DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

Do not start SA Query procedure without keys

Browse source 
The AP mode condition for initiating the SA Query procedure when
receiving a new (Re)Association Request frame used only association
state and MFP negotiation result without checking that the key exchange
has been completed. This can give rise to a corner case where the SA
Query procedure may get started after open association but before the
4-way handshake has been completed, resulting in open SA query frames
over the air.

Fix this by adding station authorized check in hostapd_notif_assoc() and
check_assoc_ies().

Signed-off-by: Rohan <drohan@codeaurora.org>
This commit is contained in:
Rohan 2020-08-14 19:06:15 +05:30 committed by Jouni Malinen
parent a92660a00e
commit e3ba0c4cd2
2 changed files with 12 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
src/ap/drv_callbacks.c
View file

@ -388,13 +388,15 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
goto fail; goto fail;
} }
if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) == if ((sta->flags &
(WLAN_STA_ASSOC | WLAN_STA_MFP) && (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)) ==
(WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED) &&
!sta->sa_query_timed_out && !sta->sa_query_timed_out &&
sta->sa_query_count > 0) sta->sa_query_count > 0)
ap_check_sa_query_timeout(hapd, sta); ap_check_sa_query_timeout(hapd, sta);
if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) == if ((sta->flags &
(WLAN_STA_ASSOC | WLAN_STA_MFP) && (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)) ==
(WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED) &&
!sta->sa_query_timed_out && !sta->sa_query_timed_out &&
(sta->auth_alg != WLAN_AUTH_FT)) { (sta->auth_alg != WLAN_AUTH_FT)) {
/* /*

10
src/ap/ieee802_11.c
View file

@ -3328,13 +3328,15 @@ static int check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
resp = wpa_res_to_status_code(res); resp = wpa_res_to_status_code(res);
if (resp != WLAN_STATUS_SUCCESS) if (resp != WLAN_STATUS_SUCCESS)
return resp; return resp;
if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) == if ((sta->flags &
(WLAN_STA_ASSOC | WLAN_STA_MFP) && (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)) ==
(WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED) &&
!sta->sa_query_timed_out && !sta->sa_query_timed_out &&
sta->sa_query_count > 0) sta->sa_query_count > 0)
ap_check_sa_query_timeout(hapd, sta); ap_check_sa_query_timeout(hapd, sta);
if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) == if ((sta->flags &
(WLAN_STA_ASSOC | WLAN_STA_MFP) && (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)) ==
(WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED) &&
!sta->sa_query_timed_out && !sta->sa_query_timed_out &&
(!reassoc || sta->auth_alg != WLAN_AUTH_FT)) { (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) {
/* /*