Module Name:    src
Committed By:   christos
Date:           Tue Nov 10 18:39:40 UTC 2015

Modified Files:
        src/external/bsd/wpa/dist/wpa_supplicant: wnm_sta.c

Log Message:
Apply patch by Jouni Malinen. We don't have CONFIG_EAP_PWD enabled so we are
not affected:

EAP-pwd peer error path failure on unexpected Confirm message

Published: November 10, 2015
Identifier: CVE-2015-5316
Latest version available from: http://w1.fi/security/2015-8/

Vulnerability

A vulnerability was found in the EAP-pwd peer implementation used in
wpa_supplicant. If an EAP-pwd Confirm message is received unexpectedly
before the Identity exchange, the error path processing ended up
dereferencing a NULL pointer and terminating the process.

For wpa_supplicant with EAP-pwd enabled in a network configuration
profile, this could allow a denial of service attack by an attacker
within radio range.

Vulnerable versions/configurations

wpa_supplicant v2.3-v2.5 with CONFIG_EAP_PWD=y in the build
configuration (wpa_supplicant/.config) and EAP-pwd enabled in a network
profile at runtime.

Possible mitigation steps

- Merge the following commits and rebuild wpa_supplicant:

  EAP-pwd peer: Fix error path for unexpected Confirm message

  This patch is available from http://w1.fi/security/2015-8/

- Update to wpa_supplicant v2.6 or newer, once available

- Remove CONFIG_EAP_PWD=y from build configuration

- Disable EAP-pwd in runtime configuration


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.3 -r1.2 \
    src/external/bsd/wpa/dist/wpa_supplicant/wnm_sta.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/wpa/dist/wpa_supplicant/wnm_sta.c
diff -u src/external/bsd/wpa/dist/wpa_supplicant/wnm_sta.c:1.1.1.3 src/external/bsd/wpa/dist/wpa_supplicant/wnm_sta.c:1.2
--- src/external/bsd/wpa/dist/wpa_supplicant/wnm_sta.c:1.1.1.3	Wed Apr  1 15:24:39 2015
+++ src/external/bsd/wpa/dist/wpa_supplicant/wnm_sta.c	Tue Nov 10 13:39:40 2015
@@ -187,6 +187,12 @@ static void wnm_sleep_mode_exit_success(
 	end = ptr + key_len_total;
 	wpa_hexdump_key(MSG_DEBUG, "WNM: Key Data", ptr, key_len_total);
 
+	if (key_len_total && !wpa_sm_pmf_enabled(wpa_s->wpa)) {
+		wpa_msg(wpa_s, MSG_INFO,
+			"WNM: Ignore Key Data in WNM-Sleep Mode Response - PMF not enabled");
+		return;
+	}
+
 	while (ptr + 1 < end) {
 		if (ptr + 2 + ptr[1] > end) {
 			wpa_printf(MSG_DEBUG, "WNM: Invalid Key Data element "
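Review bot: The log message does not match this hunk. The message describes CVE-2015-5316 (EAP-pwd peer NULL dereference on an unexpected Confirm message), but the only file touched is wnm_sta.c and the change guards WNM-Sleep Mode Response Key Data against being processed when PMF is not enabled (`if (key_len_total && !wpa_sm_pmf_enabled(wpa_s->wpa))` followed by an early `return`). Either the wrong advisory text was pasted or the wrong patch was applied; the commit message should describe the WNM-Sleep Mode fix actually being merged so that anyone auditing this file for the advisory can trace it. A minor point on placement: the new check sits after `wpa_hexdump_key(MSG_DEBUG, "WNM: Key Data", ...)`, so the rejected key data is still emitted to the debug log before the function bails out; moving the check above the hexdump would avoid logging material the code then refuses to use.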
