WPS 2.0: Validate WPS attributes in management frames and WSC messages

If CONFIG_WPS_STRICT is set, validate WPS IE(s) in management frames and reject the frames if any of the mandatory attributes is missing or if an included attribute uses an invalid value. In addition, verify that all mandatory attributes are included and have valid values in the WSC messages.
2010-05-26 17:16:14 +03:00 · 2010-05-26 17:16:14 +03:00 · 54f489be45
commit 54f489be45
parent 00ae50bc87
13 changed files with 2158 additions and 0 deletions
--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
@ -20,6 +20,7 @@
 #include "common/ieee802_11_defs.h"
 #include "common/ieee802_11_common.h"
 #include "common/wpa_ctrl.h"
+#include "wps/wps.h"
 #include "hostapd.h"
 #include "ieee802_11.h"
 #include "sta_info.h"
@ -139,6 +140,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
 			return -1;
 		}
 	} else if (hapd->conf->wps_state) {
+#ifdef CONFIG_WPS_STRICT
+		struct wpabuf *wps;
+		wps = ieee802_11_vendor_ie_concat(ie, ielen,
+						  WPS_IE_VENDOR_TYPE);
+		if (wps && wps_validate_assoc_req(wps) < 0) {
+			hapd->drv.sta_disassoc(hapd, sta->addr,
+					       WLAN_REASON_INVALID_IE);
+			ap_free_sta(hapd, sta);
+			wpabuf_free(wps);
+			return -1;
+		}
+		wpabuf_free(wps);
+#endif /* CONFIG_WPS_STRICT */
 		if (ie && ielen > 4 && ie[0] == 0xdd && ie[1] >= 4 &&
 		    os_memcmp(ie + 2, "\x00\x50\xf2\x04", 4) == 0) {
 			sta->flags |= WLAN_STA_WPS;
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@ -664,6 +664,11 @@ static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
 							  WPS_IE_VENDOR_TYPE);
 		wpa_ie = NULL;
 		wpa_ie_len = 0;
+		if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) {
+			wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in "
+				   "(Re)Association Request - reject");
+			return WLAN_STATUS_INVALID_IE;
+		}
 	} else if (hapd->conf->wps_state && wpa_ie == NULL) {
 		wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in "
 			   "(Re)Association Request - possible WPS use");
--- a/src/ap/wps_hostapd.c
+++ b/src/ap/wps_hostapd.c
@ -820,6 +820,10 @@ static int hostapd_wps_probe_req_rx(void *ctx, const u8 *addr,
 	wps_ie = ieee802_11_vendor_ie_concat(ie, ie_len, WPS_DEV_OUI_WFA);
 	if (wps_ie == NULL)
 		return 0;
+	if (wps_validate_probe_req(wps_ie) < 0) {
+		wpabuf_free(wps_ie);
+		return 0;
+	}

 	if (wpabuf_len(wps_ie) > 0) {
 		wps_registrar_probe_req_rx(hapd->wps->registrar, addr, wps_ie);