From 1c7d6584a7811b7785ae5c1e378f14b5ba0971cf Mon Sep 17 00:00:00 2001 From: takeshi_hoshina Date: Mon, 2 Nov 2020 11:07:33 +0900 Subject: basesystem-jj recipes --- .../hostapd/hostapd/CVE-2019-16275.patch | 79 ++++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 external/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-16275.patch (limited to 'external/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-16275.patch') diff --git a/external/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-16275.patch b/external/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-16275.patch new file mode 100644 index 00000000..9cefd4f2 --- /dev/null +++ b/external/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-16275.patch @@ -0,0 +1,79 @@ +From d86d66dc073bc21d3b12faf4112062ae00c1773f Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Thu, 29 Aug 2019 11:52:04 +0300 +Subject: AP: Silently ignore management frame from unexpected source +address + +Do not process any received Management frames with unexpected/invalid SA +so that we do not add any state for unexpected STA addresses or end up +sending out frames to unexpected destination. This prevents unexpected +sequences where an unprotected frame might end up causing the AP to send +out a response to another device and that other device processing the +unexpected response. + +In particular, this prevents some potential denial of service cases +where the unexpected response frame from the AP might result in a +connected station dropping its association. + +Upstream-Status: Accepted +CVE: CVE-2019-16275 + +Reference to upstream patch: +https://w1.fi/cgit/hostap/commit/?id=d86d66dc073bc21d3b12faf4112062ae00c1773f + +Signed-off-by: Jouni Malinen +--- + src/ap/drv_callbacks.c | 13 +++++++++++++ + src/ap/ieee802_11.c | 12 ++++++++++++ + 2 files changed, 25 insertions(+) + +diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c +index 3158768..34ca379 100644 +--- a/src/ap/drv_callbacks.c ++++ b/src/ap/drv_callbacks.c +@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr, + "hostapd_notif_assoc: Skip event with no address"); + return -1; + } ++ ++ if (is_multicast_ether_addr(addr) || ++ is_zero_ether_addr(addr) || ++ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) { ++ /* Do not process any frames with unexpected/invalid SA so that ++ * we do not add any state for unexpected STA addresses or end ++ * up sending out frames to unexpected destination. */ ++ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR ++ " in received indication - ignore this indication silently", ++ __func__, MAC2STR(addr)); ++ return 0; ++ } ++ + random_add_randomness(addr, ETH_ALEN); + + hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211, +diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c +index c85a28d..2816812 100644 +--- a/src/ap/ieee802_11.c ++++ b/src/ap/ieee802_11.c +@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, + fc = le_to_host16(mgmt->frame_control); + stype = WLAN_FC_GET_STYPE(fc); + ++ if (is_multicast_ether_addr(mgmt->sa) || ++ is_zero_ether_addr(mgmt->sa) || ++ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) { ++ /* Do not process any frames with unexpected/invalid SA so that ++ * we do not add any state for unexpected STA addresses or end ++ * up sending out frames to unexpected destination. */ ++ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR ++ " in received frame - ignore this frame silently", ++ MAC2STR(mgmt->sa)); ++ return 0; ++ } ++ + if (stype == WLAN_FC_STYPE_BEACON) { + handle_beacon(hapd, mgmt, len, fi); + return 1; +-- +2.17.1 + -- cgit 1.2.3-korg