Commit 8bb1a68c authored by Leo's avatar Leo
Browse files

main/hostapd: fix CVE-2020-12695

See #11626
parent a9034d49
From 5b78c8f961f25f4dc22d6f2b77ddd06d712cec63 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Wed, 3 Jun 2020 23:17:35 +0300
Subject: [PATCH 1/3] WPS UPnP: Do not allow event subscriptions with URLs to
other networks
The UPnP Device Architecture 2.0 specification errata ("UDA errata
16-04-2020.docx") addresses a problem with notifications being allowed
to go out to other domains by disallowing such cases. Do such filtering
for the notification callback URLs to avoid undesired connections to
external networks based on subscriptions that any device in the local
network could request when WPS support for external registrars is
enabled (the upnp_iface parameter in hostapd configuration).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
src/wps/wps_er.c | 2 +-
src/wps/wps_upnp.c | 38 ++++++++++++++++++++++++++++++++++++--
src/wps/wps_upnp_i.h | 3 ++-
3 files changed, 39 insertions(+), 4 deletions(-)
diff --git a/src/wps/wps_er.c b/src/wps/wps_er.c
index 6bded14327f8..31d2e50e4cff 100644
--- a/src/wps/wps_er.c
+++ b/src/wps/wps_er.c
@@ -1298,7 +1298,7 @@ wps_er_init(struct wps_context *wps, const char *ifname, const char *filter)
"with %s", filter);
}
if (get_netif_info(er->ifname, &er->ip_addr, &er->ip_addr_text,
- er->mac_addr)) {
+ NULL, er->mac_addr)) {
wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
"for %s. Does it have IP address?", er->ifname);
wps_er_deinit(er, NULL, NULL);
diff --git a/src/wps/wps_upnp.c b/src/wps/wps_upnp.c
index 6e10e4bc0c3f..7d4b7439940e 100644
--- a/src/wps/wps_upnp.c
+++ b/src/wps/wps_upnp.c
@@ -303,6 +303,14 @@ static void subscr_addr_free_all(struct subscription *s)
}
+static int local_network_addr(struct upnp_wps_device_sm *sm,
+ struct sockaddr_in *addr)
+{
+ return (addr->sin_addr.s_addr & sm->netmask.s_addr) ==
+ (sm->ip_addr & sm->netmask.s_addr);
+}
+
+
/* subscr_addr_add_url -- add address(es) for one url to subscription */
static void subscr_addr_add_url(struct subscription *s, const char *url,
size_t url_len)
@@ -381,6 +389,7 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
for (rp = result; rp; rp = rp->ai_next) {
struct subscr_addr *a;
+ struct sockaddr_in *addr = (struct sockaddr_in *) rp->ai_addr;
/* Limit no. of address to avoid denial of service attack */
if (dl_list_len(&s->addr_list) >= MAX_ADDR_PER_SUBSCRIPTION) {
@@ -389,6 +398,13 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
break;
}
+ if (!local_network_addr(s->sm, addr)) {
+ wpa_printf(MSG_INFO,
+ "WPS UPnP: Ignore a delivery URL that points to another network %s",
+ inet_ntoa(addr->sin_addr));
+ continue;
+ }
+
a = os_zalloc(sizeof(*a) + alloc_len);
if (a == NULL)
break;
@@ -890,11 +906,12 @@ static int eth_get(const char *device, u8 ea[ETH_ALEN])
* @net_if: Selected network interface name
* @ip_addr: Buffer for returning IP address in network byte order
* @ip_addr_text: Buffer for returning a pointer to allocated IP address text
+ * @netmask: Buffer for returning netmask or %NULL if not needed
* @mac: Buffer for returning MAC address
* Returns: 0 on success, -1 on failure
*/
int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
- u8 mac[ETH_ALEN])
+ struct in_addr *netmask, u8 mac[ETH_ALEN])
{
struct ifreq req;
int sock = -1;
@@ -920,6 +937,19 @@ int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
in_addr.s_addr = *ip_addr;
os_snprintf(*ip_addr_text, 16, "%s", inet_ntoa(in_addr));
+ if (netmask) {
+ os_memset(&req, 0, sizeof(req));
+ os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
+ if (ioctl(sock, SIOCGIFNETMASK, &req) < 0) {
+ wpa_printf(MSG_ERROR,
+ "WPS UPnP: SIOCGIFNETMASK failed: %d (%s)",
+ errno, strerror(errno));
+ goto fail;
+ }
+ addr = (struct sockaddr_in *) &req.ifr_netmask;
+ netmask->s_addr = addr->sin_addr.s_addr;
+ }
+
#ifdef __linux__
os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
if (ioctl(sock, SIOCGIFHWADDR, &req) < 0) {
@@ -1026,11 +1056,15 @@ static int upnp_wps_device_start(struct upnp_wps_device_sm *sm, char *net_if)
/* Determine which IP and mac address we're using */
if (get_netif_info(net_if, &sm->ip_addr, &sm->ip_addr_text,
- sm->mac_addr)) {
+ &sm->netmask, sm->mac_addr)) {
wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
"for %s. Does it have IP address?", net_if);
goto fail;
}
+ wpa_printf(MSG_DEBUG, "WPS UPnP: Local IP address %s netmask %s hwaddr "
+ MACSTR,
+ sm->ip_addr_text, inet_ntoa(sm->netmask),
+ MAC2STR(sm->mac_addr));
/* Listen for incoming TCP connections so that others
* can fetch our "xml files" from us.
