summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRoss Burton <ross.burton@intel.com>2020-01-17 17:14:21 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-01-28 11:15:01 (GMT)
commiteb25d2fc66d6593a0e4807a7e6b812db5dc7d204 (patch)
tree091c2590d95711a84c76f55c9c68ed8b1576ef28
parent441f31d02f049d7519071f3e2175b91e4b59237d (diff)
downloadpoky-eb25d2fc66d6593a0e4807a7e6b812db5dc7d204.tar.gz
wpa-supplicant: fix CVE-2019-16275
(From OE-Core rev: 4b764c25d7396cba41c28c66a78a7a8f0ea3a5be) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch82
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb1
2 files changed, 83 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
new file mode 100644
index 0000000..7b0713c
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
@@ -0,0 +1,82 @@
1hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect indication
2of disconnection in certain situations because source address validation is
3mishandled. This is a denial of service that should have been prevented by PMF
4(aka management frame protection). The attacker must send a crafted 802.11 frame
5from a location that is within the 802.11 communications range.
6
7CVE: CVE-2019-16275
8Upstream-Status: Backport
9Signed-off-by: Ross Burton <ross.burton@intel.com>
10
11From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
12From: Jouni Malinen <j@w1.fi>
13Date: Thu, 29 Aug 2019 11:52:04 +0300
14Subject: [PATCH] AP: Silently ignore management frame from unexpected source
15 address
16
17Do not process any received Management frames with unexpected/invalid SA
18so that we do not add any state for unexpected STA addresses or end up
19sending out frames to unexpected destination. This prevents unexpected
20sequences where an unprotected frame might end up causing the AP to send
21out a response to another device and that other device processing the
22unexpected response.
23
24In particular, this prevents some potential denial of service cases
25where the unexpected response frame from the AP might result in a
26connected station dropping its association.
27
28Signed-off-by: Jouni Malinen <j@w1.fi>
29---
30 src/ap/drv_callbacks.c | 13 +++++++++++++
31 src/ap/ieee802_11.c | 12 ++++++++++++
32 2 files changed, 25 insertions(+)
33
34diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
35index 31587685fe3b..34ca379edc3d 100644
36--- a/src/ap/drv_callbacks.c
37+++ b/src/ap/drv_callbacks.c
38@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
39 "hostapd_notif_assoc: Skip event with no address");
40 return -1;
41 }
42+
43+ if (is_multicast_ether_addr(addr) ||
44+ is_zero_ether_addr(addr) ||
45+ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
46+ /* Do not process any frames with unexpected/invalid SA so that
47+ * we do not add any state for unexpected STA addresses or end
48+ * up sending out frames to unexpected destination. */
49+ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
50+ " in received indication - ignore this indication silently",
51+ __func__, MAC2STR(addr));
52+ return 0;
53+ }
54+
55 random_add_randomness(addr, ETH_ALEN);
56
57 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
58diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
59index c85a28db44b7..e7065372e158 100644
60--- a/src/ap/ieee802_11.c
61+++ b/src/ap/ieee802_11.c
62@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
63 fc = le_to_host16(mgmt->frame_control);
64 stype = WLAN_FC_GET_STYPE(fc);
65
66+ if (is_multicast_ether_addr(mgmt->sa) ||
67+ is_zero_ether_addr(mgmt->sa) ||
68+ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
69+ /* Do not process any frames with unexpected/invalid SA so that
70+ * we do not add any state for unexpected STA addresses or end
71+ * up sending out frames to unexpected destination. */
72+ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
73+ " in received frame - ignore this frame silently",
74+ MAC2STR(mgmt->sa));
75+ return 0;
76+ }
77+
78 if (stype == WLAN_FC_STYPE_BEACON) {
79 handle_beacon(hapd, mgmt, len, fi);
80 return 1;
81--
822.20.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb
index 277bbae..542bbf4 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.7.bb
@@ -41,6 +41,7 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
41 file://0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch \ 41 file://0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch \
42 file://0001-EAP-pwd-server-Fix-reassembly-buffer-handling.patch \ 42 file://0001-EAP-pwd-server-Fix-reassembly-buffer-handling.patch \
43 file://0003-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch \ 43 file://0003-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch \
44 file://0001-AP-Silently-ignore-management-frame-from-unexpected-.patch \
44 " 45 "
45SRC_URI[md5sum] = "a68538fb62766f40f890125026c42c10" 46SRC_URI[md5sum] = "a68538fb62766f40f890125026c42c10"
46SRC_URI[sha256sum] = "76ea6b06b7a2ea8e6d9eb1a9166166f1656e6d48c7508914f592100c95c73074" 47SRC_URI[sha256sum] = "76ea6b06b7a2ea8e6d9eb1a9166166f1656e6d48c7508914f592100c95c73074"