CVS commit: src/external/bsd/wpa/dist/src/ap

2019-09-12 Thread Christos Zoulas
Module Name:    src
Committed By:   christos
Date:   Thu Sep 12 23:46:11 UTC 2019

Modified Files:
src/external/bsd/wpa/dist/src/ap: drv_callbacks.c ieee802_11.c

Log Message:
[PATCH] AP: Silently ignore management frame from unexpected source address

Do not process any received Management frames with unexpected/invalid SA
so that we do not add any state for unexpected STA addresses or end up
sending out frames to unexpected destination. This prevents unexpected
sequences where an unprotected frame might end up causing the AP to send
out a response to another device and that other device processing the
unexpected response.

In particular, this prevents some potential denial of service cases
where the unexpected response frame from the AP might result in a
connected station dropping its association.

Signed-off-by: Jouni Malinen 


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/external/bsd/wpa/dist/src/ap/drv_callbacks.c
cvs rdiff -u -r1.3 -r1.4 src/external/bsd/wpa/dist/src/ap/ieee802_11.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/external/bsd/wpa/dist/src/ap/drv_callbacks.c
diff -u src/external/bsd/wpa/dist/src/ap/drv_callbacks.c:1.4 src/external/bsd/wpa/dist/src/ap/drv_callbacks.c:1.5
--- src/external/bsd/wpa/dist/src/ap/drv_callbacks.c:1.4	Fri Jan  4 16:22:20 2019
+++ src/external/bsd/wpa/dist/src/ap/drv_callbacks.c	Thu Sep 12 19:46:11 2019
@@ -129,6 +129,19 @@ int hostapd_notif_assoc(struct hostapd_d
 			   "hostapd_notif_assoc: Skip event with no address");
 		return -1;
 	}
+
+	if (is_multicast_ether_addr(addr) ||
+	is_zero_ether_addr(addr) ||
+	os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
+		/* Do not process any frames with unexpected/invalid SA so that
+		 * we do not add any state for unexpected STA addresses or end
+		 * up sending out frames to unexpected destination. */
+		wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
+			   " in received indication - ignore this indication silently",
+			   __func__, MAC2STR(addr));
+		return 0;
+	}
+
 	random_add_randomness(addr, ETH_ALEN);
 
 	hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
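
Review bot: the new invalid-SA branch in hostapd_notif_assoc() ends in `return 0;`, while the no-address check directly above it returns -1, so a caller cannot tell an ignored indication from one that was processed. If reporting success is deliberate (the debug message says the indication is ignored silently), say so in the comment next to the return; otherwise return -1 as the preceding check does.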

Index: src/external/bsd/wpa/dist/src/ap/ieee802_11.c
diff -u src/external/bsd/wpa/dist/src/ap/ieee802_11.c:1.3 src/external/bsd/wpa/dist/src/ap/ieee802_11.c:1.4
--- src/external/bsd/wpa/dist/src/ap/ieee802_11.c:1.3	Fri Jan  4 16:22:20 2019
+++ src/external/bsd/wpa/dist/src/ap/ieee802_11.c	Thu Sep 12 19:46:11 2019
@@ -3978,6 +3978,18 @@ int ieee802_11_mgmt(struct hostapd_data 
 	fc = le_to_host16(mgmt->frame_control);
 	stype = WLAN_FC_GET_STYPE(fc);
 
+	if (is_multicast_ether_addr(mgmt->sa) ||
+	is_zero_ether_addr(mgmt->sa) ||
+	os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
+		/* Do not process any frames with unexpected/invalid SA so that
+		 * we do not add any state for unexpected STA addresses or end
+		 * up sending out frames to unexpected destination. */
+		wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
+			   " in received frame - ignore this frame silently",
+			   MAC2STR(mgmt->sa));
+		return 0;
+	}
+
 	if (stype == WLAN_FC_STYPE_BEACON) {
 		handle_beacon(hapd, mgmt, len, fi);
 		return 1;
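
Review bot: the three-part source-address test at the top of this hunk (multicast, all-zero, equal to hapd->own_addr) is the same test that is added to hostapd_notif_assoc() in drv_callbacks.c; move it into one shared helper so the two paths cannot drift apart. It also sits ahead of the `stype == WLAN_FC_STYPE_BEACON` branch, so Beacon frames with such an SA are dropped as well, and the comment should state that this is intended.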



CVS commit: src/external/bsd/wpa/dist/src/ap

2015-05-09 Thread Christos Zoulas
Module Name:    src
Committed By:   christos
Date:   Sat May  9 19:35:15 UTC 2015

Modified Files:
src/external/bsd/wpa/dist/src/ap: wmm.c

Log Message:
The length of the WMM Action frame was not properly validated and the
length of the information elements (int left) could end up being
negative. This would result in reading significantly past the stack
buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
so, resulting in segmentation fault.

This can result in an invalid frame being used for a denial of service
attack (hostapd process killed) against an AP with a driver that uses
hostapd for management frame processing (e.g., all mac80211-based
drivers).

Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.

XXX: pullup-7


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.4 -r1.2 src/external/bsd/wpa/dist/src/ap/wmm.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/wpa/dist/src/ap/wmm.c
diff -u src/external/bsd/wpa/dist/src/ap/wmm.c:1.1.1.4 src/external/bsd/wpa/dist/src/ap/wmm.c:1.2
--- src/external/bsd/wpa/dist/src/ap/wmm.c:1.1.1.4	Thu Oct 16 15:16:06 2014
+++ src/external/bsd/wpa/dist/src/ap/wmm.c	Sat May  9 15:35:15 2015
@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_d
 		return;
 	}
 
+	if (left  0)
+		return; /* not a valid WMM Action frame */
+
 	/* extract the tspec info element */
 	if (ieee802_11_parse_elems(pos, left, elems, 1) == ParseFailed) {
 		hostapd_logger(hapd, mgmt-sa, HOSTAPD_MODULE_IEEE80211,
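
Review bot: the added early return on `left` in hostapd_wmm_action() discards the malformed frame with no log output, while the ieee802_11_parse_elems() failure branch just below reports through hostapd_logger(). Add a debug-level message before the `return` so that a stream of invalid WMM Action frames is visible to an operator. It would also be clearer to validate the frame length before `left` is computed, so that the signed value never goes negative in the first place.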



CVS commit: src/external/bsd/wpa/dist/src/ap

2015-03-07 Thread Christos Zoulas
Module Name:    src
Committed By:   christos
Date:   Sat Mar  7 22:31:24 UTC 2015

Modified Files:
src/external/bsd/wpa/dist/src/ap: ap_drv_ops.c

Log Message:
prevent coredump from the distributed config file.
XXX: pullup-7


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.4 -r1.2 src/external/bsd/wpa/dist/src/ap/ap_drv_ops.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/external/bsd/wpa/dist/src/ap/ap_drv_ops.c
diff -u src/external/bsd/wpa/dist/src/ap/ap_drv_ops.c:1.1.1.4 src/external/bsd/wpa/dist/src/ap/ap_drv_ops.c:1.2
--- src/external/bsd/wpa/dist/src/ap/ap_drv_ops.c:1.1.1.4	Thu Oct 16 15:16:05 2014
+++ src/external/bsd/wpa/dist/src/ap/ap_drv_ops.c	Sat Mar  7 17:31:24 2015
@@ -569,7 +569,8 @@ int hostapd_set_freq(struct hostapd_data
 {
 	struct hostapd_freq_params data;
 
-	if (hostapd_set_freq_params(data, mode, freq, channel, ht_enabled,
+	if (hapd-iface-current_mode 
+	hostapd_set_freq_params(data, mode, freq, channel, ht_enabled,
 vht_enabled, sec_channel_offset,
 vht_oper_chwidth,
 center_segment0, center_segment1,
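
Review bot: with the current_mode test folded into the condition in hostapd_set_freq(), an unset current_mode skips hostapd_set_freq_params() altogether, and `struct hostapd_freq_params data` declared above has no initializer. Any code after this `if` that reads `data` then sees indeterminate contents. Either zero-initialize `data` at its declaration or test current_mode separately and return an error when it is not set.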
@@ -765,7 +766,8 @@ int hostapd_start_dfs_cac(struct hostapd
 		return -1;
 	}
 
-	if (hostapd_set_freq_params(data, mode, freq, channel, ht_enabled,
+	if (iface-current_mode 
+	hostapd_set_freq_params(data, mode, freq, channel, ht_enabled,
 vht_enabled, sec_channel_offset,
 vht_oper_chwidth, center_segment0,
 center_segment1,
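
Review bot: in hostapd_start_dfs_cac() the combined condition gives the same result for an unset iface->current_mode as for a hostapd_set_freq_params() call that returns 0, so the function carries on past this point without a mode. The check just above fails with `return -1;`; a separate test of current_mode that logs and returns -1 would make the failure explicit and would read more clearly than the two-line condition.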



CVS commit: src/external/bsd/wpa/dist/src/ap

2011-02-27 Thread Iain Hibbert
Module Name:    src
Committed By:   plunky
Date:   Sun Feb 27 18:07:43 UTC 2011

Modified Files:
src/external/bsd/wpa/dist/src/ap: wpa_auth.c

Log Message:
avoid preprocessor directives in macro arguments

has been committed upstream at


http://hostap.epitest.fi/gitweb/gitweb.cgi?p=hostap.git;a=blobdiff;f=src/ap/wpa_auth.c;h=7ad60a23d999082a00e9be672d4b55a19c46a4bb;hp=13e8ec43895a67d6d825b5c2a199499232dbafcb;hb=8ce58ceb250f101ee66682a4149cc652a30a74da;hpb=73304dbf65c3da859b1c51e6be32457e9ec9932d


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r1.2 src/external/bsd/wpa/dist/src/ap/wpa_auth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/wpa/dist/src/ap/wpa_auth.c
diff -u src/external/bsd/wpa/dist/src/ap/wpa_auth.c:1.1.1.1 src/external/bsd/wpa/dist/src/ap/wpa_auth.c:1.2
--- src/external/bsd/wpa/dist/src/ap/wpa_auth.c:1.1.1.1	Wed Aug  4 10:18:00 2010
+++ src/external/bsd/wpa/dist/src/ap/wpa_auth.c	Sun Feb 27 18:07:42 2011
@@ -2327,19 +2327,21 @@
 {
 	int len = 0, ret;
 	char pmkid_txt[PMKID_LEN * 2 + 1];
+#ifdef CONFIG_RSN_PREAUTH
+	const int preauth = 1;
+#else /* CONFIG_RSN_PREAUTH */
+	const int preauth = 0;
+#endif /* CONFIG_RSN_PREAUTH */
 
 	if (wpa_auth == NULL)
 		return len;
 
 	ret = os_snprintf(buf + len, buflen - len,
 			  dot11RSNAOptionImplemented=TRUE\n
-#ifdef CONFIG_RSN_PREAUTH
-			  dot11RSNAPreauthenticationImplemented=TRUE\n
-#else /* CONFIG_RSN_PREAUTH */
-			  dot11RSNAPreauthenticationImplemented=FALSE\n
-#endif /* CONFIG_RSN_PREAUTH */
+			  dot11RSNAPreauthenticationImplemented=%s\n
 			  dot11RSNAEnabled=%s\n
 			  dot11RSNAPreauthenticationEnabled=%s\n,
+			  wpa_bool_txt(preauth),
 			  wpa_bool_txt(wpa_auth-conf.wpa  WPA_PROTO_RSN),
 			  wpa_bool_txt(wpa_auth-conf.rsn_preauth));
 	if (ret  0 || (size_t) ret = buflen - len)
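
Review bot: nothing at the new `preauth` declaration says why the CONFIG_RSN_PREAUTH conditional was moved out of the os_snprintf() argument list, so a later cleanup could fold it back in. A one-line comment there, stating that preprocessor directives must not appear inside the arguments because os_snprintf may be a macro, would keep the reason given in the log message next to the code.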