summaryrefslogtreecommitdiffstats
path: root/meta/recipes-connectivity
diff options
context:
space:
mode:
authorPeter Marko <peter.marko@siemens.com>2024-09-29 14:57:10 +0200
committerSteve Sakoman <steve@sakoman.com>2024-10-07 05:43:22 -0700
commit18329f8b1cf0dbabb8837e48ef91257389813e21 (patch)
tree3a57430e7288a50adff87d3208691d5d29aaf804 /meta/recipes-connectivity
parent27848b47b86cbdbe342b4f663b949aa43710071d (diff)
downloadpoky-18329f8b1cf0dbabb8837e48ef91257389813e21.tar.gz
wpa-supplicant: Patch security advisory 2024-2
Pick patches according to http://w1.fi/security/2024-2/sae-h2h-and-incomplete-downgrade-protection-for-group-negotiation.txt SAE H2E and incomplete downgrade protection for group negotiation (From OE-Core rev: 58b8ad7e33f47f06409be84430a8c2a22b4dd92f) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-connectivity')
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch52
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-SAE-Check-for-invalid-Rejected-Groups-element-length.patch50
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch38
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb3
4 files changed, 143 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
new file mode 100644
index 0000000000..5780f27f8b
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
@@ -0,0 +1,52 @@
1From 364c2da8741f0979dae497551e70b94c0e6c8636 Mon Sep 17 00:00:00 2001
2From: Jouni Malinen <j@w1.fi>
3Date: Sun, 7 Jul 2024 11:46:49 +0300
4Subject: [PATCH 1/3] SAE: Check for invalid Rejected Groups element length
5 explicitly
6
7Instead of practically ignoring an odd octet at the end of the element,
8check for such invalid case explicitly. This is needed to avoid a
9potential group downgrade attack.
10
11Signed-off-by: Jouni Malinen <j@w1.fi>
12
13CVE: CVE-2024-3596
14Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=364c2da8741f0979dae497551e70b94c0e6c8636]
15Signed-off-by: Peter Marko <peter.marko@siemens.com>
16---
17 src/ap/ieee802_11.c | 12 ++++++++++--
18 1 file changed, 10 insertions(+), 2 deletions(-)
19
20diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
21index db4104928..1a62e30cc 100644
22--- a/src/ap/ieee802_11.c
23+++ b/src/ap/ieee802_11.c
24@@ -1258,7 +1258,7 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd,
25 struct sae_data *sae)
26 {
27 const struct wpabuf *groups;
28- size_t i, count;
29+ size_t i, count, len;
30 const u8 *pos;
31
32 if (!sae->tmp)
33@@ -1268,7 +1268,15 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd,
34 return 0;
35
36 pos = wpabuf_head(groups);
37- count = wpabuf_len(groups) / 2;
38+ len = wpabuf_len(groups);
39+ if (len & 1) {
40+ wpa_printf(MSG_DEBUG,
41+ "SAE: Invalid length of the Rejected Groups element payload: %zu",
42+ len);
43+ return 1;
44+ }
45+
46+ count = len / 2;
47 for (i = 0; i < count; i++) {
48 int enabled;
49 u16 group;
50--
512.30.2
52
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-SAE-Check-for-invalid-Rejected-Groups-element-length.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
new file mode 100644
index 0000000000..3e96ae9e2e
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
@@ -0,0 +1,50 @@
1From 593a7c2f8c93edd6b552f2d42e28164464b4e6ff Mon Sep 17 00:00:00 2001
2From: Jouni Malinen <j@w1.fi>
3Date: Tue, 9 Jul 2024 23:33:38 +0300
4Subject: [PATCH 2/3] SAE: Check for invalid Rejected Groups element length
5 explicitly on STA
6
7Instead of practically ignoring an odd octet at the end of the element,
8check for such invalid case explicitly. This is needed to avoid a
9potential group downgrade attack.