diff --git a/src/wps/wps_upnp_i.h b/src/wps/wps_upnp_i.h
index e87a93232df1..6ead7b4e9a30 100644
--- a/src/wps/wps_upnp_i.h
+++ b/src/wps/wps_upnp_i.h
@@ -128,6 +128,7 @@ struct upnp_wps_device_sm {
u8 mac_addr[ETH_ALEN]; /* mac addr of network i.f. we use */
char *ip_addr_text; /* IP address of network i.f. we use */
unsigned ip_addr; /* IP address of network i.f. we use (host order) */
+ struct in_addr netmask;
int multicast_sd; /* send multicast messages over this socket */
int ssdp_sd; /* receive discovery UPD packets on socket */
int ssdp_sd_registered; /* nonzero if we must unregister */
@@ -158,7 +159,7 @@ struct subscription * subscription_find(struct upnp_wps_device_sm *sm,
const u8 uuid[UUID_LEN]);
void subscr_addr_delete(struct subscr_addr *a);
int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
- u8 mac[ETH_ALEN]);
+ struct in_addr *netmask, u8 mac[ETH_ALEN]);
/* wps_upnp_ssdp.c */
void msearchreply_state_machine_stop(struct advertisement_state_machine *a);
--
2.20.1
From f7d268864a2660b7239b9a8ff5ad37faeeb751ba Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Wed, 3 Jun 2020 22:41:02 +0300
Subject: [PATCH 2/3] WPS UPnP: Fix event message generation using a long URL
path
More than about 700 character URL ended up overflowing the wpabuf used
for building the event notification and this resulted in the wpabuf
buffer overflow checks terminating the hostapd process. Fix this by
allocating the buffer to be large enough to contain the full URL path.
However, since that around 700 character limit has been the practical
limit for more than ten years, start explicitly enforcing that as the
limit or the callback URLs since any longer ones had not worked before
and there is no need to enable them now either.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
src/wps/wps_upnp.c | 9 +++++++--
src/wps/wps_upnp_event.c | 3 ++-
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/wps/wps_upnp.c b/src/wps/wps_upnp.c
index 7d4b7439940e..ab685d52ecab 100644
--- a/src/wps/wps_upnp.c
+++ b/src/wps/wps_upnp.c
@@ -328,9 +328,14 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
int rerr;
size_t host_len, path_len;
- /* url MUST begin with http: */
- if (url_len < 7 || os_strncasecmp(url, "http://", 7))
+ /* URL MUST begin with HTTP scheme. In addition, limit the length of
+ * the URL to 700 characters which is around the limit that was
+ * implicitly enforced for more than 10 years due to a bug in
+ * generating the event messages. */
+ if (url_len < 7 || os_strncasecmp(url, "http://", 7) || url_len > 700) {
+ wpa_printf(MSG_DEBUG, "WPS UPnP: Reject an unacceptable URL");
goto fail;
+ }
url += 7;
url_len -= 7;
diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
index d7e6edcc6503..08a23612f338 100644
--- a/src/wps/wps_upnp_event.c
+++ b/src/wps/wps_upnp_event.c
@@ -147,7 +147,8 @@ static struct wpabuf * event_build_message(struct wps_event_ *e)
struct wpabuf *buf;
char *b;
- buf = wpabuf_alloc(1000 + wpabuf_len(e->data));
+ buf = wpabuf_alloc(1000 + os_strlen(e->addr->path) +
+ wpabuf_len(e->data));
if (buf == NULL)
return NULL;
wpabuf_printf(buf, "NOTIFY %s HTTP/1.1\r\n", e->addr->path);
--
2.20.1
From 85aac526af8612c21b3117dadc8ef5944985b476 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Thu, 4 Jun 2020 21:24:04 +0300
Subject: [PATCH 3/3] WPS UPnP: Handle HTTP initiation failures for events more
properly
While it is appropriate to try to retransmit the event to another
callback URL on a failure to initiate the HTTP client connection, there
is no point in trying the exact same operation multiple times in a row.
