From 6c40914c0c637ee27ab513e734ef63e5a532cdb1 Mon Sep 17 00:00:00 2001
From: Felix Fietkau <nbd@openwrt.org>
Date: Sun, 10 Jan 2016 17:03:37 +0000
Subject: hostapd: fix post v2.4 security issues

- WPS: Fix HTTP chunked transfer encoding parser (CVE-2015-4141)
- EAP-pwd peer: Fix payload length validation for Commit and Confirm
  (CVE-2015-4143)
- EAP-pwd server: Fix payload length validation for Commit and Confirm
  (CVE-2015-4143)
- EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
  (CVE-2015-4144, CVE-2015-4145)
- EAP-pwd server: Fix Total-Length parsing for fragment reassembly
  (CVE-2015-4144, CVE-2015-4145)
- EAP-pwd peer: Fix asymmetric fragmentation behavior (CVE-2015-4146)
- NFC: Fix payload length validation in NDEF record parser (CVE-2015-8041)
- WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in use
  (CVE-2015-5310)
- EAP-pwd peer: Fix last fragment length validation (CVE-2015-5315)
- EAP-pwd server: Fix last fragment length validation (CVE-2015-5314)
- EAP-pwd peer: Fix error path for unexpected Confirm message (CVE-2015-5316)

Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>

SVN-Revision: 48185
---
 ...Key-Data-in-WNM-Sleep-Mode-Response-frame.patch | 32 ++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 package/network/services/hostapd/patches/010-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch

(limited to 'package/network/services/hostapd/patches/010-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch')

diff --git a/package/network/services/hostapd/patches/010-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch b/package/network/services/hostapd/patches/010-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch
new file mode 100644
index 0000000..00e5b7c
--- /dev/null
+++ b/package/network/services/hostapd/patches/010-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch
@@ -0,0 +1,32 @@
+From 6b12d93d2c7428a34bfd4b3813ba339ed57b698a Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 25 Oct 2015 15:45:50 +0200
+Subject: [PATCH] WNM: Ignore Key Data in WNM Sleep Mode Response frame if no
+ PMF in use
+
+WNM Sleep Mode Response frame is used to update GTK/IGTK only if PMF is
+enabled. Verify that PMF is in use before using this field on station
+side to avoid accepting unauthenticated key updates. (CVE-2015-5310)
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ wpa_supplicant/wnm_sta.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
+index 954de67..7d79499 100644
+--- a/wpa_supplicant/wnm_sta.c
++++ b/wpa_supplicant/wnm_sta.c
+@@ -187,6 +187,12 @@ static void wnm_sleep_mode_exit_success(struct wpa_supplicant *wpa_s,
+ 	end = ptr + key_len_total;
+ 	wpa_hexdump_key(MSG_DEBUG, "WNM: Key Data", ptr, key_len_total);
+ 
++	if (key_len_total && !wpa_sm_pmf_enabled(wpa_s->wpa)) {
++		wpa_msg(wpa_s, MSG_INFO,
++			"WNM: Ignore Key Data in WNM-Sleep Mode Response - PMF not enabled");
++		return;
++	}
++
+ 	while (ptr + 1 < end) {
+ 		if (ptr + 2 + ptr[1] > end) {
+ 			wpa_printf(MSG_DEBUG, "WNM: Invalid Key Data element "
-- 
cgit v1.1