On Fri, May 01, 2020 at 05:25:19PM +0100, Adam D. Barratt wrote: > On Sun, 2020-02-02 at 17:38 +0100, Cyril Brulebois wrote: > > Trying to build the binaries to get that tested in a d-i environment, > > I > > ended up with a build failure: > [...] > > > > ../src/ap/drv_callbacks.o: In function `hostapd_notif_assoc': > > > ./wpa_supplicant/../src/ap/drv_callbacks.c:66: undefined reference > > > to `is_multicast_ether_addr' > > > ../src/ap/ieee802_11.o: In function `ieee802_11_mgmt': > > > ./wpa_supplicant/../src/ap/ieee802_11.c:2213: undefined reference > > > to `is_multicast_ether_addr' > > > collect2: error: ld returned 1 exit status > > > Makefile:1621: recipe for target 'wpa_supplicant' failed
> Andrej? Is there likely to be an updated patch for this soon, or should > we reject the current upload and close this request? Oh, I somehow forgot about it. Please see attached debdiff; I have also added the same minor fix I wanted to push into buster, I think it’s worth it. -- Cheers, Andrej
diff --git a/debian/changelog b/debian/changelog index 689d552..23b14fc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +wpa (2:2.4-1+deb9u5) stretch; urgency=medium + + * SECURITY UPDATE: + - AP mode PMF disconnection protection bypass. + More details: + + https://w1.fi/security/2019-7/ + Closes: #940080 (CVE-2019-16275) + * Add an upstream patch to fix the MAC randomisation issue with some cards + (LP: #1867908, Closes: #954457) + + -- Andrej Shadura <andre...@debian.org> Sun, 03 May 2020 15:40:34 +0200 + wpa (2:2.4-1+deb9u4) stretch-security; urgency=high * SECURITY UPDATE (2019-5): diff --git a/debian/patches/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch b/debian/patches/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch new file mode 100644 index 0000000..935b113 --- /dev/null +++ b/debian/patches/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch @@ -0,0 +1,84 @@ +From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j...@w1.fi> +Date: Thu, 29 Aug 2019 11:52:04 +0300 +Subject: [PATCH] AP: Silently ignore management frame from unexpected source + address + +Do not process any received Management frames with unexpected/invalid SA +so that we do not add any state for unexpected STA addresses or end up +sending out frames to unexpected destination. This prevents unexpected +sequences where an unprotected frame might end up causing the AP to send +out a response to another device and that other device processing the +unexpected response. + +In particular, this prevents some potential denial of service cases +where the unexpected response frame from the AP might result in a +connected station dropping its association. + +Signed-off-by: Jouni Malinen <j...@w1.fi> +--- + src/ap/drv_callbacks.c | 13 +++++++++++++ + src/ap/ieee802_11.c | 12 ++++++++++++ + 2 files changed, 25 insertions(+) + +diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c +index 31587685fe3b..34ca379edc3d 100644 +--- a/src/ap/drv_callbacks.c ++++ b/src/ap/drv_callbacks.c +@@ -62,6 +62,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr, + "no address"); + return -1; + } ++ ++ if (is_multicast_ether_addr(addr) || ++ is_zero_ether_addr(addr) || ++ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) { ++ /* Do not process any frames with unexpected/invalid SA so that ++ * we do not add any state for unexpected STA addresses or end ++ * up sending out frames to unexpected destination. */ ++ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR ++ " in received indication - ignore this indication silently", ++ __func__, MAC2STR(addr)); ++ return 0; ++ } ++ + random_add_randomness(addr, ETH_ALEN); + + hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211, +diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c +index c85a28db44b7..e7065372e158 100644 +--- a/src/ap/ieee802_11.c ++++ b/src/ap/ieee802_11.c +@@ -2210,6 +2210,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, + fc = le_to_host16(mgmt->frame_control); + stype = WLAN_FC_GET_STYPE(fc); + ++ if (is_multicast_ether_addr(mgmt->sa) || ++ is_zero_ether_addr(mgmt->sa) || ++ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) { ++ /* Do not process any frames with unexpected/invalid SA so that ++ * we do not add any state for unexpected STA addresses or end ++ * up sending out frames to unexpected destination. */ ++ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR ++ " in received frame - ignore this frame silently", ++ MAC2STR(mgmt->sa)); ++ return 0; ++ } ++ + if (stype == WLAN_FC_STYPE_BEACON) { + handle_beacon(hapd, mgmt, len, fi); + return 1; +--- a/src/utils/common.h ++++ b/src/utils/common.h +@@ -518,6 +518,11 @@ + return (a[0] & a[1] & a[2] & a[3] & a[4] & a[5]) == 0xff; + } + ++static inline int is_multicast_ether_addr(const u8 *a) ++{ ++ return a[0] & 0x01; ++} ++ + #define broadcast_ether_addr (const u8 *) "\xff\xff\xff\xff\xff\xff" + + #include "wpa_debug.h" diff --git a/debian/patches/series b/debian/patches/series index e2b1ee9..5b92495 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -56,3 +56,6 @@ CVE-2018-14526/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key- 2019-4/0013-EAP-pwd-client-Verify-received-scalar-and-element.patch 2019-5/0001-EAP-pwd-server-Fix-reassembly-buffer-handling.patch 2019-5/0003-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch + +2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch +upstream-fixes/0006-nl80211-fix-RTM-NEW-DELLINK-IFLA_IFNAME.patch diff --git a/debian/patches/upstream-fixes/0006-nl80211-fix-RTM-NEW-DELLINK-IFLA_IFNAME.patch b/debian/patches/upstream-fixes/0006-nl80211-fix-RTM-NEW-DELLINK-IFLA_IFNAME.patch new file mode 100644 index 0000000..d0dc403 --- /dev/null +++ b/debian/patches/upstream-fixes/0006-nl80211-fix-RTM-NEW-DELLINK-IFLA_IFNAME.patch @@ -0,0 +1,45 @@ +From 7546c489a95a033c78331915fcdfa0e6fd74d563 Mon Sep 17 00:00:00 2001 +From: Ouden <ouden....@gmail.com> +Date: Wed, 18 Mar 2020 17:58:37 +0800 +Subject: nl80211: Fix RTM NEW/DELLINK IFLA_IFNAME copy for maximum ifname + length + +If the kernel rtm_newlink or rtm_dellink send the maximum length of +ifname (IFNAMSIZ), the event handlers in +wpa_driver_nl80211_event_rtm_addlink() and +wpa_driver_nl80211_event_rtm_dellink() did not copy the IFLA_IFNAME +value. Because the RTA_PAYLOAD (IFLA_IFNAME) length already includes the +NULL termination, that equals the IFNAMSIZ. + +Fix the condition when IFNAME reach maximum size. + +Signed-off-by: Ouden <ouden....@gmail.com> +--- + src/drivers/driver_nl80211.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c +index efcd69a..c071cc0 100644 +--- a/src/drivers/driver_nl80211.c ++++ b/src/drivers/driver_nl80211.c +@@ -920,7 +920,7 @@ static void wpa_driver_nl80211_event_rtm_newlink(void *ctx, + while (RTA_OK(attr, attrlen)) { + switch (attr->rta_type) { + case IFLA_IFNAME: +- if (RTA_PAYLOAD(attr) >= IFNAMSIZ) ++ if (RTA_PAYLOAD(attr) > IFNAMSIZ) + break; + os_memcpy(ifname, RTA_DATA(attr), RTA_PAYLOAD(attr)); + ifname[RTA_PAYLOAD(attr)] = '\0'; +@@ -1103,7 +1103,7 @@ static void wpa_driver_nl80211_event_rtm_dellink(void *ctx, + while (RTA_OK(attr, attrlen)) { + switch (attr->rta_type) { + case IFLA_IFNAME: +- if (RTA_PAYLOAD(attr) >= IFNAMSIZ) ++ if (RTA_PAYLOAD(attr) > IFNAMSIZ) + break; + os_memcpy(ifname, RTA_DATA(attr), RTA_PAYLOAD(attr)); + ifname[RTA_PAYLOAD(attr)] = '\0'; +-- +cgit v0.12 +