10
11Fixes: 444d76f74f65 ("SAE: Check that peer's rejected groups are not enabled")
12Signed-off-by: Jouni Malinen <j@w1.fi>
13
14Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=593a7c2f8c93edd6b552f2d42e28164464b4e6ff]
15Signed-off-by: Peter Marko <peter.marko@siemens.com>
16---
17 wpa_supplicant/sme.c | 11 +++++++++--
18 1 file changed, 9 insertions(+), 2 deletions(-)
19
20diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
21index 7f43216c6..c7289f6a8 100644
22--- a/wpa_supplicant/sme.c
23+++ b/wpa_supplicant/sme.c
24@@ -1222,14 +1222,21 @@ static int sme_sae_is_group_enabled(struct wpa_supplicant *wpa_s, int group)
25 static int sme_check_sae_rejected_groups(struct wpa_supplicant *wpa_s,
26 const struct wpabuf *groups)
27 {
28- size_t i, count;
29+ size_t i, count, len;
30 const u8 *pos;
31
32 if (!groups)
33 return 0;
34
35 pos = wpabuf_head(groups);
36- count = wpabuf_len(groups) / 2;
37+ len = wpabuf_len(groups);
38+ if (len & 1) {
39+ wpa_printf(MSG_DEBUG,
40+ "SAE: Invalid length of the Rejected Groups element payload: %zu",
41+ len);
42+ return 1;
43+ }
44+ count = len / 2;
45 for (i = 0; i < count; i++) {
46 int enabled;
47 u16 group;
48--
492.30.2
50
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch
new file mode 100644
index 0000000000..5e9e8bc01d
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch
@@ -0,0 +1,38 @@
1From 9716bf1160beb677e965d9e6475d6c9e162e8374 Mon Sep 17 00:00:00 2001
2From: Jouni Malinen <j@w1.fi>
3Date: Tue, 9 Jul 2024 23:34:34 +0300
4Subject: [PATCH 3/3] SAE: Reject invalid Rejected Groups element in the parser
5
6There is no need to depend on all uses (i.e., both hostapd and
7wpa_supplicant) to verify that the length of the Rejected Groups field
8in the Rejected Groups element is valid (i.e., a multiple of two octets)
9since the common parser can reject the message when detecting this.
10
11Signed-off-by: Jouni Malinen <j@w1.fi>
12
13Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=9716bf1160beb677e965d9e6475d6c9e162e8374]
14Signed-off-by: Peter Marko <peter.marko@siemens.com>
15---
16 src/common/sae.c | 6 ++++++
17 1 file changed, 6 insertions(+)
18
19diff --git a/src/common/sae.c b/src/common/sae.c
20index c0f154e91..620bdf753 100644
21--- a/src/common/sae.c
22+++ b/src/common/sae.c
23@@ -2076,6 +2076,12 @@ static int sae_parse_rejected_groups(struct sae_data *sae,
24 return WLAN_STATUS_UNSPECIFIED_FAILURE;
25 epos++; /* skip ext ID */
26 len--;
27+ if (len & 1) {
28+ wpa_printf(MSG_DEBUG,
29+ "SAE: Invalid length of the Rejected Groups element payload: %u",
30+ len);
31+ return WLAN_STATUS_UNSPECIFIED_FAILURE;
32+ }
33
34 wpabuf_free(sae->tmp->peer_rejected_groups);
35 sae->tmp->peer_rejected_groups = wpabuf_alloc(len);
36--
372.30.2
38
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
index f5e9dce17c..459039d01e 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
@@ -35,6 +35,9 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
35 file://CVE-2024-3596_06.patch \ 35 file://CVE-2024-3596_06.patch \
36 file://CVE-2024-3596_07.patch \ 36 file://CVE-2024-3596_07.patch \
37 file://CVE-2024-3596_08.patch \ 37 file://CVE-2024-3596_08.patch \
38 file://0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch \
39 file://0002-SAE-Check-for-invalid-Rejected-Groups-element-length.patch \
40 file://0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch \
38 " 41 "
39SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f" 42SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f"
40 43