Re: Bug#949367: stretch-pu: package wpa/2:2.4-1+deb9u5
On Fri, May 01, 2020 at 05:25:19PM +0100, Adam D. Barratt wrote:
> On Sun, 2020-02-02 at 17:38 +0100, Cyril Brulebois wrote:
> > Trying to build the binaries to get that tested in a d-i environment,
> > I
> > ended up with a build failure:
> [...]
> > >
> ../src/ap/drv_callbacks.o: In function `hostapd_notif_assoc':
> > > ./wpa_supplicant/../src/ap/drv_callbacks.c:66: undefined reference
> > > to `is_multicast_ether_addr'
> > > ../src/ap/ieee802_11.o: In function `ieee802_11_mgmt':
> > > ./wpa_supplicant/../src/ap/ieee802_11.c:2213: undefined reference
> > > to `is_multicast_ether_addr'
> > > collect2: error: ld returned 1 exit status
> > > Makefile:1621: recipe for target 'wpa_supplicant' failed
> Andrej? Is there likely to be an updated patch for this soon, or should
> we reject the current upload and close this request?
Oh, I somehow forgot about it. Please see attached debdiff; I have also
added the same minor fix I wanted to push into buster, I think it’s worth
it.
--
Cheers,
Andrej
diff --git a/debian/changelog b/debian/changelog
index 689d552..23b14fc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+wpa (2:2.4-1+deb9u5) stretch; urgency=medium
+
+ * SECURITY UPDATE:
+ - AP mode PMF disconnection protection bypass.
+ More details:
+ + https://w1.fi/security/2019-7/
+ Closes: #940080 (CVE-2019-16275)
+ * Add an upstream patch to fix the MAC randomisation issue with some cards
+ (LP: #1867908, Closes: #954457)
+
+ -- Andrej Shadura <andrewsh@debian.org> Sun, 03 May 2020 15:40:34 +0200
+
wpa (2:2.4-1+deb9u4) stretch-security; urgency=high
* SECURITY UPDATE (2019-5):
diff --git a/debian/patches/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch b/debian/patches/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
new file mode 100644
index 0000000..935b113
--- /dev/null
+++ b/debian/patches/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
@@ -0,0 +1,84 @@
+From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Thu, 29 Aug 2019 11:52:04 +0300
+Subject: [PATCH] AP: Silently ignore management frame from unexpected source
+ address
+
+Do not process any received Management frames with unexpected/invalid SA
+so that we do not add any state for unexpected STA addresses or end up
+sending out frames to unexpected destination. This prevents unexpected
+sequences where an unprotected frame might end up causing the AP to send
+out a response to another device and that other device processing the
+unexpected response.
+
+In particular, this prevents some potential denial of service cases
+where the unexpected response frame from the AP might result in a
+connected station dropping its association.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/drv_callbacks.c | 13 +++++++++++++
+ src/ap/ieee802_11.c | 12 ++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
+index 31587685fe3b..34ca379edc3d 100644
+--- a/src/ap/drv_callbacks.c
++++ b/src/ap/drv_callbacks.c
+@@ -62,6 +62,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
+ "no address");
+ return -1;
+ }
++
++ if (is_multicast_ether_addr(addr) ||
++ is_zero_ether_addr(addr) ||
++ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
++ /* Do not process any frames with unexpected/invalid SA so that
++ * we do not add any state for unexpected STA addresses or end
++ * up sending out frames to unexpected destination. */
++ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
++ " in received indication - ignore this indication silently",
++ __func__, MAC2STR(addr));
++ return 0;
++ }
++
+ random_add_randomness(addr, ETH_ALEN);
+
+ hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index c85a28db44b7..e7065372e158 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -2210,6 +2210,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
+ fc = le_to_host16(mgmt->frame_control);
+ stype = WLAN_FC_GET_STYPE(fc);
+
++ if (is_multicast_ether_addr(mgmt->sa) ||
++ is_zero_ether_addr(mgmt->sa) ||
++ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
++ /* Do not process any frames with unexpected/invalid SA so that
++ * we do not add any state for unexpected STA addresses or end
++ * up sending out frames to unexpected destination. */
++ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
++ " in received frame - ignore this frame silently",
++ MAC2STR(mgmt->sa));
++ return 0;
++ }
++
+ if (stype == WLAN_FC_STYPE_BEACON) {
+ handle_beacon(hapd, mgmt, len, fi);
+ return 1;
+--- a/src/utils/common.h
++++ b/src/utils/common.h
+@@ -518,6 +518,11 @@
+ return (a[0] & a[1] & a[2] & a[3] & a[4] & a[5]) == 0xff;
+ }
+
++static inline int is_multicast_ether_addr(const u8 *a)
++{
++ return a[0] & 0x01;
++}
++
+ #define broadcast_ether_addr (const u8 *) "\xff\xff\xff\xff\xff\xff"
+
+ #include "wpa_debug.h"
diff --git a/debian/patches/series b/debian/patches/series
index e2b1ee9..5b92495 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -56,3 +56,6 @@ CVE-2018-14526/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-
2019-4/0013-EAP-pwd-client-Verify-received-scalar-and-element.patch
2019-5/0001-EAP-pwd-server-Fix-reassembly-buffer-handling.patch
2019-5/0003-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch
+
+2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
+upstream-fixes/0006-nl80211-fix-RTM-NEW-DELLINK-IFLA_IFNAME.patch
diff --git a/debian/patches/upstream-fixes/0006-nl80211-fix-RTM-NEW-DELLINK-IFLA_IFNAME.patch b/debian/patches/upstream-fixes/0006-nl80211-fix-RTM-NEW-DELLINK-IFLA_IFNAME.patch
new file mode 100644
index 0000000..d0dc403
--- /dev/null
+++ b/debian/patches/upstream-fixes/0006-nl80211-fix-RTM-NEW-DELLINK-IFLA_IFNAME.patch
@@ -0,0 +1,45 @@
+From 7546c489a95a033c78331915fcdfa0e6fd74d563 Mon Sep 17 00:00:00 2001
+From: Ouden <Ouden.Biz@gmail.com>
+Date: Wed, 18 Mar 2020 17:58:37 +0800
+Subject: nl80211: Fix RTM NEW/DELLINK IFLA_IFNAME copy for maximum ifname
+ length
+
+If the kernel rtm_newlink or rtm_dellink send the maximum length of
+ifname (IFNAMSIZ), the event handlers in
+wpa_driver_nl80211_event_rtm_addlink() and
+wpa_driver_nl80211_event_rtm_dellink() did not copy the IFLA_IFNAME
+value. Because the RTA_PAYLOAD (IFLA_IFNAME) length already includes the
+NULL termination, that equals the IFNAMSIZ.
+
+Fix the condition when IFNAME reach maximum size.
+
+Signed-off-by: Ouden <Ouden.Biz@gmail.com>
+---
+ src/drivers/driver_nl80211.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
+index efcd69a..c071cc0 100644
+--- a/src/drivers/driver_nl80211.c
++++ b/src/drivers/driver_nl80211.c
+@@ -920,7 +920,7 @@ static void wpa_driver_nl80211_event_rtm_newlink(void *ctx,
+ while (RTA_OK(attr, attrlen)) {
+ switch (attr->rta_type) {
+ case IFLA_IFNAME:
+- if (RTA_PAYLOAD(attr) >= IFNAMSIZ)
++ if (RTA_PAYLOAD(attr) > IFNAMSIZ)
+ break;
+ os_memcpy(ifname, RTA_DATA(attr), RTA_PAYLOAD(attr));
+ ifname[RTA_PAYLOAD(attr)] = '\0';
+@@ -1103,7 +1103,7 @@ static void wpa_driver_nl80211_event_rtm_dellink(void *ctx,
+ while (RTA_OK(attr, attrlen)) {
+ switch (attr->rta_type) {
+ case IFLA_IFNAME:
+- if (RTA_PAYLOAD(attr) >= IFNAMSIZ)
++ if (RTA_PAYLOAD(attr) > IFNAMSIZ)
+ break;
+ os_memcpy(ifname, RTA_DATA(attr), RTA_PAYLOAD(attr));
+ ifname[RTA_PAYLOAD(attr)] = '\0';
+--
+cgit v0.12
+
Reply to: