From 1ef97e5cbc0b78f121a97df7f7dae5cff939c8f0 Mon Sep 17 00:00:00 2001
From: Denis Kenzior
Date: Mon, 9 May 2022 16:21:49 -0500
Subject: [PATCH] eapol: Silently discard invalid EAPoL frames Do not fail an ongoing handshake when an invalid EAPoL frame is received. Instead, follow the intent of 802.11-2020 section 12.7.2: "EAPOL-Key frames containing invalid field values shall be silently discarded." This prevents a denial-of-service attack where receipt of an invalid, unencrypted EAPoL 1/4 frame generated by an adversary results in iwd terminating an ongoing connection.
Reported-by: Domien Schepers
---
 src/eapol.c | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/src/eapol.c b/src/eapol.c
index e2c99991..9373ef11 100644
--- a/src/eapol.c
+++ b/src/eapol.c
@@ -1152,7 +1152,7 @@ static void eapol_handle_ptk_1_of_4(struct eapol_sm *sm,
 l_debug("ifindex=%u", sm->handshake->ifindex);
 if (!eapol_verify_ptk_1_of_4(ek, sm->mic_len))
- goto error_unspecified;
+ return;
 pmkid = handshake_util_find_pmkid_kde(EAPOL_KEY_DATA(ek, sm->mic_len), EAPOL_KEY_DATA_LEN(ek, sm->mic_len));
@@ -1676,10 +1676,8 @@ static void eapol_handle_ptk_3_of_4(struct eapol_sm *sm,
 l_debug("ifindex=%u", hs->ifindex);
- if (!eapol_verify_ptk_3_of_4(ek, hs->wpa_ie, sm->mic_len)) {
- handshake_failed(sm, MMPDU_REASON_CODE_UNSPECIFIED);
+ if (!eapol_verify_ptk_3_of_4(ek, hs->wpa_ie, sm->mic_len))
 return;
- }
 /*
 * 802.11-2016, Section 12.7.6.4:
@@ -2086,10 +2084,8 @@ static void eapol_handle_gtk_1_of_2(struct eapol_sm *sm,
 l_debug("ifindex=%u", hs->ifindex);
- if (!eapol_verify_gtk_1_of_2(ek, hs->wpa_ie, sm->mic_len)) {
- handshake_failed(sm, MMPDU_REASON_CODE_UNSPECIFIED);
+ if (!eapol_verify_gtk_1_of_2(ek, hs->wpa_ie, sm->mic_len))
 return;
- }
 oci = handshake_util_find_kde(HANDSHAKE_KDE_OCI, decrypted_key_data, decrypted_key_data_size, &oci_len);
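Review bot: The new `return;` after `eapol_verify_ptk_1_of_4()` drops the frame without leaving any local trace, so repeated invalid 1/4 frames of the kind the commit message describes stay invisible to whoever is debugging or monitoring the handshake. A debug-level line before the return keeps the discard silent on the air but observable on the host, e.g. `if (!eapol_verify_ptk_1_of_4(ek, sm->mic_len)) { l_debug("Discarding invalid EAPoL-Key 1/4 frame"); return; }`. The bare `return;` paths in eapol_handle_ptk_3_of_4 and eapol_handle_gtk_1_of_2 in the next two hunks are equally silent. The function body starts and ends outside this hunk, so whether the verify helper already logs its own reason cannot be seen here.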
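Review bot: The check in eapol_handle_ptk_3_of_4 now returns without failing the handshake, but the code does not say why, even though the block comment directly below it cites its clause (802.11-2016, Section 12.7.6.4). I would add a comment above the `if`, such as `/* 802.11-2020, Section 12.7.2: EAPOL-Key frames containing invalid field values shall be silently discarded */`, so that a later reader does not restore `handshake_failed()` as an apparently missing error path. The same comment fits the checks in the first and third hunks. The function continues outside this hunk.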