mirror of
https://github.com/openwrt/openwrt.git
synced 2025-01-11 23:42:57 +00:00
63c17142c8
Fixes:
- CERT case ID: VU#228519
- CVE-2017-13077
- CVE-2017-13078
- CVE-2017-13079
- CVE-2017-13080
- CVE-2017-13081
- CVE-2017-13082
- CVE-2017-13086
- CVE-2017-13087
- CVE-2017-13088
For more information see:
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
Backport of bbda81ce30
Signed-off-by: Felix Fietkau <nbd@nbd.name>
69 lines
2.1 KiB
Diff
69 lines
2.1 KiB
Diff
From: Jouni Malinen <j@w1.fi>
|
|
Date: Fri, 22 Sep 2017 12:06:37 +0300
|
|
Subject: [PATCH] FT: Do not allow multiple Reassociation Response frames
|
|
|
|
The driver is expected to not report a second association event without
|
|
the station having explicitly request a new association. As such, this
|
|
case should not be reachable. However, since reconfiguring the same
|
|
pairwise or group keys to the driver could result in nonce reuse issues,
|
|
be extra careful here and do an additional state check to avoid this
|
|
even if the local driver ends up somehow accepting an unexpected
|
|
Reassociation Response frame.
|
|
|
|
Signed-off-by: Jouni Malinen <j@w1.fi>
|
|
---
|
|
|
|
--- a/src/rsn_supp/wpa.c
|
|
+++ b/src/rsn_supp/wpa.c
|
|
@@ -2568,6 +2568,9 @@ void wpa_sm_notify_assoc(struct wpa_sm *
|
|
#ifdef CONFIG_TDLS
|
|
wpa_tdls_assoc(sm);
|
|
#endif /* CONFIG_TDLS */
|
|
+#ifdef CONFIG_IEEE80211R
|
|
+ sm->ft_reassoc_completed = 0;
|
|
+#endif /* CONFIG_IEEE80211R */
|
|
|
|
#ifdef CONFIG_P2P
|
|
os_memset(sm->p2p_ip_addr, 0, sizeof(sm->p2p_ip_addr));
|
|
--- a/src/rsn_supp/wpa_ft.c
|
|
+++ b/src/rsn_supp/wpa_ft.c
|
|
@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wp
|
|
u16 capab;
|
|
|
|
sm->ft_completed = 0;
|
|
+ sm->ft_reassoc_completed = 0;
|
|
|
|
buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
|
|
2 + sm->r0kh_id_len + ric_ies_len + 100;
|
|
@@ -681,6 +682,11 @@ int wpa_ft_validate_reassoc_resp(struct
|
|
return -1;
|
|
}
|
|
|
|
+ if (sm->ft_reassoc_completed) {
|
|
+ wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission");
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
|
|
wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
|
|
return -1;
|
|
@@ -781,6 +787,8 @@ int wpa_ft_validate_reassoc_resp(struct
|
|
return -1;
|
|
}
|
|
|
|
+ sm->ft_reassoc_completed = 1;
|
|
+
|
|
if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0)
|
|
return -1;
|
|
|
|
--- a/src/rsn_supp/wpa_i.h
|
|
+++ b/src/rsn_supp/wpa_i.h
|
|
@@ -128,6 +128,7 @@ struct wpa_sm {
|
|
size_t r0kh_id_len;
|
|
u8 r1kh_id[FT_R1KH_ID_LEN];
|
|
int ft_completed;
|
|
+ int ft_reassoc_completed;
|
|
int over_the_ds_in_progress;
|
|
u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */
|
|
int set_ptk_after_assoc;
|