openwrt/package/network/services/hostapd/patches/801-SAE-Check-for-invalid-Rejected-Groups-element-length.patch

From 593a7c2f8c93edd6b552f2d42e28164464b4e6ff Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Tue, 9 Jul 2024 23:33:38 +0300
Subject: [PATCH] SAE: Check for invalid Rejected Groups element length
 explicitly on STA

Instead of practically ignoring an odd octet at the end of the element,
check for such invalid case explicitly. This is needed to avoid a
potential group downgrade attack.

Fixes: 444d76f74f65 ("SAE: Check that peer's rejected groups are not enabled")
Signed-off-by: Jouni Malinen <j@w1.fi>
---
 wpa_supplicant/sme.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
@@ -1596,14 +1596,21 @@ static int sme_sae_is_group_enabled(stru
 static int sme_check_sae_rejected_groups(struct wpa_supplicant *wpa_s,
 					 const struct wpabuf *groups)
 {
-	size_t i, count;
+	size_t i, count, len;
 	const u8 *pos;
 
 	if (!groups)
 		return 0;
 
 	pos = wpabuf_head(groups);
-	count = wpabuf_len(groups) / 2;
+	len = wpabuf_len(groups);
+	if (len & 1) {
+		wpa_printf(MSG_DEBUG,
+			   "SAE: Invalid length of the Rejected Groups element payload: %zu",
+			   len);
+		return 1;
+	}
+	count = len / 2;
 	for (i = 0; i < count; i++) {
 		int enabled;
 		u16 group;
hostapd: fix SAE H2E security vulnerability This patch backports fixes for a security vulnerability impacting the hostapd implementation of SAE H2E. As upgrading hostapd would require more testing, the second mitigation step which involves backporting several patches was adopted as outlined in the official advisory[1]. An explanation of the impact of the vulnerability is provided from the advisory[1]: This vulnerability allows the attacker to downgrade the negotiated group to another enabled group if both the AP and STA have enabled SAE H2E and multiple groups. It should be noted that the H2E option is not enabled by default and the attack is not applicable to the default option, i.e., hunting-and-pecking, since it does not have any downgrade protection for group negotiation. In addition, the default configuration for enabled SAE groups in hostapd is to enable only a single group, so the vulnerability is not applicable unless hostapd has been explicitly configured to enable more groups for SAE. [1]: https://w1.fi/security/2024-2/sae-h2h-and-incomplete-downgrade-protection-for-group-negotiation.txt Signed-off-by: Rany Hany <rany_hany@riseup.net> Link: https://github.com/openwrt/openwrt/pull/16043 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit db7f70fe6140e99ae709c7bf2a25eb983cb725ed) 2024-07-31 17:16:55 +00:00			`From 593a7c2f8c93edd6b552f2d42e28164464b4e6ff Mon Sep 17 00:00:00 2001`
			`From: Jouni Malinen <j@w1.fi>`
			`Date: Tue, 9 Jul 2024 23:33:38 +0300`
			`Subject: [PATCH] SAE: Check for invalid Rejected Groups element length`
			`explicitly on STA`

			`Instead of practically ignoring an odd octet at the end of the element,`
			`check for such invalid case explicitly. This is needed to avoid a`
			`potential group downgrade attack.`

			`Fixes: 444d76f74f65 ("SAE: Check that peer's rejected groups are not enabled")`
			`Signed-off-by: Jouni Malinen <j@w1.fi>`
			`---`
			`wpa_supplicant/sme.c \| 11 +++++++++--`
			`1 file changed, 9 insertions(+), 2 deletions(-)`

			`--- a/wpa_supplicant/sme.c`
			`+++ b/wpa_supplicant/sme.c`
			`@@ -1596,14 +1596,21 @@ static int sme_sae_is_group_enabled(stru`
			`static int sme_check_sae_rejected_groups(struct wpa_supplicant *wpa_s,`
			`const struct wpabuf *groups)`
			`{`
			`- size_t i, count;`
			`+ size_t i, count, len;`
			`const u8 *pos;`

			`if (!groups)`
			`return 0;`

			`pos = wpabuf_head(groups);`
			`- count = wpabuf_len(groups) / 2;`
			`+ len = wpabuf_len(groups);`
			`+ if (len & 1) {`
			`+ wpa_printf(MSG_DEBUG,`
			`+ "SAE: Invalid length of the Rejected Groups element payload: %zu",`
			`+ len);`
			`+ return 1;`
			`+ }`
			`+ count = len / 2;`
			`for (i = 0; i < count; i++) {`
			`int enabled;`
			`u16 group;`