Replve the event_retry() calls with event_addr_failure() for these cases
to avoid busy loops trying to repeat the same failing operation.
These potential busy loops would go through eloop callbacks, so the
process is not completely stuck on handling them, but unnecessary CPU
would be used to process the continues retries that will keep failing
for the same reason.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
src/wps/wps_upnp_event.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
index 08a23612f338..c0d9e41d9a38 100644
--- a/src/wps/wps_upnp_event.c
+++ b/src/wps/wps_upnp_event.c
@@ -294,7 +294,7 @@ static int event_send_start(struct subscription *s)
buf = event_build_message(e);
if (buf == NULL) {
- event_retry(e, 0);
+ event_addr_failure(e);
return -1;
}
@@ -302,7 +302,7 @@ static int event_send_start(struct subscription *s)
event_http_cb, e);
if (e->http_event == NULL) {
wpabuf_free(buf);
- event_retry(e, 0);
+ event_addr_failure(e);
return -1;
}
--
2.20.1
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=hostapd
pkgver=2.7
pkgrel=5
pkgrel=6
pkgdesc="daemon for wireless software access points"
url="http://hostap.epitest.fi/hostapd/"
arch="all"
......@@ -36,15 +36,21 @@ patches="CVE-2012-4445.patch
0024-SAE-Reject-unsuitable-groups-based-on-REVmd-changes.patch
0025-dragonfly-Disable-use-of-groups-using-Brainpool-curv.patch
CVE-2019-16275.patch
"
source="http://hostap.epitest.fi/releases/$pkgname-$pkgver.tar.gz
0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
"
source="https://w1.fi/releases/$pkgname-$pkgver.tar.gz
$patches
$pkgname.initd
$pkgname.confd"
$pkgname.confd
"
options="!check" #no testsuite
builddir="$srcdir"/$pkgname-$pkgver/hostapd
# secfixes:
# 2.7-r6:
# - CVE-2020-12695
# 2.7-r5:
# - CVE-2019-16275
# 2.7-r4:
......@@ -69,10 +75,14 @@ builddir="$srcdir"/$pkgname-$pkgver/hostapd
prepare() {
local conf="$builddir/.config"
# This is required because our builddir is the hostapd/ directory
# inside the extracted archive, while patches mostly apply against
# the src/ directory that is in the same directory as the hostapd/
# one is
cd "$builddir"/..
for i in $patches; do
msg $i
patch -p1 -i "$srcdir"/$i
for i in "$srcdir"/*.patch; do
msg "Applying $i..."
patch -p1 -i $i
done
cd "$builddir"
......@@ -153,5 +163,8 @@ bcae73930c35d441c5615970c305abb3dff293fdec16df50823e57419b22d1aac0e780970619e0c7
da5f4248a0173cd7d07972b760631a8dc26f258e7b5be059c0d7de26e17f668945a62d2afce01ed1a1e9df6c55f9fd6ee344d4f006f5564b90a25e90e1e7c704 0024-SAE-Reject-unsuitable-groups-based-on-REVmd-changes.patch
4734a8ab8ba1e91fc9e3d729f34527c14c291df238b02adea5acc04b0361b41d4bffca2fb13a4f464e9f007fa624117af4f50d755cb41a3129b4868da91bdf9a 0025-dragonfly-Disable-use-of-groups-using-Brainpool-curv.patch
63710cfb0992f2c346a9807d8c97cbeaed032fa376a0e93a2e56f7742ce515e9c4dfadbdb1af03ba272281f639aab832f0178f67634c222a5d99e1d462aa9e38 CVE-2019-16275.patch
b76bbca282a74ef16c0303e5dbd2ccd33a62461595964d52c1481b0bfa4f41deacde56830b85409b288803b87ceb6f33cf0ccc69c5b17ec632c2d4784b872f3c 0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
00cc739e78c42353a555c0de2f29defecff372927040e14407a231d1ead7ff32a37c9fd46bea7cdf1c24e3ac891bc3d483800d44fc6d2c8a12d2ae886523b12c 0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
69243af20cdcfa837c51917a3723779f4825e11436fb83311355b4ffe8f7a4b7a5747a976f7bf923038c410c9e9055b13b866d9a396913ad08bdec3a70e9f6e0 0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
b54b7c6aa17e5cb86a9b354a516eb2dbefb544df18471339c61d82776de447011a2ac290bea1e6c8beae4b6cebefafb8174683ea42fb773e9e8fe6c679f33ba3 hostapd.initd
0882263bbd7c0b05bf51f51d66e11a23a0b8ca7da2a3b8a30166d2c5f044c0c134e6bccb1d02c9e81819ca8fb0c0fb55c7121a08fe7233ccaa73ff8ab9a238fe hostapd.confd"
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment