From b38e3feeab3ad2e4aa95d1b5a1cd5863185280c0 Mon Sep 17 00:00:00 2001 From: Max Rees Date: Tue, 17 Sep 2019 14:15:45 -0500 Subject: user/wpa_supplicant: patch CVE-2019-16275 --- user/wpa_supplicant/APKBUILD | 6 ++- user/wpa_supplicant/CVE-2019-16275.patch | 73 ++++++++++++++++++++++++++++++++ 2 files changed, 78 insertions(+), 1 deletion(-) create mode 100644 user/wpa_supplicant/CVE-2019-16275.patch (limited to 'user') diff --git a/user/wpa_supplicant/APKBUILD b/user/wpa_supplicant/APKBUILD index 5d1a35b4e..dbd22b8c7 100644 --- a/user/wpa_supplicant/APKBUILD +++ b/user/wpa_supplicant/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: A. Wilcox pkgname=wpa_supplicant pkgver=2.9 -pkgrel=0 +pkgrel=1 pkgdesc="Utility providing key negotiation for WPA wireless networks" url="https://w1.fi/wpa_supplicant/" arch="all" @@ -17,6 +17,7 @@ source="https://w1.fi/releases/$pkgname-$pkgver.tar.gz wpa_supplicant.conf dbus.patch eloop.patch + CVE-2019-16275.patch config wpa_cli.sh" @@ -32,6 +33,8 @@ source="https://w1.fi/releases/$pkgname-$pkgver.tar.gz # - CVE-2017-13086 # - CVE-2017-13087 # - CVE-2017-13088 +# 2.9-r1: +# - CVE-2019-16275 prepare() { default_prepare @@ -104,5 +107,6 @@ sha512sums="37a33f22cab9d27084fbef29856eaea0f692ff339c5b38bd32402dccf293cb849afd f8b224b6c5a8adf378d8224beb49f2a99817d303f7e6a724943ecb3313ae85ce0fdd8291a20c95563470681ebf5d991ffa31094b9171e470e9690b38bba25738 wpa_supplicant.conf dac56bc505a51167042ebe548f0e81a20a5578f753af9bb7ec3335a542d799c6e8739681ef7c8f7747a9bc954f8aa6f1a147250eacba17fd7fff80c4e53638ed dbus.patch 2be055dd1f7da5a3d8e79c2f2c0220ddd31df309452da18f290144d2112d6dbde0fc633bb2ad02c386a39d7785323acaf5f70e5969995a1e8303a094eb5fe232 eloop.patch +63710cfb0992f2c346a9807d8c97cbeaed032fa376a0e93a2e56f7742ce515e9c4dfadbdb1af03ba272281f639aab832f0178f67634c222a5d99e1d462aa9e38 CVE-2019-16275.patch 221660fa0350442a7d8371686b2118861052a4613fb352b7f80079e3750b82f4e48efc378b9d617455007d1106552b695fdca506a3c338283986641f3848b202 config 45d3e70c47d0f7d6dc6730853af8cbcb40ed0713ee7b1069698f5a635939f273f66e72d4221e064c3c71a92154cf07841c8c0d4fc14d796dbb6fe0d92776ee2b wpa_cli.sh" diff --git a/user/wpa_supplicant/CVE-2019-16275.patch b/user/wpa_supplicant/CVE-2019-16275.patch new file mode 100644 index 000000000..d764a9db0 --- /dev/null +++ b/user/wpa_supplicant/CVE-2019-16275.patch @@ -0,0 +1,73 @@ +From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Thu, 29 Aug 2019 11:52:04 +0300 +Subject: [PATCH] AP: Silently ignore management frame from unexpected source + address + +Do not process any received Management frames with unexpected/invalid SA +so that we do not add any state for unexpected STA addresses or end up +sending out frames to unexpected destination. This prevents unexpected +sequences where an unprotected frame might end up causing the AP to send +out a response to another device and that other device processing the +unexpected response. + +In particular, this prevents some potential denial of service cases +where the unexpected response frame from the AP might result in a +connected station dropping its association. + +Signed-off-by: Jouni Malinen +--- + src/ap/drv_callbacks.c | 13 +++++++++++++ + src/ap/ieee802_11.c | 12 ++++++++++++ + 2 files changed, 25 insertions(+) + +diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c +index 31587685fe3b..34ca379edc3d 100644 +--- a/src/ap/drv_callbacks.c ++++ b/src/ap/drv_callbacks.c +@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr, + "hostapd_notif_assoc: Skip event with no address"); + return -1; + } ++ ++ if (is_multicast_ether_addr(addr) || ++ is_zero_ether_addr(addr) || ++ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) { ++ /* Do not process any frames with unexpected/invalid SA so that ++ * we do not add any state for unexpected STA addresses or end ++ * up sending out frames to unexpected destination. */ ++ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR ++ " in received indication - ignore this indication silently", ++ __func__, MAC2STR(addr)); ++ return 0; ++ } ++ + random_add_randomness(addr, ETH_ALEN); + + hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211, +diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c +index c85a28db44b7..e7065372e158 100644 +--- a/src/ap/ieee802_11.c ++++ b/src/ap/ieee802_11.c +@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, + fc = le_to_host16(mgmt->frame_control); + stype = WLAN_FC_GET_STYPE(fc); + ++ if (is_multicast_ether_addr(mgmt->sa) || ++ is_zero_ether_addr(mgmt->sa) || ++ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) { ++ /* Do not process any frames with unexpected/invalid SA so that ++ * we do not add any state for unexpected STA addresses or end ++ * up sending out frames to unexpected destination. */ ++ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR ++ " in received frame - ignore this frame silently", ++ MAC2STR(mgmt->sa)); ++ return 0; ++ } ++ + if (stype == WLAN_FC_STYPE_BEACON) { + handle_beacon(hapd, mgmt, len, fi); + return 1; +-- +2.20.1 + -- cgit v1.2.3-60-g2f50