wpa_printf(MSG_INFO, "iapp_init - socket[PF_PACKET,SOCK_RAW]: %s",
734- strerror(errno));
735- iapp_deinit(iapp);
736- return NULL;
737- }
738-
739- os_memset(&addr, 0, sizeof(addr));
740- addr.sll_family = AF_PACKET;
741- addr.sll_ifindex = ifindex;
742- if (bind(iapp->packet_sock, (struct sockaddr *) &addr,
743- sizeof(addr)) < 0) {
744- wpa_printf(MSG_INFO, "iapp_init - bind[PACKET]: %s",
745- strerror(errno));
746- iapp_deinit(iapp);
747- return NULL;
748- }
749-
750- if (eloop_register_read_sock(iapp->udp_sock, iapp_receive_udp,
751- iapp, NULL)) {
752- wpa_printf(MSG_INFO, "Could not register read socket for IAPP");
753- iapp_deinit(iapp);
754- return NULL;
755- }
756-
757- wpa_printf(MSG_INFO, "IEEE 802.11F (IAPP) using interface %s", iface);
758-
759- /* TODO: For levels 2 and 3: send RADIUS Initiate-Request, receive
760- * RADIUS Initiate-Accept or Initiate-Reject. IAPP port should actually
761- * be openned only after receiving Initiate-Accept. If Initiate-Reject
762- * is received, IAPP is not started. */
763-
764- return iapp;
765-}
766-
767-
768-void iapp_deinit(struct iapp_data *iapp)
769-{
770- struct ip_mreqn mreq;
771-
772- if (iapp == NULL)
773- return;
774-
775- if (iapp->udp_sock >= 0) {
776- os_memset(&mreq, 0, sizeof(mreq));
777- mreq.imr_multiaddr = iapp->multicast;
778- mreq.imr_address.s_addr = INADDR_ANY;
779- mreq.imr_ifindex = 0;
780- if (setsockopt(iapp->udp_sock, SOL_IP, IP_DROP_MEMBERSHIP,
781- &mreq, sizeof(mreq)) < 0) {
782- wpa_printf(MSG_INFO, "iapp_deinit - setsockopt[UDP,IP_DEL_MEMBERSHIP]: %s",
783- strerror(errno));
784- }
785-
786- eloop_unregister_read_sock(iapp->udp_sock);
787- close(iapp->udp_sock);
788- }
789- if (iapp->packet_sock >= 0) {
790- eloop_unregister_read_sock(iapp->packet_sock);
791- close(iapp->packet_sock);
792- }
793- os_free(iapp);
794-}
795diff --git a/src/ap/iapp.h b/src/ap/iapp.h
796deleted file mode 100644
797index c22118342..000000000
798--- a/src/ap/iapp.h
799+++ /dev/null
800@@ -1,39 +0,0 @@
801-/*
802- * hostapd / IEEE 802.11F-2003 Inter-Access Point Protocol (IAPP)
803- * Copyright (c) 2002-2005, Jouni Malinen <j@w1.fi>
804- *
805- * This software may be distributed under the terms of the BSD license.
806- * See README for more details.
807- */
808-
809-#ifndef IAPP_H
810-#define IAPP_H
811-
812-struct iapp_data;
813-
814-#ifdef CONFIG_IAPP
815-
816-void iapp_new_station(struct iapp_data *iapp, struct sta_info *sta);
817-struct iapp_data * iapp_init(struct hostapd_data *hapd, const char *iface);
818-void iapp_deinit(struct iapp_data *iapp);
819-
820-#else /* CONFIG_IAPP */
821-
822-static inline void iapp_new_station(struct iapp_data *iapp,
823- struct sta_info *sta)
824-{
825-}
826-
827-static inline struct iapp_data * iapp_init(struct hostapd_data *hapd,
828- const char *iface)
829-{
830- return NULL;
831-}
832-
833-static inline void iapp_deinit(struct iapp_data *iapp)
834-{
835-}
836-
837-#endif /* CONFIG_IAPP */
838-
839-#endif /* IAPP_H */
840diff --git a/src/utils/wpa_debug.h b/src/utils/wpa_debug.h
841index 1fe0b7db7..c94c4391f 100644
842--- a/src/utils/wpa_debug.h
843+++ b/src/utils/wpa_debug.h
844@@ -305,7 +305,6 @@ void hostapd_logger_register_cb(hostapd_logger_cb_func func);
845 #define HOSTAPD_MODULE_RADIUS 0x00000004
846 #define HOSTAPD_MODULE_WPA 0x00000008
847 #define HOSTAPD_MODULE_DRIVER 0x00000010
848-#define HOSTAPD_MODULE_IAPP 0x00000020
849 #define HOSTAPD_MODULE_MLME 0x00000040
850
851 enum hostapd_logger_level {
852--
8532.17.1
854
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch
deleted file mode 100644
index 54c405b539..0000000000
--- a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch
+++ /dev/null
@@ -1,43 +0,0 @@
1From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
2From: Jouni Malinen <jouni@codeaurora.org>
3Date: Mon, 9 Nov 2020 11:43:12 +0200
4Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
5 client
6
7Parsing and copying of WPS secondary device types list was verifying
8that the contents is not too long for the internal maximum in the case
9of WPS messages, but similar validation was missing from the case of P2P
10group information which encodes this information in a different
11attribute. This could result in writing beyond the memory area assigned
12for these entries and corrupting memory within an instance of struct
13p2p_device. This could result in invalid operations and unexpected
14behavior when trying to free pointers from that corrupted memory.
