Hello community, here is the log from the commit of package wpa_supplicant for openSUSE:Factory checked in at 2020-04-27 23:30:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/wpa_supplicant (Old) and /work/SRC/openSUSE:Factory/.wpa_supplicant.new.2738 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "wpa_supplicant" Mon Apr 27 23:30:40 2020 rev:79 rq:797131 version:2.9 Changes: -------- --- /work/SRC/openSUSE:Factory/wpa_supplicant/wpa_supplicant.changes 2020-04-23 18:29:21.871964558 +0200 +++ /work/SRC/openSUSE:Factory/.wpa_supplicant.new.2738/wpa_supplicant.changes 2020-04-27 23:30:55.994651315 +0200 @@ -1,0 +2,6 @@ +Thu Apr 23 21:51:17 UTC 2020 - Clemens Famulla-Conrad <[email protected]> + +- Add CVE-2019-16275.patch -- AP mode PMF disconnection protection bypass + (bsc#1150934) + +------------------------------------------------------------------- New: ---- CVE-2019-16275.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ wpa_supplicant.spec ++++++ --- /var/tmp/diff_new_pack.DgWW5e/_old 2020-04-27 23:30:56.846652977 +0200 +++ /var/tmp/diff_new_pack.DgWW5e/_new 2020-04-27 23:30:56.850652986 +0200 @@ -40,6 +40,7 @@ Patch4: wpa_supplicant-getrandom.patch Patch5: wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff Patch6: restore-old-dbus-interface.patch +Patch7: CVE-2019-16275.patch BuildRequires: pkgconfig BuildRequires: readline-devel BuildRequires: systemd-rpm-macros ++++++ CVE-2019-16275.patch ++++++ >From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001 From: Jouni Malinen <[email protected]> Date: Thu, 29 Aug 2019 11:52:04 +0300 Subject: [PATCH] AP: Silently ignore management frame from unexpected source address Do not process any received Management frames with unexpected/invalid SA so that we do not add any state for unexpected STA addresses or end up sending out frames to unexpected destination. This prevents unexpected sequences where an unprotected frame might end up causing the AP to send out a response to another device and that other device processing the unexpected response. In particular, this prevents some potential denial of service cases where the unexpected response frame from the AP might result in a connected station dropping its association. Signed-off-by: Jouni Malinen <[email protected]> --- src/ap/drv_callbacks.c | 13 +++++++++++++ src/ap/ieee802_11.c | 12 ++++++++++++ 2 files changed, 25 insertions(+) diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c index 31587685fe3b..34ca379edc3d 100644 --- a/src/ap/drv_callbacks.c +++ b/src/ap/drv_callbacks.c @@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr, "hostapd_notif_assoc: Skip event with no address"); return -1; } + + if (is_multicast_ether_addr(addr) || + is_zero_ether_addr(addr) || + os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) { + /* Do not process any frames with unexpected/invalid SA so that + * we do not add any state for unexpected STA addresses or end + * up sending out frames to unexpected destination. */ + wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR + " in received indication - ignore this indication silently", + __func__, MAC2STR(addr)); + return 0; + } + random_add_randomness(addr, ETH_ALEN); hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211, diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index c85a28db44b7..e7065372e158 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, fc = le_to_host16(mgmt->frame_control); stype = WLAN_FC_GET_STYPE(fc); + if (is_multicast_ether_addr(mgmt->sa) || + is_zero_ether_addr(mgmt->sa) || + os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) { + /* Do not process any frames with unexpected/invalid SA so that + * we do not add any state for unexpected STA addresses or end + * up sending out frames to unexpected destination. */ + wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR + " in received frame - ignore this frame silently", + MAC2STR(mgmt->sa)); + return 0; + } + if (stype == WLAN_FC_STYPE_BEACON) { handle_beacon(hapd, mgmt, len, fi); return 1; -- 2.20.1
