main/hostapd: security fix (CVE-2019-16275)

ref #10799
author: Leonardo Arena <rnalrd@alpinelinux.org> 2019-09-17 12:37:51 +0000
committer: Leonardo Arena <rnalrd@alpinelinux.org> 2019-09-17 12:37:51 +0000
commit: 55443b474ec90b6d005d24bcaa7224721a8875a7 (patch)
tree: c5d48027691417d737688b1cd4257f53a461c3db
parent: 1c04cce7036cdb842535ee6ad5f944794fc04c74 (diff)
2 files changed, 78 insertions, 1 deletions
diff --git a/main/hostapd/APKBUILD b/main/hostapd/APKBUILD
index 2c979ac7296..37987ab5e14 100644
--- a/main/hostapd/APKBUILD
+++ b/main/hostapd/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=hostapd
 pkgver=2.8
-pkgrel=1
+pkgrel=2
 pkgdesc="daemon for wireless software access points"
 url="http://hostap.epitest.fi/hostapd/"
 arch="all"
@@ -14,6 +14,7 @@ patches="0001-SAE-Use-const_time_memcmp-for-pwd_value-prime-compar.patch
 	0004-SAE-Run-through-prf-result-processing-even-if-it-pri.patch
 	0005-EAP-pwd-Run-through-prf-result-processing-even-if-it.patch
 	0006-dragonfly-Disable-use-of-groups-using-Brainpool-curv.patch
+	CVE-2019-16275.patch
 "
 source="http://hostap.epitest.fi/releases/$pkgname-$pkgver.tar.gz
 	$patches
@@ -23,6 +24,8 @@ options="!check" #no testsuite
 builddir="$srcdir"/$pkgname-$pkgver/hostapd
 
 # secfixes:
+#   2.8-r2:
+#     - CVE-2019-16275
 #   2.8-r1:
 #     - CVE-2019-13377
 #   2.8-r0:
@@ -106,5 +109,6 @@ sha512sums="5a352517470912bcb87755a592238eac2d814a7089d4ba1ecb7969f172dbb746a4e9
 1fabc83a5e05ce3d09c89e37365d038bd0eec3a76683966ad172eac3c2c884dbc24fc6ca11c27a8f4582e886d0f1cde73bbede4484352b42a3f686d89d088fff  0004-SAE-Run-through-prf-result-processing-even-if-it-pri.patch
 bcae73930c35d441c5615970c305abb3dff293fdec16df50823e57419b22d1aac0e780970619e0c78b4482b7d07962bcf6162706a20e20f7b21a3a10f500eff1  0005-EAP-pwd-Run-through-prf-result-processing-even-if-it.patch
 4734a8ab8ba1e91fc9e3d729f34527c14c291df238b02adea5acc04b0361b41d4bffca2fb13a4f464e9f007fa624117af4f50d755cb41a3129b4868da91bdf9a  0006-dragonfly-Disable-use-of-groups-using-Brainpool-curv.patch
+63710cfb0992f2c346a9807d8c97cbeaed032fa376a0e93a2e56f7742ce515e9c4dfadbdb1af03ba272281f639aab832f0178f67634c222a5d99e1d462aa9e38  CVE-2019-16275.patch
 b54b7c6aa17e5cb86a9b354a516eb2dbefb544df18471339c61d82776de447011a2ac290bea1e6c8beae4b6cebefafb8174683ea42fb773e9e8fe6c679f33ba3  hostapd.initd
 0882263bbd7c0b05bf51f51d66e11a23a0b8ca7da2a3b8a30166d2c5f044c0c134e6bccb1d02c9e81819ca8fb0c0fb55c7121a08fe7233ccaa73ff8ab9a238fe  hostapd.confd"
diff --git a/main/hostapd/CVE-2019-16275.patch b/main/hostapd/CVE-2019-16275.patch
new file mode 100644
index 00000000000..d764a9db016
--- /dev/null
+++ b/main/hostapd/CVE-2019-16275.patch
@@ -0,0 +1,73 @@
+From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Thu, 29 Aug 2019 11:52:04 +0300
+Subject: [PATCH] AP: Silently ignore management frame from unexpected source
+ address
+
+Do not process any received Management frames with unexpected/invalid SA
+so that we do not add any state for unexpected STA addresses or end up
+sending out frames to unexpected destination. This prevents unexpected
+sequences where an unprotected frame might end up causing the AP to send
+out a response to another device and that other device processing the
+unexpected response.
+
+In particular, this prevents some potential denial of service cases
+where the unexpected response frame from the AP might result in a
+connected station dropping its association.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/drv_callbacks.c | 13 +++++++++++++
+ src/ap/ieee802_11.c    | 12 ++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
+index 31587685fe3b..34ca379edc3d 100644
+--- a/src/ap/drv_callbacks.c
++++ b/src/ap/drv_callbacks.c
+@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
+ 			   "hostapd_notif_assoc: Skip event with no address");
+ 		return -1;
+ 	}
++
++	if (is_multicast_ether_addr(addr) ||
++	    is_zero_ether_addr(addr) ||
++	    os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
++		/* Do not process any frames with unexpected/invalid SA so that
++		 * we do not add any state for unexpected STA addresses or end
++		 * up sending out frames to unexpected destination. */
++		wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
++			   " in received indication - ignore this indication silently",
++			   __func__, MAC2STR(addr));
++		return 0;
++	}
++
+ 	random_add_randomness(addr, ETH_ALEN);
+ 
+ 	hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index c85a28db44b7..e7065372e158 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
+ 	fc = le_to_host16(mgmt->frame_control);
+ 	stype = WLAN_FC_GET_STYPE(fc);
+ 
++	if (is_multicast_ether_addr(mgmt->sa) ||
++	    is_zero_ether_addr(mgmt->sa) ||
++	    os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
++		/* Do not process any frames with unexpected/invalid SA so that
++		 * we do not add any state for unexpected STA addresses or end
++		 * up sending out frames to unexpected destination. */
++		wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
++			   " in received frame - ignore this frame silently",
++			   MAC2STR(mgmt->sa));
++		return 0;
++	}
++
+ 	if (stype == WLAN_FC_STYPE_BEACON) {
+ 		handle_beacon(hapd, mgmt, len, fi);
+ 		return 1;
+-- 
+2.20.1
+
author	Leonardo Arena <rnalrd@alpinelinux.org>	2019-09-17 12:37:51 +0000
committer	Leonardo Arena <rnalrd@alpinelinux.org>	2019-09-17 12:37:51 +0000
commit	55443b474ec90b6d005d24bcaa7224721a8875a7 (patch)
tree	c5d48027691417d737688b1cd4257f53a461c3db
parent	1c04cce7036cdb842535ee6ad5f944794fc04c74 (diff)