From ccdea73df2f5476b3f5695962d269650d11f421f Mon Sep 17 00:00:00 2001
From: Denis Kenzior
Date: Tue, 10 May 2022 12:22:12 -0500
Subject: [PATCH] eapol: Drop unexpectedly unencrypted EAP frames

After the initial handshake, once the TK has been installed, all frames coming from the AP should be encrypted. However, it seems that some kernel/driver combinations allow unencrypted EAPoL frames to be received and forwarded to userspace. This can lead to a denial-of-service attack where receipt of an invalid, unencrypted EAP-Failure frame generated by an adversary results in iwd terminating an ongoing connection.

Some drivers can report whether the EAPoL frame has been received unencrypted. Use this information to drop unencrypted EAP frames received after the initial handshake has been completed.

Reported-by: Domien Schepers
---
 src/eapol.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/eapol.c b/src/eapol.c
index ff800053..45bfaa8a 100644
--- a/src/eapol.c
+++ b/src/eapol.c
@@ -2620,6 +2620,11 @@ static void eapol_rx_packet(uint16_t proto, const uint8_t *from,
 
 	switch (frame->header.packet_type) {
 	case 0: /* EAPOL-EAP */
+		if (sm->handshake->ptk_complete && unencrypted) {
+			l_debug("Dropping unexpected unencrypted EAP frame");
+			return;
+		}
+
 		l_timeout_remove(sm->eapol_start_timeout);
 		sm->eapol_start_timeout = 0;
 
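Review bot: The new guard in the `case 0` branch is only as strong as the `unencrypted` flag it reads, and per the commit message that flag is set by some drivers but not all, so on a driver that never reports it this check is a no-op and the EAP-Failure denial-of-service described above is still reachable; nothing at the check documents that limitation. A short comment above the `if` would stop a later reader from assuming the mitigation is complete, e.g. `/* unencrypted is driver-reported; drivers that cannot flag it leave this check inert */`. Consider also whether the drop deserves more than `l_debug`, since a post-handshake unencrypted EAP frame is exactly the adversarial event the commit is defending against and an operator tracing a flapping connection would want it visible. The enclosing function `eapol_rx_packet` begins before this hunk and continues after it, so whether the other `packet_type` cases need the same gate is not visible here.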