| Andrew Geissler | 82c905d | 2020-04-13 13:39:40 -0500 | [diff] [blame] | 1 | From d86d66dc073bc21d3b12faf4112062ae00c1773f Mon Sep 17 00:00:00 2001 |
| 2 | From: Jouni Malinen <j@w1.fi> |
| 3 | Date: Thu, 29 Aug 2019 11:52:04 +0300 |
| 4 | Subject: AP: Silently ignore management frame from unexpected source |
| 5 | address |
| 6 | |
| 7 | Do not process any received Management frames with unexpected/invalid SA |
| 8 | so that we do not add any state for unexpected STA addresses or end up |
| 9 | sending out frames to unexpected destination. This prevents unexpected |
| 10 | sequences where an unprotected frame might end up causing the AP to send |
| 11 | out a response to another device and that other device processing the |
| 12 | unexpected response. |
| 13 | |
| 14 | In particular, this prevents some potential denial of service cases |
| 15 | where the unexpected response frame from the AP might result in a |
| 16 | connected station dropping its association. |
| 17 | |
| 18 | Upstream-Status: Accepted |
| 19 | CVE: CVE-2019-16275 |
| 20 | |
| 21 | Reference to upstream patch: |
| 22 | https://w1.fi/cgit/hostap/commit/?id=d86d66dc073bc21d3b12faf4112062ae00c1773f |
| 23 | |
| 24 | Signed-off-by: Jouni Malinen <j@w1.fi> |
| 25 | --- |
| 26 | src/ap/drv_callbacks.c | 13 +++++++++++++ |
| 27 | src/ap/ieee802_11.c | 12 ++++++++++++ |
| 28 | 2 files changed, 25 insertions(+) |
| 29 | |
| 30 | diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c |
| 31 | index 3158768..34ca379 100644 |
| 32 | --- a/src/ap/drv_callbacks.c |
| 33 | +++ b/src/ap/drv_callbacks.c |
| 34 | @@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr, |
| 35 | "hostapd_notif_assoc: Skip event with no address"); |
| 36 | return -1; |
| 37 | } |
| 38 | + |
| 39 | + if (is_multicast_ether_addr(addr) || |
| 40 | + is_zero_ether_addr(addr) || |
| 41 | + os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) { |
| 42 | + /* Do not process any frames with unexpected/invalid SA so that |
| 43 | + * we do not add any state for unexpected STA addresses or end |
| 44 | + * up sending out frames to unexpected destination. */ |
| 45 | + wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR |
| 46 | + " in received indication - ignore this indication silently", |
| 47 | + __func__, MAC2STR(addr)); |
| 48 | + return 0; |
| 49 | + } |
| 50 | + |
| 51 | random_add_randomness(addr, ETH_ALEN); |
| 52 | |
| 53 | hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211, |
| 54 | diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c |
| 55 | index c85a28d..2816812 100644 |
| 56 | --- a/src/ap/ieee802_11.c |
| 57 | +++ b/src/ap/ieee802_11.c |
| 58 | @@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, |
| 59 | fc = le_to_host16(mgmt->frame_control); |
| 60 | stype = WLAN_FC_GET_STYPE(fc); |
| 61 | |
| 62 | + if (is_multicast_ether_addr(mgmt->sa) || |
| 63 | + is_zero_ether_addr(mgmt->sa) || |
| 64 | + os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) { |
| 65 | + /* Do not process any frames with unexpected/invalid SA so that |
| 66 | + * we do not add any state for unexpected STA addresses or end |
| 67 | + * up sending out frames to unexpected destination. */ |
| 68 | + wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR |
| 69 | + " in received frame - ignore this frame silently", |
| 70 | + MAC2STR(mgmt->sa)); |
| 71 | + return 0; |
| 72 | + } |
| 73 | + |
| 74 | if (stype == WLAN_FC_STYPE_BEACON) { |
| 75 | handle_beacon(hapd, mgmt, len, fi); |
| 76 | return 1; |
| 77 | -- |
| 78 | 2.17.1 |
| 79 | |