15
16CVE: CVE-2021-0326
17
18Upstream-Status: Backport
19
20Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
21Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
22Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
23Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
24---
25 src/p2p/p2p.c | 2 ++
26 1 file changed, 2 insertions(+)
27
28diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
29index 74b7b52ae..5cbfc217f 100644
30--- a/src/p2p/p2p.c
31+++ b/src/p2p/p2p.c
32@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
33 dev->info.config_methods = cli->config_methods;
34 os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
35 dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
36+ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
37+ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
38 os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
39 dev->info.wps_sec_dev_type_list_len);
40 }
41--
422.17.1
43
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch
deleted file mode 100644
index fedff76b18..0000000000
--- a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch
+++ /dev/null
@@ -1,54 +0,0 @@
1From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
2From: Jouni Malinen <jouni@codeaurora.org>
3Date: Tue, 8 Dec 2020 23:52:50 +0200
4Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
5
6p2p_add_device() may remove the oldest entry if there is no room in the
7peer table for a new peer. This would result in any pointer to that
8removed entry becoming stale. A corner case with an invalid PD Request
9frame could result in such a case ending up using (read+write) freed
10memory. This could only by triggered when the peer table has reached its
11maximum size and the PD Request frame is received from the P2P Device
12Address of the oldest remaining entry and the frame has incorrect P2P
13Device Address in the payload.
14
15Fix this by fetching the dev pointer again after having called
16p2p_add_device() so that the stale pointer cannot be used.
17
18CVE: CVE-2021-27803
19
20Upstream-Status: Backport
21
22Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
23Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
24---
25 src/p2p/p2p_pd.c | 12 +++++-------
26 1 file changed, 5 insertions(+), 7 deletions(-)
27
28diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
29index 3994ec03f..05fd59349 100644
30--- a/src/p2p/p2p_pd.c
31+++ b/src/p2p/p2p_pd.c
32@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
33 goto out;
34 }
35
36+ dev = p2p_get_device(p2p, sa);
37 if (!dev) {
38- dev = p2p_get_device(p2p, sa);
39- if (!dev) {
40- p2p_dbg(p2p,
41- "Provision Discovery device not found "
42- MACSTR, MAC2STR(sa));
43- goto out;
44- }
45+ p2p_dbg(p2p,
46+ "Provision Discovery device not found "
47+ MACSTR, MAC2STR(sa));
48+ goto out;
49 }
50 } else if (msg.wfd_subelems) {
51 wpabuf_free(dev->info.wfd_subelems);
52--
532.17.1
54
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch
deleted file mode 100644
index e2540fc26b..0000000000
--- a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch
+++ /dev/null
@@ -1,123 +0,0 @@
1From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001
2From: Jouni Malinen <j@w1.fi>
3Date: Sat, 13 Mar 2021 18:19:31 +0200
4Subject: [PATCH] ASN.1: Validate DigestAlgorithmIdentifier parameters
5
6The supported hash algorithms do not use AlgorithmIdentifier parameters.
7However, there are implementations that include NULL parameters in
8addition to ones that omit the parameters. Previous implementation did
9not check the parameters value at all which supported both these cases,
10but did not reject any other unexpected information.
11
12Use strict validation of digest algorithm parameters and reject any
13unexpected value when validating a signature. This is needed to prevent
14potential forging attacks.
15
16Signed-off-by: Jouni Malinen <j@w1.fi>
17
18Upstream-Status: Backport
19CVE: CVE-2021-30004
20
21Reference to upstream patch:
22[https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15]
23
24Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
25---
26 src/tls/pkcs1.c | 21 +++++++++++++++++++++
27 src/tls/x509v3.c | 20 ++++++++++++++++++++
28 2 files changed, 41 insertions(+)
29
30diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c
31index 141ac50..e09db07 100644
32--- a/src/tls/pkcs1.c
33+++ b/src/tls/pkcs1.c
34@@ -240,6 +240,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
35 os_free(decrypted);
36 return -1;
37 }
38+ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo",
39+ hdr.payload, hdr.length);
40
41 pos = hdr.payload;
42 end = pos + hdr.length;
43@@ -261,6 +263,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
44 os_free(decrypted);
45 return -1;
46 }
47+ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier",
48+ hdr.payload, hdr.length);
49 da_end = hdr.payload + hdr.length;
50
51 if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
52@@ -269,6 +273,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
53 os_free(decrypted);
54 return -1;
55 }
56+ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters",
57+ next, da_end - next);
58+
59+ /*
60+ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
61+ * omit the parameters, but there are implementation that encode these
62+ * as a NULL element. Allow these two cases and reject anything else.
