419630e0be
* gnu/packages/patches/wpa-supplicant-CVE-2015-5310.patch, gnu/packages/patches/wpa-supplicant-CVE-2015-5314.patch, gnu/packages/patches/wpa-supplicant-CVE-2015-5315.patch, gnu/packages/patches/wpa-supplicant-CVE-2015-5316.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/admin.scm (wpa-supplicant-minimal)[source]: Add patches.
33 lines
1.2 KiB
Diff
33 lines
1.2 KiB
Diff
From 6b12d93d2c7428a34bfd4b3813ba339ed57b698a Mon Sep 17 00:00:00 2001
|
|
From: Jouni Malinen <j@w1.fi>
|
|
Date: Sun, 25 Oct 2015 15:45:50 +0200
|
|
Subject: [PATCH] WNM: Ignore Key Data in WNM Sleep Mode Response frame if no
|
|
PMF in use
|
|
|
|
WNM Sleep Mode Response frame is used to update GTK/IGTK only if PMF is
|
|
enabled. Verify that PMF is in use before using this field on station
|
|
side to avoid accepting unauthenticated key updates. (CVE-2015-5310)
|
|
|
|
Signed-off-by: Jouni Malinen <j@w1.fi>
|
|
---
|
|
wpa_supplicant/wnm_sta.c | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
|
|
index 954de67..7d79499 100644
|
|
--- a/wpa_supplicant/wnm_sta.c
|
|
+++ b/wpa_supplicant/wnm_sta.c
|
|
@@ -187,6 +187,12 @@ static void wnm_sleep_mode_exit_success(struct wpa_supplicant *wpa_s,
|
|
end = ptr + key_len_total;
|
|
wpa_hexdump_key(MSG_DEBUG, "WNM: Key Data", ptr, key_len_total);
|
|
|
|
+ if (key_len_total && !wpa_sm_pmf_enabled(wpa_s->wpa)) {
|
|
+ wpa_msg(wpa_s, MSG_INFO,
|
|
+ "WNM: Ignore Key Data in WNM-Sleep Mode Response - PMF not enabled");
|
|
+ return;
|
|
+ }
|
|
+
|
|
while (ptr + 1 < end) {
|
|
if (ptr + 2 + ptr[1] > end) {
|
|
wpa_printf(MSG_DEBUG, "WNM: Invalid Key Data element "
|