From 5b42cb6cdaa49b2222740dc3f6cc7701373f56c7 Mon Sep 17 00:00:00 2001
From: Denis Kenzior
Date: Tue, 10 May 2022 10:01:21 -0500
Subject: [PATCH] eapol: Drop unexpectedly unencrypted PTK 1/4 frames

After the initial handshake, once the TK has been installed, all frames coming from the AP should be encrypted. However, it seems that some kernel/driver combinations allow unencrypted EAPoL frames to be received and forwarded to userspace. This can lead to a denial-of-service attack where receipt of an invalid, unencrypted EAPoL 1/4 frame generated by an adversary results in iwd terminating an ongoing connection.

Some drivers can report whether the EAPoL frame has been received unencrypted. Use this information to drop unencrypted PTK 1/4 frames received after the initial handshake has been completed.

Reported-by: Domien Schepers
---
 src/eapol.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/eapol.c b/src/eapol.c
index 9373ef11..ff800053 100644
--- a/src/eapol.c
+++ b/src/eapol.c
@@ -1154,6 +1154,11 @@ static void eapol_handle_ptk_1_of_4(struct eapol_sm *sm,
 if (!eapol_verify_ptk_1_of_4(ek, sm->mic_len))
 return;
 
+ if (sm->handshake->ptk_complete && unencrypted) {
+ l_debug("Dropping unexpectedly unencrypted PTK 1/4 frame");
+ return;
+ }
+
 pmkid = handshake_util_find_pmkid_kde(EAPOL_KEY_DATA(ek, sm->mic_len),
 EAPOL_KEY_DATA_LEN(ek, sm->mic_len));
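Review bot: The new guard depends entirely on the driver setting `unencrypted`, so on kernel/driver combinations that forward plaintext EAPoL without flagging it a forged 1/4 received after `ptk_complete` still falls through to the PMKID/SNonce handling below, and nothing in the code tells a reader this is a best-effort mitigation rather than a full rejection. A short comment above the `if` would keep that visible, e.g. `/* After the TK is installed every AP frame must be encrypted; drop a 1/4 the driver flags as plaintext so it cannot tear down the connection (best-effort: only drivers that report the flag are covered) */`. It is also worth checking whether the other handlers that run after `ptk_complete` need the same drop, which I cannot see from this hunk. eapol_handle_ptk_1_of_4 begins and ends outside the hunk, and `unencrypted` appears to be a parameter of it that is not visible here.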