hostapd: fix post v2.4 security issues
diff --git a/package/network/services/hostapd/patches/010-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch b/package/network/services/hostapd/patches/010-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch
new file mode 100644 (file)
index 0000000..00e5b7c
--- /dev/null
@@ -0,0 +1,32 @@
+From 6b12d93d2c7428a34bfd4b3813ba339ed57b698a Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 25 Oct 2015 15:45:50 +0200
+Subject: [PATCH] WNM: Ignore Key Data in WNM Sleep Mode Response frame if no
+ PMF in use
+
+WNM Sleep Mode Response frame is used to update GTK/IGTK only if PMF is
+enabled. Verify that PMF is in use before using this field on station
+side to avoid accepting unauthenticated key updates. (CVE-2015-5310)
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ wpa_supplicant/wnm_sta.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
+index 954de67..7d79499 100644
+--- a/wpa_supplicant/wnm_sta.c
++++ b/wpa_supplicant/wnm_sta.c
+@@ -187,6 +187,12 @@ static void wnm_sleep_mode_exit_success(struct wpa_supplicant *wpa_s,
+       end = ptr + key_len_total;
+       wpa_hexdump_key(MSG_DEBUG, "WNM: Key Data", ptr, key_len_total);
++      if (key_len_total && !wpa_sm_pmf_enabled(wpa_s->wpa)) {
++              wpa_msg(wpa_s, MSG_INFO,
++                      "WNM: Ignore Key Data in WNM-Sleep Mode Response - PMF not enabled");
++              return;
++      }
++
+       while (ptr + 1 < end) {
+               if (ptr + 2 + ptr[1] > end) {
+                       wpa_printf(MSG_DEBUG, "WNM: Invalid Key Data element "
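Review bot: The new PMF guard in wnm_sleep_mode_exit_success() carries no comment saying why Key Data is dropped, so the reason lives only in the commit message. Something like `/* Without PMF the GTK/IGTK in this frame would be an unauthenticated key update (CVE-2015-5310) */` above the `if (key_len_total && !wpa_sm_pmf_enabled(wpa_s->wpa))` line would keep it from being relaxed later. Each rejected frame is reported through wpa_msg() at MSG_INFO, which is a useful detection signal for forged or misbehaving responses. No rate limit is visible in the hunk, though, so a peer repeating such frames can presumably fill the log. The function starts and ends outside the hunk, so whether the early `return` skips any later state handling cannot be confirmed from here.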