hostapd: Fix AP mode PMF disconnection protection bypass

This fixes
* CVE-2019-16275 AP mode PMF disconnection protection bypass
https://w1.fi/security/2019-7/ap-mode-pmf-disconnection-protection-bypass.txt

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This commit is contained in:
Hauke Mehrtens 2019-09-20 22:20:16 +02:00
parent 3819c1638a
commit a6981604b3
4 changed files with 72 additions and 6 deletions

View File

@ -0,0 +1,66 @@
From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Thu, 29 Aug 2019 11:52:04 +0300
Subject: [PATCH] AP: Silently ignore management frame from unexpected source
address
Do not process any received Management frames with unexpected/invalid SA
so that we do not add any state for unexpected STA addresses or end up
sending out frames to unexpected destination. This prevents unexpected
sequences where an unprotected frame might end up causing the AP to send
out a response to another device and that other device processing the
unexpected response.
In particular, this prevents some potential denial of service cases
where the unexpected response frame from the AP might result in a
connected station dropping its association.
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/ap/drv_callbacks.c | 13 +++++++++++++
src/ap/ieee802_11.c | 12 ++++++++++++
2 files changed, 25 insertions(+)
--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
@@ -129,6 +129,19 @@ int hostapd_notif_assoc(struct hostapd_d
"hostapd_notif_assoc: Skip event with no address");
return -1;
}
+
+ if (is_multicast_ether_addr(addr) ||
+ is_zero_ether_addr(addr) ||
+ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
+ /* Do not process any frames with unexpected/invalid SA so that
+ * we do not add any state for unexpected STA addresses or end
+ * up sending out frames to unexpected destination. */
+ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
+ " in received indication - ignore this indication silently",
+ __func__, MAC2STR(addr));
+ return 0;
+ }
+
random_add_randomness(addr, ETH_ALEN);
hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -3978,6 +3978,18 @@ int ieee802_11_mgmt(struct hostapd_data
fc = le_to_host16(mgmt->frame_control);
stype = WLAN_FC_GET_STYPE(fc);
+ if (is_multicast_ether_addr(mgmt->sa) ||
+ is_zero_ether_addr(mgmt->sa) ||
+ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
+ /* Do not process any frames with unexpected/invalid SA so that
+ * we do not add any state for unexpected STA addresses or end
+ * up sending out frames to unexpected destination. */
+ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
+ " in received frame - ignore this frame silently",
+ MAC2STR(mgmt->sa));
+ return 0;
+ }
+
if (stype == WLAN_FC_STYPE_BEACON) {
handle_beacon(hapd, mgmt, len, fi);
return 1;

View File

@ -178,7 +178,7 @@
/*
--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
@@ -1527,8 +1527,8 @@ static void hostapd_event_wds_sta_interf
@@ -1540,8 +1540,8 @@ static void hostapd_event_wds_sta_interf
}
@ -189,7 +189,7 @@
{
struct hostapd_data *hapd = ctx;
#ifndef CONFIG_NO_STDOUT_DEBUG
@@ -1757,7 +1757,7 @@ void wpa_supplicant_event(void *ctx, enu
@@ -1770,7 +1770,7 @@ void wpa_supplicant_event(void *ctx, enu
}

View File

@ -191,7 +191,7 @@ Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
#ifdef CONFIG_P2P
if (sta && sta->p2p_ie && hapd->p2p_group) {
struct wpabuf *p2p_resp_ie;
@@ -4236,7 +4311,7 @@ static void handle_assoc_cb(struct hosta
@@ -4248,7 +4323,7 @@ static void handle_assoc_cb(struct hosta
sta->flags |= WLAN_STA_WDS;
}

View File

@ -193,7 +193,7 @@
sta = ap_get_sta(hapd, mgmt->sa);
if (sta == NULL) {
wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
@@ -4077,7 +4106,7 @@ int ieee802_11_mgmt(struct hostapd_data
@@ -4089,7 +4118,7 @@ int ieee802_11_mgmt(struct hostapd_data
if (stype == WLAN_FC_STYPE_PROBE_REQ) {
@ -202,7 +202,7 @@
return 1;
}
@@ -4097,17 +4126,17 @@ int ieee802_11_mgmt(struct hostapd_data
@@ -4109,17 +4138,17 @@ int ieee802_11_mgmt(struct hostapd_data
switch (stype) {
case WLAN_FC_STYPE_AUTH:
wpa_printf(MSG_DEBUG, "mgmt::auth");
@ -292,7 +292,7 @@
if (addr == NULL) {
/*
@@ -195,6 +199,12 @@ int hostapd_notif_assoc(struct hostapd_d
@@ -208,6 +212,12 @@ int hostapd_notif_assoc(struct hostapd_d
goto fail;
}