Fix CVE-2019-16275 (AP mode PMF disconnection protection bypass)
This commit is contained in:
John W. Linville
parent
51c18ab85b
commit
a5e2a251a7
@ -0,0 +1,73 @@
|
|||||||
|
From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jouni Malinen <j@w1.fi>
|
||||||
|
Date: Thu, 29 Aug 2019 11:52:04 +0300
|
||||||
|
Subject: [PATCH] AP: Silently ignore management frame from unexpected source
|
||||||
|
address
|
||||||
|
|
||||||
|
Do not process any received Management frames with unexpected/invalid SA
|
||||||
|
so that we do not add any state for unexpected STA addresses or end up
|
||||||
|
sending out frames to unexpected destination. This prevents unexpected
|
||||||
|
sequences where an unprotected frame might end up causing the AP to send
|
||||||
|
out a response to another device and that other device processing the
|
||||||
|
unexpected response.
|
||||||
|
|
||||||
|
In particular, this prevents some potential denial of service cases
|
||||||
|
where the unexpected response frame from the AP might result in a
|
||||||
|
connected station dropping its association.
|
||||||
|
|
||||||
|
Signed-off-by: Jouni Malinen <j@w1.fi>
|
||||||
|
---
|
||||||
|
src/ap/drv_callbacks.c | 13 +++++++++++++
|
||||||
|
src/ap/ieee802_11.c | 12 ++++++++++++
|
||||||
|
2 files changed, 25 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
|
||||||
|
index 31587685fe3b..34ca379edc3d 100644
|
||||||
|
--- a/src/ap/drv_callbacks.c
|
||||||
|
+++ b/src/ap/drv_callbacks.c
|
||||||
|
@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
|
||||||
|
"hostapd_notif_assoc: Skip event with no address");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ if (is_multicast_ether_addr(addr) ||
|
||||||
|
+ is_zero_ether_addr(addr) ||
|
||||||
|
+ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
|
||||||
|
+ /* Do not process any frames with unexpected/invalid SA so that
|
||||||
|
+ * we do not add any state for unexpected STA addresses or end
|
||||||
|
+ * up sending out frames to unexpected destination. */
|
||||||
|
+ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
|
||||||
|
+ " in received indication - ignore this indication silently",
|
||||||
|
+ __func__, MAC2STR(addr));
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
random_add_randomness(addr, ETH_ALEN);
|
||||||
|
|
||||||
|
hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
|
||||||
|
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
|
||||||
|
index c85a28db44b7..e7065372e158 100644
|
||||||
|
--- a/src/ap/ieee802_11.c
|
||||||
|
+++ b/src/ap/ieee802_11.c
|
||||||
|
@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
|
||||||
|
fc = le_to_host16(mgmt->frame_control);
|
||||||
|
stype = WLAN_FC_GET_STYPE(fc);
|
||||||
|
|
||||||
|
+ if (is_multicast_ether_addr(mgmt->sa) ||
|
||||||
|
+ is_zero_ether_addr(mgmt->sa) ||
|
||||||
|
+ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
|
||||||
|
+ /* Do not process any frames with unexpected/invalid SA so that
|
||||||
|
+ * we do not add any state for unexpected STA addresses or end
|
||||||
|
+ * up sending out frames to unexpected destination. */
|
||||||
|
+ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
|
||||||
|
+ " in received frame - ignore this frame silently",
|
||||||
|
+ MAC2STR(mgmt->sa));
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (stype == WLAN_FC_STYPE_BEACON) {
|
||||||
|
handle_beacon(hapd, mgmt, len, fi);
|
||||||
|
return 1;
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
||||||
10
hostapd.spec
10
hostapd.spec
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
Name: hostapd
|
Name: hostapd
|
||||||
Version: 2.9
|
Version: 2.9
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
Summary: IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
|
Summary: IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
|
||||||
License: BSD
|
License: BSD
|
||||||
URL: http://w1.fi/hostapd
|
URL: http://w1.fi/hostapd
|
||||||
@ -13,6 +13,9 @@ Source2: %{name}.conf
|
|||||||
Source3: %{name}.sysconfig
|
Source3: %{name}.sysconfig
|
||||||
Source4: %{name}.init
|
Source4: %{name}.init
|
||||||
|
|
||||||
|
# https://w1.fi/security/2019-7/ap-mode-pmf-disconnection-protection-bypass.txt
|
||||||
|
Patch1: https://w1.fi/security/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
|
||||||
|
|
||||||
BuildRequires: libnl3-devel
|
BuildRequires: libnl3-devel
|
||||||
BuildRequires: openssl-devel
|
BuildRequires: openssl-devel
|
||||||
BuildRequires: perl-generators
|
BuildRequires: perl-generators
|
||||||
@ -58,6 +61,8 @@ Logwatch scripts for hostapd.
|
|||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
|
|
||||||
|
%patch1 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
cd hostapd
|
cd hostapd
|
||||||
cat defconfig | sed \
|
cat defconfig | sed \
|
||||||
@ -177,6 +182,9 @@ fi
|
|||||||
%{_sysconfdir}/logwatch/scripts/services/%{name}
|
%{_sysconfdir}/logwatch/scripts/services/%{name}
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Oct 30 2019 John W. Linville <linville@redhat.com> - 2.9-2
|
||||||
|
- Fix CVE-2019-16275 (AP mode PMF disconnection protection bypass)
|
||||||
|
|
||||||
* Fri Aug 09 2019 John W. Linville <linville@redhat.com> - 2.9-1
|
* Fri Aug 09 2019 John W. Linville <linville@redhat.com> - 2.9-1
|
||||||
- Update to version 2.9 from upstream
|
- Update to version 2.9 from upstream
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user