Kernel/iwd
3
0
Fork 0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-25 17:59:25 +01:00
Code Releases Activity

eapol: Drop unexpectedly unencrypted PTK 1/4 frames

Browse Source 
After the initial handshake, once the TK has been installed, all frames
coming from the AP should be encrypted.  However, it seems that some
kernel/driver combinations allow unencrypted EAPoL frames to be received
and forwarded to userspace.  This can lead to a denial-of-service attack
where receipt of an invalid, unencrypted EAPoL 1/4 frame generated by an
adversary results in iwd terminating an ongoing connection.

Some drivers can report whether the EAPoL frame has been received
unencrypted.  Use this information to drop unencrypted PTK 1/4 frames
received after the initial handshake has been completed.

Reported-by: Domien Schepers <schepers.d@northeastern.edu>
This commit is contained in:
Denis Kenzior 2022-05-10 10:01:21 -05:00
parent 1ef97e5cbc
commit 5b42cb6cda
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/eapol.c
View File

@ -1154,6 +1154,11 @@ static void eapol_handle_ptk_1_of_4(struct eapol_sm *sm,
if (!eapol_verify_ptk_1_of_4(ek, sm->mic_len))
return;
if (sm->handshake->ptk_complete && unencrypted) {
l_debug("Dropping unexpectedly unencrypted PTK 1/4 frame");
return;
}
pmkid = handshake_util_find_pmkid_kde(EAPOL_KEY_DATA(ek, sm->mic_len),
EAPOL_KEY_DATA_LEN(ek, sm->mic_len));