diff options
| author | Gustavo Zacarias <gustavo@zacarias.com.ar> | 2015-11-11 11:09:05 -0300 |
|---|---|---|
| committer | Thomas Petazzoni <thomas.petazzoni@free-electrons.com> | 2015-11-11 15:19:13 +0100 |
| commit | 76db6b0dd0451daacf4377a752bbbf86bb94bb37 (patch) | |
| tree | ab00ee63457eb62c64fae4e36735e2bdf0e386d8 /package/wpa_supplicant/0002-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch | |
| parent | 08fc0a47e153735d54362823b8824988252c08d3 (diff) | |
| download | buildroot-76db6b0dd0451daacf4377a752bbbf86bb94bb37.tar.gz buildroot-76db6b0dd0451daacf4377a752bbbf86bb94bb37.zip | |
wpa_supplicant: add security patches
Fixes:
CVE-2015-5310 - wpa_supplicant unauthorized WNM Sleep Mode GTK control
CVE-2015-5315 - wpa_supplicant: EAP-pwd missing last fragment length
validation
CVE-2015-5316 - EAP-pwd peer error path failure on unexpected Confirm
message
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Diffstat (limited to 'package/wpa_supplicant/0002-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch')
| -rw-r--r-- | package/wpa_supplicant/0002-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/package/wpa_supplicant/0002-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch b/package/wpa_supplicant/0002-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch new file mode 100644 index 0000000000..00e5b7c771 --- /dev/null +++ b/package/wpa_supplicant/0002-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch @@ -0,0 +1,32 @@ +From 6b12d93d2c7428a34bfd4b3813ba339ed57b698a Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Sun, 25 Oct 2015 15:45:50 +0200 +Subject: [PATCH] WNM: Ignore Key Data in WNM Sleep Mode Response frame if no + PMF in use + +WNM Sleep Mode Response frame is used to update GTK/IGTK only if PMF is +enabled. Verify that PMF is in use before using this field on station +side to avoid accepting unauthenticated key updates. (CVE-2015-5310) + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + wpa_supplicant/wnm_sta.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c +index 954de67..7d79499 100644 +--- a/wpa_supplicant/wnm_sta.c ++++ b/wpa_supplicant/wnm_sta.c +@@ -187,6 +187,12 @@ static void wnm_sleep_mode_exit_success(struct wpa_supplicant *wpa_s, + end = ptr + key_len_total; + wpa_hexdump_key(MSG_DEBUG, "WNM: Key Data", ptr, key_len_total); + ++ if (key_len_total && !wpa_sm_pmf_enabled(wpa_s->wpa)) { ++ wpa_msg(wpa_s, MSG_INFO, ++ "WNM: Ignore Key Data in WNM-Sleep Mode Response - PMF not enabled"); ++ return; ++ } ++ + while (ptr + 1 < end) { + if (ptr + 2 + ptr[1] > end) { + wpa_printf(MSG_DEBUG, "WNM: Invalid Key Data element " |