63+ */
64+ if (da_end > next &&
65+ (asn1_get_next(next, da_end - next, &hdr) < 0 ||
66+ !asn1_is_null(&hdr) ||
67+ hdr.payload + hdr.length != da_end)) {
68+ wpa_printf(MSG_DEBUG,
69+ "PKCS #1: Unexpected digest algorithm parameters");
70+ os_free(decrypted);
71+ return -1;
72+ }
73
74 if (!asn1_oid_equal(&oid, hash_alg)) {
75 char txt[100], txt2[100];
76diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
77index 1bd5aa0..bf2289f 100644
78--- a/src/tls/x509v3.c
79+++ b/src/tls/x509v3.c
80@@ -1834,6 +1834,7 @@ int x509_check_signature(struct x509_certificate *issuer,
81 os_free(data);
82 return -1;
83 }
84+ wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length);
85
86 pos = hdr.payload;
87 end = pos + hdr.length;
88@@ -1855,6 +1856,8 @@ int x509_check_signature(struct x509_certificate *issuer,
89 os_free(data);
90 return -1;
91 }
92+ wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier",
93+ hdr.payload, hdr.length);
94 da_end = hdr.payload + hdr.length;
95
96 if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
97@@ -1862,6 +1865,23 @@ int x509_check_signature(struct x509_certificate *issuer,
98 os_free(data);
99 return -1;
100 }
101+ wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters",
102+ next, da_end - next);
103+
104+ /*
105+ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
106+ * omit the parameters, but there are implementation that encode these
107+ * as a NULL element. Allow these two cases and reject anything else.
108+ */
109+ if (da_end > next &&
110+ (asn1_get_next(next, da_end - next, &hdr) < 0 ||
111+ !asn1_is_null(&hdr) ||
112+ hdr.payload + hdr.length != da_end)) {
113+ wpa_printf(MSG_DEBUG,
114+ "X509: Unexpected digest algorithm parameters");
115+ os_free(data);
116+ return -1;
117+ }
118
119 if (x509_sha1_oid(&oid)) {
120 if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) {
121--
1222.17.1
123
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb b/meta-oe/recipes-connectivity/hostapd/hostapd_2.10.bb
index 3356f45ca1..dbdc5c1bdf 100644
--- a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd_2.10.bb
@@ -2,7 +2,7 @@ SUMMARY = "User space daemon for extended IEEE 802.11 management"
2HOMEPAGE = "http://w1.fi/hostapd/" 2HOMEPAGE = "http://w1.fi/hostapd/"
3SECTION = "kernel/userland" 3SECTION = "kernel/userland"
4LICENSE = "BSD-3-Clause" 4LICENSE = "BSD-3-Clause"
5LIC_FILES_CHKSUM = "file://hostapd/README;md5=1ec986bec88070e2a59c68c95d763f89" 5LIC_FILES_CHKSUM = "file://hostapd/README;md5=c905478466c90f1cefc0df987c40e172"
6 6
7DEPENDS = "libnl openssl" 7DEPENDS = "libnl openssl"
8 8
@@ -11,16 +11,10 @@ SRC_URI = " \
11 file://defconfig \ 11 file://defconfig \
12 file://init \ 12 file://init \
13 file://hostapd.service \ 13 file://hostapd.service \
14 file://0001-Prepare-for-CVE-2021-30004.patch.patch \
15 file://CVE-2019-16275.patch \
16 file://CVE-2019-5061.patch \
17 file://CVE-2021-0326.patch \
18 file://CVE-2021-27803.patch \
19 file://CVE-2021-30004.patch \
20" 14"
21 15
22SRC_URI[md5sum] = "f188fc53a495fe7af3b6d77d3c31dee8" 16
23SRC_URI[sha256sum] = "881d7d6a90b2428479288d64233151448f8990ab4958e0ecaca7eeb3c9db2bd7" 17SRC_URI[sha256sum] = "206e7c799b678572c2e3d12030238784bc4a9f82323b0156b4c9466f1498915d"
24 18
25S = "${WORKDIR}/hostapd-${PV}" 19S = "${WORKDIR}/hostapd-${PV}"
26B = "${WORKDIR}/hostapd-${PV}/hostapd" 20B = "${WORKDIR}/hostapd-${PV}/hostapd"
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2026-04-22 18:13:12 +0000