From 6e0d26671352b84fe8babc53910c2139530ca3526f2df02439cab5a43f5025c7 Mon Sep 17 00:00:00 2001
From: Dirk Mueller <dmueller@suse.com>
Date: Mon, 27 Apr 2020 10:18:42 +0000
Subject: [PATCH] Accepting request 797132 from
 home:cfconrad:branches:Base:System

- Add CVE-2019-16275.patch -- AP mode PMF disconnection protection bypass
  (bsc#1150934)

OBS-URL: https://build.opensuse.org/request/show/797132
OBS-URL: https://build.opensuse.org/package/show/Base:System/hostapd?expand=0&rev=55
---
 CVE-2019-16275.patch | 73 ++++++++++++++++++++++++++++++++++++++++++++
 hostapd.changes      |  6 ++++
 hostapd.spec         |  4 ++-
 3 files changed, 82 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-16275.patch

diff --git a/CVE-2019-16275.patch b/CVE-2019-16275.patch
new file mode 100644
index 0000000..4f9c566
--- /dev/null
+++ b/CVE-2019-16275.patch
@@ -0,0 +1,73 @@
+From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Thu, 29 Aug 2019 11:52:04 +0300
+Subject: [PATCH] AP: Silently ignore management frame from unexpected source
+ address
+
+Do not process any received Management frames with unexpected/invalid SA
+so that we do not add any state for unexpected STA addresses or end up
+sending out frames to unexpected destination. This prevents unexpected
+sequences where an unprotected frame might end up causing the AP to send
+out a response to another device and that other device processing the
+unexpected response.
+
+In particular, this prevents some potential denial of service cases
+where the unexpected response frame from the AP might result in a
+connected station dropping its association.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/drv_callbacks.c | 13 +++++++++++++
+ src/ap/ieee802_11.c    | 12 ++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
+index 31587685fe3b..34ca379edc3d 100644
+--- a/src/ap/drv_callbacks.c
++++ b/src/ap/drv_callbacks.c
+@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
+ 			   "hostapd_notif_assoc: Skip event with no address");
+ 		return -1;
+ 	}
++
++	if (is_multicast_ether_addr(addr) ||
++	    is_zero_ether_addr(addr) ||
++	    os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
++		/* Do not process any frames with unexpected/invalid SA so that
++		 * we do not add any state for unexpected STA addresses or end
++		 * up sending out frames to unexpected destination. */
++		wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
++			   " in received indication - ignore this indication silently",
++			   __func__, MAC2STR(addr));
++		return 0;
++	}
++
+ 	random_add_randomness(addr, ETH_ALEN);
+ 
+ 	hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index c85a28db44b7..e7065372e158 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
+ 	fc = le_to_host16(mgmt->frame_control);
+ 	stype = WLAN_FC_GET_STYPE(fc);
+ 
++	if (is_multicast_ether_addr(mgmt->sa) ||
++	    is_zero_ether_addr(mgmt->sa) ||
++	    os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
++		/* Do not process any frames with unexpected/invalid SA so that
++		 * we do not add any state for unexpected STA addresses or end
++		 * up sending out frames to unexpected destination. */
++		wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
++			   " in received frame - ignore this frame silently",
++			   MAC2STR(mgmt->sa));
++		return 0;
++	}
++
+ 	if (stype == WLAN_FC_STYPE_BEACON) {
+ 		handle_beacon(hapd, mgmt, len, fi);
+ 		return 1;
+-- 
+2.20.1
+
diff --git a/hostapd.changes b/hostapd.changes
index bc1c0d9..5b6450f 100644
--- a/hostapd.changes
+++ b/hostapd.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Apr 23 22:14:35 UTC 2020 - Clemens Famulla-Conrad <cfamullaconrad@suse.com>
+
+- Add CVE-2019-16275.patch -- AP mode PMF disconnection protection bypass
+  (bsc#1150934) 
+
 -------------------------------------------------------------------
 Thu Sep  5 17:58:05 UTC 2019 - Michael Ströder <michael@stroeder.com>
 
diff --git a/hostapd.spec b/hostapd.spec
index 7b24f65..4a14a29 100644
--- a/hostapd.spec
+++ b/hostapd.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package hostapd
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,6 +29,7 @@ Source1:        https://w1.fi/releases/hostapd-%{version}.tar.gz.asc
 Source2:        %{name}.keyring
 Source3:        config
 Source4:        hostapd.service
+Patch1:         CVE-2019-16275.patch
 BuildRequires:  libnl3-devel
 BuildRequires:  openssl-devel
 BuildRequires:  pkgconfig
@@ -48,6 +49,7 @@ authentication via any ethernet driver.
 %prep
 %setup -q
 cp %{SOURCE3} hostapd/.config
+%autopatch -p1
 
 %build
 cd hostapd