hostapd: merge fixes for WPA packet number reuse with replayed messages and key reinstallation

Fixes: - CERT case ID: VU#228519 - CVE-2017-13077 - CVE-2017-13078 - CVE-2017-13079 - CVE-2017-13080 - CVE-2017-13081 - CVE-2017-13082 - CVE-2017-13086 - CVE-2017-13087 - CVE-2017-13088 For more information see: https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-10-16 11:39:23 +02:00
parent 0d5c1d7f23
commit bbda81ce30
14 changed files with 965 additions and 29 deletions
--- a/package/network/services/hostapd/patches/600-ubus_support.patch
+++ b/package/network/services/hostapd/patches/600-ubus_support.patch
@@ -104,8 +104,8 @@
 +		.frame_info = fi,
 +	};
 
-	if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
-		wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
+ 	if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
+ 		wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
@@ -1757,6 +1763,12 @@ static void handle_auth(struct hostapd_d
 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
 		goto fail;
@@ -116,10 +116,10 @@
 +		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
 +		goto fail;
 +	}
-	if (res == HOSTAPD_ACL_PENDING)
-		return;
-
-@@ -2860,7 +2872,7 @@ void fils_hlp_timeout(void *eloop_ctx, v
+ 	if (res == HOSTAPD_ACL_PENDING)
+ 		return;
+ 
+@@ -2870,7 +2882,7 @@ void fils_hlp_timeout(void *eloop_ctx, v
 
 static void handle_assoc(struct hostapd_data *hapd,
 			 const struct ieee80211_mgmt *mgmt, size_t len,
@@ -128,9 +128,9 @@
 {
 	u16 capab_info, listen_interval, seq_ctrl, fc;
 	u16 resp = WLAN_STATUS_SUCCESS, reply_res;
-@@ -2874,6 +2886,11 @@ static void handle_assoc(struct hostapd_
+@@ -2884,6 +2896,11 @@ static void handle_assoc(struct hostapd_
 #ifdef CONFIG_FILS
-	int delay_assoc = 0;
+ 	int delay_assoc = 0;
 #endif /* CONFIG_FILS */
 +	struct hostapd_ubus_request req = {
 +		.type = HOSTAPD_UBUS_ASSOC_REQ,
@@ -140,7 +140,7 @@
 
 	if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
 				      sizeof(mgmt->u.assoc_req))) {
-@@ -3041,6 +3058,13 @@ static void handle_assoc(struct hostapd_
+@@ -3051,6 +3068,13 @@ static void handle_assoc(struct hostapd_
 	}
 #endif /* CONFIG_MBO */
 
@@ -154,7 +154,7 @@
 	/*
 	 * sta->capability is used in check_assoc_ies() for RRM enabled
 	 * capability element.
-@@ -3248,6 +3272,7 @@ static void handle_disassoc(struct hosta
+@@ -3258,6 +3282,7 @@ static void handle_disassoc(struct hosta
 	wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d",
 		   MAC2STR(mgmt->sa),
 		   le_to_host16(mgmt->u.disassoc.reason_code));
@@ -162,7 +162,7 @@
 
 	sta = ap_get_sta(hapd, mgmt->sa);
 	if (sta == NULL) {
-@@ -3313,6 +3338,8 @@ static void handle_deauth(struct hostapd
+@@ -3323,6 +3348,8 @@ static void handle_deauth(struct hostapd
 		" reason_code=%d",
 		MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
 
@@ -171,7 +171,7 @@
 	sta = ap_get_sta(hapd, mgmt->sa);
 	if (sta == NULL) {
 		wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
-@@ -3627,7 +3654,7 @@ int ieee802_11_mgmt(struct hostapd_data
+@@ -3637,7 +3664,7 @@ int ieee802_11_mgmt(struct hostapd_data
 
 
 	if (stype == WLAN_FC_STYPE_PROBE_REQ) {
@@ -180,7 +180,7 @@
 		return 1;
 	}
 
-@@ -3647,17 +3674,17 @@ int ieee802_11_mgmt(struct hostapd_data
+@@ -3657,17 +3684,17 @@ int ieee802_11_mgmt(struct hostapd_data
 	switch (stype) {
 	case WLAN_FC_STYPE_AUTH:
 		wpa_printf(MSG_DEBUG, "mgmt::auth");