mirror of
https://github.com/openwrt/openwrt.git
synced 2025-01-27 14:49:55 +00:00
df6a33a8d4
Bump to latest Git and refresh all patches in order to get fix for "UPnP SUBSCRIBE misbehavior in hostapd WPS AP" (CVE-2020-12695). General security vulnerability in the way the callback URLs in the UPnP SUBSCRIBE command are used were reported (VU#339275, CVE-2020-12695). Some of the described issues may be applicable to the use of UPnP in WPS AP mode functionality for supporting external registrars. Ref: https://w1.fi/security/2020-1/ Signed-off-by: Petr Štetiar <ynezz@true.cz>
125 lines
3.9 KiB
Diff
125 lines
3.9 KiB
Diff
From c05ace7510ead96e72b97ce47b33f7b5865d6d36 Mon Sep 17 00:00:00 2001
|
|
From: Peter Oh <peter.oh@bowerswilkins.com>
|
|
Date: Mon, 27 Aug 2018 14:28:38 -0700
|
|
Subject: [PATCH 1/7] mesh: use setup completion callback to complete mesh join
|
|
|
|
mesh join function is the last function to be called during
|
|
mesh join process, but it's been called a bit earlier than
|
|
it's supposed to be, so that some mesh parameter values
|
|
such as VHT capabilities not applied correct when mesh join
|
|
is in process.
|
|
Moreover current design of mesh join that is called directly
|
|
after mesh initialization isn't suitable for DFS channels to use,
|
|
since mesh join process should be paused until DFS CAC is
|
|
done and resumed after it's done.
|
|
The callback will be called by hostapd_setup_interface_complete_sync.
|
|
There is possiblity that completing mesh init fails, so add error
|
|
handle codes.
|
|
|
|
Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
|
|
Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
|
|
---
|
|
src/ap/hostapd.c | 11 ++++++++++-
|
|
wpa_supplicant/mesh.c | 13 +++++++------
|
|
2 files changed, 17 insertions(+), 7 deletions(-)
|
|
|
|
--- a/src/ap/hostapd.c
|
|
+++ b/src/ap/hostapd.c
|
|
@@ -434,6 +434,8 @@ static void hostapd_free_hapd_data(struc
|
|
#ifdef CONFIG_MESH
|
|
wpabuf_free(hapd->mesh_pending_auth);
|
|
hapd->mesh_pending_auth = NULL;
|
|
+ /* handling setup failure is already done */
|
|
+ hapd->setup_complete_cb = NULL;
|
|
#endif /* CONFIG_MESH */
|
|
|
|
hostapd_clean_rrm(hapd);
|
|
@@ -2156,6 +2158,13 @@ dfs_offload:
|
|
if (hapd->setup_complete_cb)
|
|
hapd->setup_complete_cb(hapd->setup_complete_cb_ctx);
|
|
|
|
+#ifdef CONFIG_MESH
|
|
+ if (delay_apply_cfg && !iface->mconf) {
|
|
+ wpa_printf(MSG_ERROR, "Error while completing mesh init");
|
|
+ goto fail;
|
|
+ }
|
|
+#endif /* CONFIG_MESH */
|
|
+
|
|
wpa_printf(MSG_DEBUG, "%s: Setup of interface done.",
|
|
iface->bss[0]->conf->iface);
|
|
if (iface->interfaces && iface->interfaces->terminate_on_error > 0)
|
|
@@ -2299,7 +2308,7 @@ int hostapd_setup_interface(struct hosta
|
|
ret = setup_interface(iface);
|
|
if (ret) {
|
|
wpa_printf(MSG_ERROR, "%s: Unable to setup interface.",
|
|
- iface->bss[0]->conf->iface);
|
|
+ iface->conf ? iface->conf->bss[0]->iface : "N/A");
|
|
return -1;
|
|
}
|
|
|
|
--- a/wpa_supplicant/mesh.c
|
|
+++ b/wpa_supplicant/mesh.c
|
|
@@ -194,8 +194,9 @@ static int wpas_mesh_init_rsn(struct wpa
|
|
}
|
|
|
|
|
|
-static int wpas_mesh_complete(struct wpa_supplicant *wpa_s)
|
|
+static void wpas_mesh_complete_cb(void *ctx)
|
|
{
|
|
+ struct wpa_supplicant *wpa_s = ctx;
|
|
struct hostapd_iface *ifmsh = wpa_s->ifmsh;
|
|
struct wpa_driver_mesh_join_params *params = wpa_s->mesh_params;
|
|
struct wpa_ssid *ssid = wpa_s->current_ssid;
|
|
@@ -204,7 +205,7 @@ static int wpas_mesh_complete(struct wpa
|
|
if (!params || !ssid || !ifmsh) {
|
|
wpa_printf(MSG_ERROR, "mesh: %s called without active mesh",
|
|
__func__);
|
|
- return -1;
|
|
+ return;
|
|
}
|
|
|
|
if (ifmsh->mconf->security != MESH_CONF_SEC_NONE &&
|
|
@@ -213,7 +214,7 @@ static int wpas_mesh_complete(struct wpa
|
|
"mesh: RSN initialization failed - deinit mesh");
|
|
wpa_supplicant_mesh_deinit(wpa_s);
|
|
wpa_drv_leave_mesh(wpa_s);
|
|
- return -1;
|
|
+ return;
|
|
}
|
|
|
|
if (ssid->key_mgmt & WPA_KEY_MGMT_SAE) {
|
|
@@ -239,8 +240,6 @@ static int wpas_mesh_complete(struct wpa
|
|
|
|
if (!ret)
|
|
wpa_supplicant_set_state(wpa_s, WPA_COMPLETED);
|
|
-
|
|
- return ret;
|
|
}
|
|
|
|
|
|
@@ -267,6 +266,7 @@ static int wpa_supplicant_mesh_init(stru
|
|
if (!ifmsh)
|
|
return -ENOMEM;
|
|
|
|
+ ifmsh->owner = wpa_s;
|
|
ifmsh->drv_flags = wpa_s->drv_flags;
|
|
ifmsh->drv_flags2 = wpa_s->drv_flags2;
|
|
ifmsh->num_bss = 1;
|
|
@@ -285,6 +285,8 @@ static int wpa_supplicant_mesh_init(stru
|
|
bss->drv_priv = wpa_s->drv_priv;
|
|
bss->iface = ifmsh;
|
|
bss->mesh_sta_free_cb = mesh_mpm_free_sta;
|
|
+ bss->setup_complete_cb = wpas_mesh_complete_cb;
|
|
+ bss->setup_complete_cb_ctx = wpa_s;
|
|
frequency = ssid->frequency;
|
|
if (frequency != freq->freq &&
|
|
frequency == freq->freq + freq->sec_channel_offset * 20) {
|
|
@@ -526,7 +528,6 @@ int wpa_supplicant_join_mesh(struct wpa_
|
|
goto out;
|
|
}
|
|
|
|
- ret = wpas_mesh_complete(wpa_s);
|
|
out:
|
|
return ret;
|
|
}
|