[wpa_supplicant] Cherry-pick security fixes (April 29, 2019)
09ab81b9e WPA: Clear authenticator keys for a STA on deinit/disconnection
7958223fd EAP-pwd: Use const_time_memcmp() for pwd_value >= prime comparison
8e14b030e SAE: Use const_time_memcmp() for pwd_value >= prime comparison
c3805fb62 Ignore channel switch event if AP interface is not yet ready
eb314e8af Verify that channel info is available in hostapd_hw_get_channel()
b9058266f Clear cached extended_capa pointers on hapd_deinit() call
Bug: 129344244
Test: Connect to SAE network
Test: Connect to EAP network
Test: Enable/disable SoftAP
Test: Regression test (Bug: 131703857)
Change-Id: Iac0d8a7972b905da0d0f0f7414f1eea910b8986b
diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
index 8ddf754..952a3d5 100644
--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
@@ -787,6 +787,13 @@
freq, ht, hapd->iconf->ch_switch_vht_config, offset,
width, channel_width_to_string(width), cf1, cf2);
+ if (!hapd->iface->current_mode) {
+ hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE80211,
+ HOSTAPD_LEVEL_WARNING,
+ "ignore channel switch since the interface is not yet ready");
+ return;
+ }
+
hapd->iface->freq = freq;
channel = hostapd_hw_get_channel(hapd, freq);
diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
index 20c8e8f..0bd6892 100644
--- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c
@@ -2486,8 +2486,12 @@
wpa_printf(MSG_DEBUG, "%s:bss[%d]->drv_priv=%p",
__func__, (int) j,
hapd_iface->bss[j]->drv_priv);
- if (hapd_iface->bss[j]->drv_priv == drv_priv)
+ if (hapd_iface->bss[j]->drv_priv == drv_priv) {
hapd_iface->bss[j]->drv_priv = NULL;
+ hapd_iface->extended_capa = NULL;
+ hapd_iface->extended_capa_mask = NULL;
+ hapd_iface->extended_capa_len = 0;
+ }
}
}
}
diff --git a/src/ap/hw_features.c b/src/ap/hw_features.c
index 9d3d990..8ac33bb 100644
--- a/src/ap/hw_features.c
+++ b/src/ap/hw_features.c
@@ -936,11 +936,16 @@
int i, channel;
struct hostapd_hw_modes *mode;
- channel = hw_get_chan(hapd->iface->current_mode, freq);
- if (channel)
- return channel;
+ if (hapd->iface->current_mode) {
+ channel = hw_get_chan(hapd->iface->current_mode, freq);
+ if (channel)
+ return channel;
+ }
+
/* Check other available modes since the channel list for the current
* mode did not include the specified frequency. */
+ if (!hapd->iface->hw_features)
+ return 0;
for (i = 0; i < hapd->iface->num_hw_features; i++) {
mode = &hapd->iface->hw_features[i];
channel = hw_get_chan(mode, freq);
diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index 616b205..e89a716 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -699,7 +699,7 @@
#ifdef CONFIG_DPP2
wpabuf_clear_free(sm->dpp_z);
#endif /* CONFIG_DPP2 */
- os_free(sm);
+ bin_clear_free(sm, sizeof(*sm));
}
@@ -1730,6 +1730,12 @@
case WPA_DEAUTH:
case WPA_DISASSOC:
sm->DeauthenticationRequest = TRUE;
+#ifdef CONFIG_IEEE80211R_AP
+ os_memset(sm->PMK, 0, sizeof(sm->PMK));
+ sm->pmk_len = 0;
+ os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
+ sm->xxkey_len = 0;
+#endif /* CONFIG_IEEE80211R_AP */
break;
case WPA_REAUTH:
case WPA_REAUTH_EAPOL: