diff options
| author | Felix Fietkau <nbd@openwrt.org> | 2016-01-10 17:03:37 +0000 |
|---|---|---|
| committer | Felix Fietkau <nbd@openwrt.org> | 2016-01-10 17:03:37 +0000 |
| commit | 6c40914c0c637ee27ab513e734ef63e5a532cdb1 (patch) | |
| tree | 6f122326eb20bcf29a07fb4b613cd007a724f20b /package/network/services/hostapd/patches/010-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch | |
| parent | a960fcef292c805b1d7a8fe8a9f6995ca7f4931b (diff) | |
| download | mtk-20170518-6c40914c0c637ee27ab513e734ef63e5a532cdb1.zip mtk-20170518-6c40914c0c637ee27ab513e734ef63e5a532cdb1.tar.gz mtk-20170518-6c40914c0c637ee27ab513e734ef63e5a532cdb1.tar.bz2 | |
hostapd: fix post v2.4 security issues
- WPS: Fix HTTP chunked transfer encoding parser (CVE-2015-4141)
- EAP-pwd peer: Fix payload length validation for Commit and Confirm
(CVE-2015-4143)
- EAP-pwd server: Fix payload length validation for Commit and Confirm
(CVE-2015-4143)
- EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
(CVE-2015-4144, CVE-2015-4145)
- EAP-pwd server: Fix Total-Length parsing for fragment reassembly
(CVE-2015-4144, CVE-2015-4145)
- EAP-pwd peer: Fix asymmetric fragmentation behavior (CVE-2015-4146)
- NFC: Fix payload length validation in NDEF record parser (CVE-2015-8041)
- WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in use
(CVE-2015-5310)
- EAP-pwd peer: Fix last fragment length validation (CVE-2015-5315)
- EAP-pwd server: Fix last fragment length validation (CVE-2015-5314)
- EAP-pwd peer: Fix error path for unexpected Confirm message (CVE-2015-5316)
Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
SVN-Revision: 48185
Diffstat (limited to 'package/network/services/hostapd/patches/010-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch')
| -rw-r--r-- | package/network/services/hostapd/patches/010-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/package/network/services/hostapd/patches/010-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch b/package/network/services/hostapd/patches/010-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch new file mode 100644 index 0000000..00e5b7c --- /dev/null +++ b/package/network/services/hostapd/patches/010-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch @@ -0,0 +1,32 @@ +From 6b12d93d2c7428a34bfd4b3813ba339ed57b698a Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Sun, 25 Oct 2015 15:45:50 +0200 +Subject: [PATCH] WNM: Ignore Key Data in WNM Sleep Mode Response frame if no + PMF in use + +WNM Sleep Mode Response frame is used to update GTK/IGTK only if PMF is +enabled. Verify that PMF is in use before using this field on station +side to avoid accepting unauthenticated key updates. (CVE-2015-5310) + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + wpa_supplicant/wnm_sta.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c +index 954de67..7d79499 100644 +--- a/wpa_supplicant/wnm_sta.c ++++ b/wpa_supplicant/wnm_sta.c +@@ -187,6 +187,12 @@ static void wnm_sleep_mode_exit_success(struct wpa_supplicant *wpa_s, + end = ptr + key_len_total; + wpa_hexdump_key(MSG_DEBUG, "WNM: Key Data", ptr, key_len_total); + ++ if (key_len_total && !wpa_sm_pmf_enabled(wpa_s->wpa)) { ++ wpa_msg(wpa_s, MSG_INFO, ++ "WNM: Ignore Key Data in WNM-Sleep Mode Response - PMF not enabled"); ++ return; ++ } ++ + while (ptr + 1 < end) { + if (ptr + 2 + ptr[1] > end) { + wpa_printf(MSG_DEBUG, "WNM: Invalid Key Data element " |