76db6b0dd0
Fixes: CVE-2015-5310 - wpa_supplicant unauthorized WNM Sleep Mode GTK control CVE-2015-5315 - wpa_supplicant: EAP-pwd missing last fragment length validation CVE-2015-5316 - EAP-pwd peer error path failure on unexpected Confirm message Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
33 lines
1.2 KiB
Diff
33 lines
1.2 KiB
Diff
From 6b12d93d2c7428a34bfd4b3813ba339ed57b698a Mon Sep 17 00:00:00 2001
|
|
From: Jouni Malinen <j@w1.fi>
|
|
Date: Sun, 25 Oct 2015 15:45:50 +0200
|
|
Subject: [PATCH] WNM: Ignore Key Data in WNM Sleep Mode Response frame if no
|
|
PMF in use
|
|
|
|
WNM Sleep Mode Response frame is used to update GTK/IGTK only if PMF is
|
|
enabled. Verify that PMF is in use before using this field on station
|
|
side to avoid accepting unauthenticated key updates. (CVE-2015-5310)
|
|
|
|
Signed-off-by: Jouni Malinen <j@w1.fi>
|
|
---
|
|
wpa_supplicant/wnm_sta.c | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
|
|
index 954de67..7d79499 100644
|
|
--- a/wpa_supplicant/wnm_sta.c
|
|
+++ b/wpa_supplicant/wnm_sta.c
|
|
@@ -187,6 +187,12 @@ static void wnm_sleep_mode_exit_success(struct wpa_supplicant *wpa_s,
|
|
end = ptr + key_len_total;
|
|
wpa_hexdump_key(MSG_DEBUG, "WNM: Key Data", ptr, key_len_total);
|
|
|
|
+ if (key_len_total && !wpa_sm_pmf_enabled(wpa_s->wpa)) {
|
|
+ wpa_msg(wpa_s, MSG_INFO,
|
|
+ "WNM: Ignore Key Data in WNM-Sleep Mode Response - PMF not enabled");
|
|
+ return;
|
|
+ }
|
|
+
|
|
while (ptr + 1 < end) {
|
|
if (ptr + 2 + ptr[1] > end) {
|
|
wpa_printf(MSG_DEBUG, "WNM: Invalid Key Data element "
|