Norman Henderson | 6 May 20:10 2015

Intermittent "failed to stop TX DMA"

Hi, I am getting intermittent messages (a burst e.g. 6 in a 5 min period then nothing for an hour or more):
ath: phy0: Failed to stop TX DMA, queues = 0x002! (or 008 or 00a or 100 or 102 or...) 

Initially I was running on a Dell Optiplex 390, Ubuntu 14.04.2/ hostapd 2.1/ ath9k (all stock, as distributed via Ubuntu). All fully patched (kernel 3.16.0-36-generic). Then I installed the latest backports stable version of ath9k and the messages seemed to be less frequent - but didn't go away.

The wireless card is a DLink DWA-566 (AR-9300) - pretty basic.

Can anyone tell me what I am dealing with here? Is this a problem or just log spam? Is there a way to fix it?

Thanks, Norm
_______________________________________________
HostAP mailing list
HostAP <at> lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/hostap
Michael Braun | 6 May 13:44 2015

[PATCH] vlan: print libnl error message on vlan_add / vlan_del

Signed-off-by: Michael Braun <michael-dev <at> fami-braun.de>

v2: resent with Signed-off-by line
---
 src/ap/vlan_util.c | 51 +++++++++++++++++++++++++++++----------------------
 1 file changed, 29 insertions(+), 22 deletions(-)

diff --git a/src/ap/vlan_util.c b/src/ap/vlan_util.c
index cc54051..b1facfa 100644
--- a/src/ap/vlan_util.c
+++ b/src/ap/vlan_util.c
 <at>  <at>  -31,7 +31,7  <at>  <at> 
 */
 int vlan_add(const char *if_name, int vid, const char *vlan_if_name)
 {
-	int ret = -1;
+	int err, ret = -1;
 	struct nl_sock *handle = NULL;
 	struct nl_cache *cache = NULL;
 	struct rtnl_link *rlink = NULL;
 <at>  <at>  -58,21 +58,23  <at>  <at>  int vlan_add(const char *if_name, int vid, const char *vlan_if_name)
 		goto vlan_add_error;
 	}

-	if (nl_connect(handle, NETLINK_ROUTE) < 0) {
-		wpa_printf(MSG_ERROR, "VLAN: failed to connect to netlink");
+	if ((err = nl_connect(handle, NETLINK_ROUTE)) < 0) {
+		wpa_printf(MSG_ERROR, "VLAN: failed to connect to netlink: %s",
+			   nl_geterror(err));
 		goto vlan_add_error;
 	}

-	if (rtnl_link_alloc_cache(handle, AF_UNSPEC, &cache) < 0) {
+	if ((err = rtnl_link_alloc_cache(handle, AF_UNSPEC, &cache)) < 0) {
 		cache = NULL;
-		wpa_printf(MSG_ERROR, "VLAN: failed to alloc cache");
+		wpa_printf(MSG_ERROR, "VLAN: failed to alloc cache: %s",
+			   nl_geterror(err));
 		goto vlan_add_error;
 	}

 	if (!(if_idx = rtnl_link_name2i(cache, if_name))) {
 		/* link does not exist */
-		wpa_printf(MSG_ERROR, "VLAN: interface %s does not exist",
-			   if_name);
+		wpa_printf(MSG_ERROR, "VLAN: interface %s does not exist: %s",
+			   if_name, nl_geterror(err));
 		goto vlan_add_error;
 	}

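Review bot: the rtnl_link_name2i() branch (the "interface %s does not exist" message) now prints nl_geterror(err) although nothing on that path assigns err: rtnl_link_name2i() returns 0 when the name is not found, so err still holds whatever rtnl_link_alloc_cache() returned and the message would carry a stale, unrelated libnl string. Keep the original two-line message for this case (`"VLAN: interface %s does not exist", if_name`) and reserve nl_geterror() for the calls that actually return a libnl error code.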
 <at>  <at>  -92,23 +94,26  <at>  <at>  int vlan_add(const char *if_name, int vid, const char *vlan_if_name)
 		goto vlan_add_error;
 	}

-	if (rtnl_link_set_type(rlink, "vlan") < 0) {
-		wpa_printf(MSG_ERROR, "VLAN: failed to set link type");
+	if ((err = rtnl_link_set_type(rlink, "vlan")) < 0) {
+		wpa_printf(MSG_ERROR, "VLAN: failed to set link type: %s",
+			   nl_geterror(err));
 		goto vlan_add_error;
 	}

 	rtnl_link_set_link(rlink, if_idx);
 	rtnl_link_set_name(rlink, vlan_if_name);

-	if (rtnl_link_vlan_set_id(rlink, vid) < 0) {
-		wpa_printf(MSG_ERROR, "VLAN: failed to set link vlan id");
+	if ((err = rtnl_link_vlan_set_id(rlink, vid)) < 0) {
+		wpa_printf(MSG_ERROR, "VLAN: failed to set link vlan id: %s",
+			   nl_geterror(err));
 		goto vlan_add_error;
 	}

-	if (rtnl_link_add(handle, rlink, NLM_F_CREATE) < 0) {
+	if ((err = rtnl_link_add(handle, rlink, NLM_F_CREATE)) < 0) {
 		wpa_printf(MSG_ERROR, "VLAN: failed to create link %s for "
-			   "vlan %d on %s (%d)",
-			   vlan_if_name, vid, if_name, if_idx);
+			   "vlan %d on %s (%d): %s",
+			   vlan_if_name, vid, if_name, if_idx,
+			   nl_geterror(err));
 		goto vlan_add_error;
 	}

 <at>  <at>  -127,7 +132,7  <at>  <at>  vlan_add_error:

 int vlan_rem(const char *if_name)
 {
-	int ret = -1;
+	int err, ret = -1;
 	struct nl_sock *handle = NULL;
 	struct nl_cache *cache = NULL;
 	struct rtnl_link *rlink = NULL;
 <at>  <at>  -140,14 +145,16  <at>  <at>  int vlan_rem(const char *if_name)
 		goto vlan_rem_error;
 	}

-	if (nl_connect(handle, NETLINK_ROUTE) < 0) {
-		wpa_printf(MSG_ERROR, "VLAN: failed to connect to netlink");
+	if ((err = nl_connect(handle, NETLINK_ROUTE)) < 0) {
+		wpa_printf(MSG_ERROR, "VLAN: failed to connect to netlink: %s",
+			   nl_geterror(err));
 		goto vlan_rem_error;
 	}

-	if (rtnl_link_alloc_cache(handle, AF_UNSPEC, &cache) < 0) {
+	if ((err = rtnl_link_alloc_cache(handle, AF_UNSPEC, &cache)) < 0) {
 		cache = NULL;
-		wpa_printf(MSG_ERROR, "VLAN: failed to alloc cache");
+		wpa_printf(MSG_ERROR, "VLAN: failed to alloc cache: %s",
+			   nl_geterror(err));
 		goto vlan_rem_error;
 	}

 <at>  <at>  -158,9 +165,9  <at>  <at>  int vlan_rem(const char *if_name)
 		goto vlan_rem_error;
 	}

-	if (rtnl_link_delete(handle, rlink) < 0) {
-		wpa_printf(MSG_ERROR, "VLAN: failed to remove link %s",
-			   if_name);
+	if ((err = rtnl_link_delete(handle, rlink)) < 0) {
+		wpa_printf(MSG_ERROR, "VLAN: failed to remove link %s: %s",
+			   if_name, nl_geterror(err));
 		goto vlan_rem_error;
 	}

--

-- 
1.9.1
volker.obhof.w | 6 May 13:10 2015

Send neighbor request (radio measurement) action frame

I want to send a neighbor request frame.

I use Action Category 5 and action 4 for neighbor request but I don’t know if it really works because I can’t receive any action frame which should be sent with Wireshark.

In this code, wpa_drv_send_action returns 0, so I think the action frame should be sent.

Is the following debug output correct that wpa_supplicant sends an action frame?

  u8 *data;
  int result;

  data = os_zalloc(3);
  if (data != NULL && wpa_s != NULL) {
     data[0] = 0x05; /* action category: radio measurement */
     data[1] = 0x04; /* action: neighbor report request */
     data[2] = 0x00; /* dialog token */
     result = wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0,
                                  wpa_s->bssid, wpa_s->own_addr, wpa_s->bssid,
                                  data, 3, 0);
     if (result < 0)
        wpa_printf(MSG_DEBUG, "Failed to send Neighbor Request "
                              "(action=%d, intval=%d)", 0x04, 15);
  }
  os_free(data); /* the driver call does not keep a reference to data; free it rather than leak it */

I get the following Debug Output:

nl80211: Send Action frame (ifindex=4, freq=2462 MHz wait=0 ms no_cck=0)
nl80211: CMD_FRAME freq=2462 wait=0 no_cck=0 no_ack=0 offchanok=1
CMD_FRAME - hexdump(len=27): d0 00 00 00 00 0e 8e 45 02 bf 04 f0 21 01 3d 86 00 0e 8e 45 02 bf 00 00 05 04 00
nl80211: Frame TX command accepted; cookie 0xffff8805f374ed00
nl80211: Event message available
nl80211: Drv Event 60 (NL80211_CMD_FRAME_TX_STATUS) received for wlan0
nl80211: MLME event 60 (NL80211_CMD_FRAME_TX_STATUS) on wlan0(04:f0:21:01:3d:86) A1=00:0e:8e:45:02:bf A2=04:f0:21:01:3d:86
nl80211: MLME event frame - hexdump(len=27): d0 00 da 00 00 0e 8e 45 02 bf 04 f0 21 01 3d 86 00 0e 8e 45 02 bf a0 1d 05 04 00
nl80211: Frame TX status event
nl80211: Action TX status: cookie=0ffff8805f374ed00 (match) (ack=1)
wlan0: Event TX_STATUS (19) received
wlan0: EVENT_TX_STATUS dst=00:0e:8e:45:02:bf type=0 stype=13

SEW-EURODRIVE GmbH & Co KG
Limited partnership, registered office: Bruchsal, registry court Mannheim HRA 230970
General partner: SEW-EURODRIVE Verwaltungs-GmbH, registered office: Bruchsal, registry court Mannheim HRB 230207

Shareholders: Jürgen Blickle, Rainer Blickle
Managing directors: Jürgen Blickle (Chairman), Johann Soder, Dr. Jürgen Zanghellini
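To confirm what that CMD_FRAME hexdump carries, here is an added example (not code from the post or from wpa_supplicant) that decodes the 802.11 management header and the Action body of the two hexdumps in the debug output; the constants are named after wpa_supplicant's but defined locally, and the hexdump strings are copied from the output above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Names follow wpa_supplicant's conventions; values are defined locally here. */
#define IEEE80211_HDRLEN 24
#define WLAN_FC_TYPE_MGMT 0
#define WLAN_FC_STYPE_ACTION 13
#define WLAN_ACTION_RADIO_MEASUREMENT 5
#define WLAN_RRM_NEIGHBOR_REPORT_REQUEST 4

struct action_info {
	int type, stype;
	uint8_t da[6], sa[6], bssid[6];   /* A1, A2, A3 */
	uint16_t seq_ctrl;
	uint8_t category, action, dialog_token;
};

static int hexval(int c)
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	return -1;
}

/* Turn a wpa_printf-style "d0 00 ..." hexdump into bytes; returns 0 on bad input. */
size_t hexdump_to_bytes(const char *hex, uint8_t *out, size_t max)
{
	size_t n = 0;
	for (; *hex && n < max; hex += 2) {
		while (*hex == ' ') hex++;
		if (!*hex) break;
		int hi = hexval(hex[0]), lo = hexval(hex[1]);
		if (hi < 0 || lo < 0) return 0;
		out[n++] = (uint8_t) (hi << 4 | lo);
	}
	return n;
}

/* Decode the 802.11 management header and the Action body. Returns 0 when the
 * frame is a complete Radio Measurement / Neighbor Report Request, else -1. */
int parse_neighbor_report_request(const uint8_t *f, size_t len, struct action_info *o)
{
	if (len < IEEE80211_HDRLEN + 3)        /* header + Category, Action, Dialog Token */
		return -1;
	uint16_t fc = f[0] | (uint16_t) f[1] << 8;
	o->type = (fc >> 2) & 3;
	o->stype = (fc >> 4) & 0xf;
	if (o->type != WLAN_FC_TYPE_MGMT || o->stype != WLAN_FC_STYPE_ACTION)
		return -1;
	memcpy(o->da, f + 4, 6);
	memcpy(o->sa, f + 10, 6);
	memcpy(o->bssid, f + 16, 6);
	o->seq_ctrl = f[22] | (uint16_t) f[23] << 8;   /* sequence number is bits 4..15 */
	o->category = f[24], o->action = f[25], o->dialog_token = f[26];
	if (o->category != WLAN_ACTION_RADIO_MEASUREMENT ||
	    o->action != WLAN_RRM_NEIGHBOR_REPORT_REQUEST)
		return -1;
	return 0;
}

/* The two hexdumps from the debug output in the post: the frame passed to
 * CMD_FRAME and the copy echoed back in the TX status event. */
const char *cmd_frame_hex = "d0 00 00 00 00 0e 8e 45 02 bf 04 f0 21 01 3d 86 00 0e 8e 45 02 bf 00 00 05 04 00";
const char *tx_status_hex = "d0 00 da 00 00 0e 8e 45 02 bf 04 f0 21 01 3d 86 00 0e 8e 45 02 bf a0 1d 05 04 00";

int decode_and_check(const char *hex, struct action_info *info)
{
	uint8_t buf[64];
	size_t n = hexdump_to_bytes(hex, buf, sizeof(buf));
	return parse_neighbor_report_request(buf, n, info);
}
```

Both dumps decode to a category 5 (Radio Measurement), action 4 (Neighbor Report Request) frame with dialog token 0 addressed to the BSSID, which matches the type=0 stype=13 TX_STATUS event; the TX status copy differs only in the duration and sequence number fields the driver filled in.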
Matthias May | 6 May 09:18 2015

[PATCHv2] hostapd: check validity of cwmin/cwmax values

Signed-off-by: Matthias May <matthias.may <at> neratec.com>
---
 src/ap/ap_config.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index c44f70d..07fb9d2 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
 <at>  <at>  -842,6 +842,26  <at>  <at>  static int hostapd_config_check_bss(struct hostapd_bss_config *bss,
 	return 0;
 }

+int hostapd_config_check_cw(struct hostapd_config *conf, int queue)
+{
+	int tx_cwmin = conf->tx_queue[queue].cwmin;
+	int tx_cwmax = conf->tx_queue[queue].cwmax;
+	int ac_cwmin = conf->wmm_ac_params[queue].cwmin;
+	int ac_cwmax = conf->wmm_ac_params[queue].cwmax;
+
+	if (tx_cwmin > tx_cwmax) {
+		wpa_printf(MSG_ERROR, "Invalid TX queue cwMin/cwMax values. "
+		"cwMin(%d) greater than cwMax(%d)", tx_cwmin, tx_cwmax);
+		return -1;
+	}
+	if (ac_cwmin > ac_cwmax) {
+		wpa_printf(MSG_ERROR, "Invalid WMM ac cwMin/cwMax values. "
+		"cwMin(%d) greater than cwMax(%d)", ac_cwmin, ac_cwmax);
+		return -1;
+	}
+	return 0;
+}
+

 int hostapd_config_check(struct hostapd_config *conf, int full_config)
 {
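Review bot: hostapd_config_check_cw() is new, only called from this file and not declared in any header in this patch, so it should be `static`. Two style points in the same hunk: the continuation lines of both wpa_printf() calls (`"cwMin(%d) greater than cwMax(%d)", ...`) sit at the same indentation as the call instead of being aligned to the opening parenthesis as in the surrounding code, and the added `+` empty line before the unchanged empty line leaves two blank lines ahead of hostapd_config_check().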
 <at>  <at>  -872,6 +892,11  <at>  <at>  int hostapd_config_check(struct hostapd_config *conf, int full_config)
 		return -1;
 	}

+	for (i = 0; i < 4; i++) {
+		if (hostapd_config_check_cw(conf, i))
+			return -1;
+	}
+
 	for (i = 0; i < conf->num_bss; i++) {
 		if (hostapd_config_check_bss(conf->bss[i], conf, full_config))
 			return -1;
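Review bot: the loop bound `4` is a magic number; reuse or define the named constant that sizes conf->tx_queue and conf->wmm_ac_params so the check cannot run past either array if the queue count ever changes. The v2 message body also only carries the subject line; state in the commit message what is rejected (cwMin greater than cwMax) and why the check moved from the per-field parsers into hostapd_config_check().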
--

-- 
2.1.4
Matthias May | 5 May 15:55 2015

[PATCH] hostapd: check validity of cwmin/cwmax values

Add checks to ensure no invalid cwmin/cwmax parameter are set.

Signed-off-by: Matthias May <matthias.may <at> neratec.com>
---
 hostapd/config_file.c          | 5 +++++
 src/common/ieee802_11_common.c | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 0c1f401..a30260f 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
 <at>  <at>  -967,6 +967,11  <at>  <at>  static int hostapd_config_tx_queue(struct hostapd_config *conf, char *name,
 		wpa_printf(MSG_ERROR, "Unknown tx_queue field '%s'", pos);
 		return -1;
 	}
+	if (queue->cwmin > queue->cwmax) {
+		wpa_printf(MSG_ERROR, "Invalid TX queue cwMin/cwMax values. "
+		"min(%d) greater than max(%d)", queue->cwmin, queue->cwmax);
+		return -1;
+	}

 	return 0;
 }
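Review bot: this check sits inside hostapd_config_tx_queue(), which appears to handle one tx_queue_* field per call (the `Unknown tx_queue field '%s'` error just above is per field), so `queue->cwmin > queue->cwmax` compares the field just parsed with whatever the other field holds at that moment: a configuration that lists cwmin before cwmax can be rejected or accepted depending only on line order. The comparison belongs where both values are final, i.e. in the overall configuration validation, which is what the v2 of this patch above does; also indent the continuation string of the wpa_printf() to the opening parenthesis like the rest of the file.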
diff --git a/src/common/ieee802_11_common.c b/src/common/ieee802_11_common.c
index e23007a..c729c61 100644
--- a/src/common/ieee802_11_common.c
+++ b/src/common/ieee802_11_common.c
 <at>  <at>  -534,6 +534,11  <at>  <at>  int hostapd_config_wmm_ac(struct hostapd_wmm_ac_params wmm_ac_params[],
 		wpa_printf(MSG_ERROR, "Unknown wmm_ac_ field '%s'", pos);
 		return -1;
 	}
+	if (ac->cwmin > ac->cwmax) {
+		wpa_printf(MSG_ERROR, "Invalid WMM ac cwMin/cwMax values. "
+		"min(%d) greater than max(%d)", ac->cwmin, ac->cwmax);
+		return -1;
+	}

 	return 0;
 }
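Review bot: same ordering issue as in config_file.c: hostapd_config_wmm_ac() parses one wmm_ac_* field per call, so this cwmin/cwmax comparison depends on the order of lines in the configuration file rather than on the final values; move it to the post-parse validation and fix the wpa_printf() continuation indentation here too.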
--

-- 
2.1.4
Ilan Peer | 5 May 11:36 2015

[PATCH 00/17] Fix some tests to also work with a dedicate P2P Device

This series addresses some failures found when running the tests with a
configuration that always enables the usage of a dedicated P2P Device interface.

Ben Rosenfeld (15):
  tests: fix test_ap_pmf to use own_addr
  tests: change p2p_set_ssid_postfix() to use the group interface to get
    the ssid
  tests: change set_country() to use the global interface to get country
    event
  tests: change test_p2p_messages to use global interface
  tests: change test_p2p_persistent to use the global control interface
  tests: Remove all P2P networks in call to reset
  tests: change test_persistent_group_per_sta_psk() to use global
    interface
  tests: change list_networks() to use global interface with P2P
  tests: change persistent_group_invite_removed_client() to use global
    interface
  tests: change persistent_go_client_list() to use global interface
  tests: change p2p_device_misuses() to use group interface
  P2P: when removing a P2P client start from current interface
  tests: use list_networks with p2p=true in test_p2p_channel
  tests: update group_ifname after group started
  tests: change p2p_device_nfc_invite() to use global interface

Ilan Peer (2):
  tests: Fix test_p2ps.py to save group results
  tests: Skip some tests in P2PS when a dedicated P2P Device is used

 tests/hwsim/test_ap_pmf.py         |  4 ++--
 tests/hwsim/test_p2p_channel.py    |  4 ++--
 tests/hwsim/test_p2p_device.py     |  4 ++--
 tests/hwsim/test_p2p_messages.py   | 28 +++++++++++------------
 tests/hwsim/test_p2p_persistent.py | 34 +++++++++++++++-------------
 tests/hwsim/test_p2p_set.py        |  2 +-
 tests/hwsim/test_p2ps.py           | 46 +++++++++++++++++++++++++++++++++-----
 tests/hwsim/wpasupplicant.py       |  8 +++++--
 wpa_supplicant/p2p_supplicant.c    |  2 +-
 9 files changed, 87 insertions(+), 45 deletions(-)

--

-- 
1.9.1
Rajkumar Manoharan | 5 May 09:55 2015

[PATCH] hostapd: add VHT channel switch IEs

Add wide band channel switch and VHT tx power envelope IEs for
VHT bandwidth channel switch.

Signed-off-by: Rajkumar Manoharan <rmanohar <at> qti.qualcomm.com>
---
 src/ap/beacon.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 72 insertions(+), 1 deletion(-)

diff --git a/src/ap/beacon.c b/src/ap/beacon.c
index 7009855..d01361b 100644
--- a/src/ap/beacon.c
+++ b/src/ap/beacon.c
 <at>  <at>  -316,7 +316,7  <at>  <at>  static u8 * hostapd_eid_csa(struct hostapd_data *hapd, u8 *eid)
 }

 
-static u8 * hostapd_eid_secondary_channel(struct hostapd_data *hapd, u8 *eid)
+static u8 *hostapd_eid_secondary_channel(struct hostapd_data *hapd, u8 *eid)
 {
 	u8 sec_ch;

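Review bot: this hunk only changes `static u8 * hostapd_eid_secondary_channel` to `static u8 *hostapd_eid_secondary_channel`, which is unrelated to the VHT channel switch elements and goes against the style of the surrounding functions (the context shows `static u8 * hostapd_eid_csa` and `static u8 * hostapd_add_csa_elems` with the space). Drop this hunk and use the existing `u8 * name` form in the two new functions as well.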
 <at>  <at>  -337,6 +337,72  <at>  <at>  static u8 * hostapd_eid_secondary_channel(struct hostapd_data *hapd, u8 *eid)
 	return eid;
 }

+static u8 *hostapd_eid_wide_bw_chansw(struct hostapd_data *hapd, u8 *eid)
+{
+	struct hostapd_freq_params *params = &hapd->cs_freq_params;
+	u8 chan;
+
+	if (!params->freq)
+		return eid;
+
+	if (ieee80211_freq_to_chan(params->freq, &chan) ==
+	    NUM_HOSTAPD_MODES)
+		return eid;
+
+	*eid++ = WLAN_EID_VHT_WIDE_BW_CHSWITCH;
+	*eid++ = 3;
+
+	switch (params->bandwidth) {
+	case 40:
+		*eid++ = VHT_CHANWIDTH_USE_HT;
+		break;
+	case 80:
+		*eid++ = VHT_CHANWIDTH_80MHZ;
+		break;
+	case 160:
+		*eid++ = VHT_CHANWIDTH_160MHZ;
+		break;
+	}
+	*eid++ = params->freq + params->sec_channel_offset * 10;
+	*eid++ = params->center_freq2;
+
+	return eid;
+}
+
+static u8 *hostapd_eid_vht_txpwr_env(struct hostapd_data *hapd, u8 *eid)
+{
+	struct hostapd_freq_params *params = &hapd->cs_freq_params;
+	struct hostapd_hw_modes *mode = hapd->iface->current_mode;
+	struct hostapd_channel_data *chan;
+	int i;
+	u8 channel;
+
+	if (!params->freq)
+		return eid;
+
+	if (ieee80211_freq_to_chan(params->freq, &channel) ==
+	    NUM_HOSTAPD_MODES)
+		return eid;
+
+	for (i = 0; i < mode->num_channels; i++) {
+		if (mode->channels[i].freq == params->freq)
+			break;
+	}
+	if (i == mode->num_channels)
+		return eid;
+
+	chan = &mode->channels[i];
+
+	*eid++ = WLAN_EID_VHT_TRANSMIT_POWER_ENVELOPE;
+	*eid++ = 5;
+	*eid++ = 2;
+	*eid++ = chan->max_tx_power;
+	*eid++ = chan->max_tx_power;
+	*eid++ = chan->max_tx_power;
+	*eid++ = chan->max_tx_power;
+
+	return eid;
+}

 static u8 * hostapd_add_csa_elems(struct hostapd_data *hapd, u8 *pos,
 				  u8 *start, unsigned int *csa_counter_off)
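Review bot: the two fields after the channel width in hostapd_eid_wide_bw_chansw() are written as frequencies rather than channel numbers: `*eid++ = params->freq + params->sec_channel_offset * 10;` and `*eid++ = params->center_freq2;` store MHz values into single octets, while the Wide Bandwidth Channel Switch element carries New Channel Center Frequency Segment 0/1 as channel numbers. Convert the segment center frequencies with ieee80211_freq_to_chan() (the `chan` computed at the top of the function is currently never used, as is `channel` in hostapd_eid_vht_txpwr_env()). The `switch (params->bandwidth)` also needs a default branch: for any other value the length octet says 3 but only two more octets follow, which yields a malformed element, so either return eid without emitting anything or map the value explicitly. In hostapd_eid_vht_txpwr_env(), a Transmit Power Information octet of 2 announces three Local Maximum Transmit Power fields (20/40/80 MHz) but the function writes four with an element length of 5; use 3 with four fields (covering 160 MHz) or 2 with three fields and length 4, and check that chan->max_tx_power is in the 0.5 dBm units the field expects.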
 <at>  <at>  -354,6 +420,11  <at>  <at>  static u8 * hostapd_add_csa_elems(struct hostapd_data *hapd, u8 *pos,
 		*csa_counter_off = pos - start - 1;
 		pos = hostapd_eid_secondary_channel(hapd, pos);
 	}
+	if (hapd->cs_freq_params.bandwidth > 20 &&
+	    hapd->cs_freq_params.vht_enabled) {
+		pos = hostapd_eid_wide_bw_chansw(hapd, pos);
+		pos = hostapd_eid_vht_txpwr_env(hapd, pos);
+	}

 	return pos;
 }
--

-- 
2.3.7
Ilan Peer | 4 May 14:50 2015

[PATCH v2] P2P: Fix association with an AP/P2P GO that is not a P2P manager

Do not add a P2P IE when a station interface is trying to associate
to an AP or P2P GO that publishes a P2P IE but does not include
a P2P manageability attribute.

This addresses an interoperability issue that was reported in
https://bugzilla.kernel.org/show_bug.cgi?id=96471, where a P2P GO
rejects association from a station interface without a specified
reason.

Signed-off-by: Ilan Peer <ilan.peer <at> intel.com>
---
 src/p2p/p2p.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
index a45fe73..35e0c95 100644
--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
 <at>  <at>  -2485,10 +2485,20  <at>  <at>  static int p2p_assoc_req_ie_wlan_ap(struct p2p_data *p2p, const u8 *bssid,
 	size_t tmplen;
 	int res;
 	u8 group_capab;
+	struct p2p_message msg;

 	if (p2p_ie == NULL)
 		return 0; /* WLAN AP is not a P2P manager */

+	if (p2p_parse_p2p_ie(p2p_ie, &msg) < 0)
+		return 0;
+
+	p2p_dbg(p2p, "BSS P2P manageability %s",
+		msg.manageability ? "enabled" : "disabled");
+
+	if (!msg.manageability)
+		return 0;
+
 	/*
 	 * (Re)Association Request - P2P IE
 	 * P2P Capability attribute (shall be present)
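Review bot: `struct p2p_message msg;` is left uninitialized before p2p_parse_p2p_ie(p2p_ie, &msg); unless that parser zeroes the whole structure itself, msg.manageability is stack garbage in exactly the case this patch targets (a P2P IE without a Manageability attribute), and the `!msg.manageability` test becomes unreliable. Add `os_memset(&msg, 0, sizeof(msg));` before the parse call.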
--

-- 
1.9.1
Jouni Malinen | 4 May 10:34 2015

EAP-pwd missing payload length validation

Published: May 4, 2015
Latest version available from: http://w1.fi/security/2015-4/

Vulnerability

A vulnerability was found in EAP-pwd server and peer implementation used
in hostapd and wpa_supplicant, respectively. The EAP-pwd/Commit and
EAP-pwd/Confirm message payload is processed without verifying that the
received frame is long enough to include all the fields. This results in
a buffer read overflow of up to a couple of hundred bytes.

The exact result of this buffer overflow depends on the platform and may
be either not noticeable (i.e., authentication fails due to invalid data
without any additional side effects) or process termination due to the
buffer read overflow being detected and stopped. The latter case could
potentially result in denial of service when EAP-pwd authentication is
used.

Further research into this issue found that the fragment reassembly
processing is also missing a check for the Total-Length field and this
could result in the payload length becoming negative. This itself would
not add more to the vulnerability due to the payload length not being
verified anyway. However, it is possible that a related reassembly step
would result in hitting an internal security check on buffer use and
result in the processing being terminated.
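
As an added illustration (not hostapd's or wpa_supplicant's EAP-pwd code and not the fix commits), the two checks the advisory describes, written as a small reassembler plus a payload-length gate: Total-Length is validated against the fragment it arrives in and against a cap, each later fragment is bounded by what is still expected, and a Commit or Confirm payload is rejected before any field is read if it is shorter than the fields it must contain. The group sizes, the 4096-byte cap and the simplified fragment handling are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* PWD-Exch byte (RFC 5931): L = Total-Length present, M = more fragments,
 * low six bits = exchange (2 = Commit, 3 = Confirm). */
#define PWD_L 0x80
#define PWD_M 0x40
#define PWD_EXCH_COMMIT 2
#define PWD_EXCH_CONFIRM 3
#define PWD_MAX_TOTAL 4096   /* assumed cap on a reassembled message */

/* Field sizes for the group; {32, 32, 32} models P-256 with SHA-256. */
struct pwd_group { size_t prime_len, order_len, hash_len; };

struct pwd_reasm {
	uint8_t buf[PWD_MAX_TOTAL];
	size_t total, used;   /* announced Total-Length, bytes collected so far */
	int active;
};

/* Gate before any field is read: a Commit needs Element + Scalar, a Confirm
 * needs the hash; anything shorter is rejected instead of being parsed. */
int pwd_payload_ok(int exch, size_t len, const struct pwd_group *g)
{
	size_t need = 0;
	if (exch == PWD_EXCH_COMMIT)
		need = 2 * g->prime_len + g->order_len;
	else if (exch == PWD_EXCH_CONFIRM)
		need = g->hash_len;
	return need != 0 && len >= need;
}

/* Feed one fragment (PWD-Exch byte onwards): 1 = message complete in *out,
 * 0 = need more fragments, -1 = malformed, abort the exchange. */
int pwd_process(struct pwd_reasm *r, const uint8_t *data, size_t len,
		const uint8_t **out, size_t *out_len)
{
	if (len < 1)
		return -1;
	uint8_t hdr = data[0];
	data++, len--;
	if (hdr & PWD_L) {
		/* L may only open a reassembly, and the 2-byte field must be present */
		if (r->active || len < 2)
			return -1;
		size_t total = (size_t) data[0] << 8 | data[1];
		data += 2, len -= 2;
		/* Total-Length must cover this fragment, or "total - len" goes negative */
		if (total == 0 || total > PWD_MAX_TOTAL || total < len)
			return -1;
		r->total = total, r->used = 0, r->active = 1;
	}
	if (r->active) {
		if (len > r->total - r->used)
			return -1;   /* fragment would overrun the announced size */
		memcpy(r->buf + r->used, data, len);
		r->used += len;
		if (hdr & PWD_M)
			return 0;
		r->active = 0;
		if (r->used != r->total)
			return -1;   /* last fragment arrived short */
		*out = r->buf, *out_len = r->used;
		return 1;
	}
	if (hdr & PWD_M)
		return -1;   /* M without a preceding Total-Length */
	*out = data, *out_len = len;
	return 1;
}
```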

Vulnerable versions/configurations

hostapd v1.0-v2.4 with CONFIG_EAP_PWD=y in the build configuration
(hostapd/.config) and EAP-pwd authentication server enabled in runtime
configuration.

wpa_supplicant v1.0-v2.4 with CONFIG_EAP_PWD=y in the build
configuration (wpa_supplicant/.config) and EAP-pwd enabled in a network
profile at runtime.

Acknowledgments

Thanks to Kostya Kortchinsky of Google Security Team for discovering and
reporting this issue.

Possible mitigation steps

- Merge the following commits and rebuild hostapd/wpa_supplicant:

  EAP-pwd peer: Fix payload length validation for Commit and Confirm
  EAP-pwd server: Fix payload length validation for Commit and Confirm
  EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
  EAP-pwd server: Fix Total-Length parsing for fragment reassembly
  EAP-pwd peer: Fix asymmetric fragmentation behavior

  These patches are available from http://w1.fi/security/2015-4/

- Update to hostapd/wpa_supplicant v2.5 or newer, once available

- Remove CONFIG_EAP_PWD=y from build configuration

- Disable EAP-pwd in runtime configuration

--

-- 
Jouni Malinen                                            PGP id EFC895FA
Jouni Malinen | 4 May 10:33 2015

Integer underflow in AP mode WMM Action frame processing

Published: May 4, 2015
Latest version available from: http://w1.fi/security/2015-3/

Vulnerability

A vulnerability was found in WMM Action frame processing in a case where
hostapd or wpa_supplicant is used to implement AP mode MLME/SME
functionality (i.e., Host AP driver or a mac80211-based driver on
Linux).

The AP mode WMM Action frame parser in hostapd/wpa_supplicant goes
through the variable length information element part with the length of
this area calculated by removing the header length from the total length
of the frame. The frame length is previously verified to be large enough
to include the IEEE 802.11 header, but the couple of additional bytes
after this header are not explicitly verified and as a result of this,
there may be an integer underflow that results in the signed integer
variable storing the length becoming negative. This negative value is
then interpreted as a very large unsigned integer length when parsing
the information elements. This results in a buffer read overflow and
process termination.

This vulnerability can be used to perform denial of service attacks by
an attacker that is within radio range of the AP that uses hostapd or
wpa_supplicant for MLME/SME operations.
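
The length computation the advisory describes, as an added example that is not hostapd's parser or the fix commit: the vulnerable shape checks the frame only against the 802.11 header and hands a negative int on as a huge size_t, while the hardened form also requires the four fixed Action fields before subtracting; the sample frame is constructed, not captured.

```c
#include <stddef.h>
#include <stdint.h>

#define IEEE80211_HDRLEN 24
/* Fixed fields of a WMM Action frame after the 802.11 header: Category
 * (17 = WMM), Action, Dialog Token, Status Code. */
#define WMM_ACTION_FIXED 4

/* Walk the information element area: number of complete elements, or -1
 * when an element's length field runs past the end of the buffer. */
int count_ies(const uint8_t *pos, size_t left)
{
	int n = 0;
	while (left >= 2) {
		size_t elen = pos[1];
		if (elen > left - 2)
			return -1;
		pos += 2 + elen;
		left -= 2 + elen;
		n++;
	}
	return left == 0 ? n : -1;
}

/* Vulnerable shape of the length computation: len is only checked against
 * the header, so a 24..27 byte frame gives a negative 'left' that becomes a
 * huge size_t at the call boundary. Returns the size_t the parser would get. */
size_t ie_len_vulnerable(size_t len)
{
	if (len < IEEE80211_HDRLEN)
		return 0;
	int left = (int) len - IEEE80211_HDRLEN - WMM_ACTION_FIXED;
	return (size_t) left;   /* -1 .. -4 turn into SIZE_MAX, SIZE_MAX - 1, ... */
}

/* Hardened form: require the fixed fields too before subtracting.
 * Returns 0 and stores the IE area length, or -1 to drop the frame. */
int ie_len_hardened(size_t len, size_t *left)
{
	if (len < IEEE80211_HDRLEN + WMM_ACTION_FIXED)
		return -1;
	*left = len - IEEE80211_HDRLEN - WMM_ACTION_FIXED;
	return 0;
}

/* Parse a WMM Action frame with the hardened check: number of IEs, or -1. */
int wmm_action_ie_count(const uint8_t *frame, size_t len)
{
	size_t left;
	if (ie_len_hardened(len, &left) < 0 || frame[IEEE80211_HDRLEN] != 17)
		return -1;
	return count_ies(frame + IEEE80211_HDRLEN + WMM_ACTION_FIXED, left);
}

/* Constructed sample (not captured traffic): Action frame header, the four
 * fixed fields, and two elements. */
static const uint8_t sample_frame[] = {
	0xd0, 0x00, 0x00, 0x00,                     /* Frame Control (Action), Duration */
	0x00, 0x11, 0x22, 0x33, 0x44, 0x55,         /* A1 */
	0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,         /* A2 */
	0x00, 0x11, 0x22, 0x33, 0x44, 0x55,         /* A3 */
	0x00, 0x00,                                 /* Sequence Control */
	17, 0, 1, 0,                                /* Category WMM, Action, Dialog Token, Status */
	0xdd, 0x05, 0x00, 0x50, 0xf2, 0x02, 0x02,   /* vendor-specific element, WMM OUI, 5 bytes */
	0x00, 0x02, 'X', 'X'                        /* a second element, 2 bytes */
};

size_t sample_frame_len(void) { return sizeof(sample_frame); }

/* Run the parser over the sample truncated to its first 'len' bytes. */
int sample_check(size_t len)
{
	return len <= sizeof(sample_frame) ? wmm_action_ie_count(sample_frame, len) : -1;
}
```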

Vulnerable versions/configurations

hostapd v0.5.5-v2.4 with CONFIG_DRIVER_HOSTAP=y or
CONFIG_DRIVER_NL80211=y in the build configuration (hostapd/.config).

wpa_supplicant v0.7.0-v2.4 with CONFIG_AP=y or CONFIG_P2P=y and
CONFIG_DRIVER_HOSTAP=y or CONFIG_DRIVER_NL80211=y in the build
configuration (wpa_supplicant/.config) and AP (including P2P GO) mode
used at runtime.

Acknowledgments

Thanks to Kostya Kortchinsky of Google Security Team for discovering and
reporting this issue.

Possible mitigation steps

- Merge the following commit and rebuild hostapd/wpa_supplicant:

  AP WMM: Fix integer underflow in WMM Action frame parser

  This patch is available from http://w1.fi/security/2015-3/

- Update to hostapd/wpa_supplicant v2.5 or newer, once available

- wpa_supplicant: Do not enable AP mode or P2P GO operation at runtime

--

-- 
Jouni Malinen                                            PGP id EFC895FA
Jouni Malinen | 4 May 10:33 2015

WPS UPnP vulnerability with HTTP chunked transfer encoding

Published: May 4, 2015
Latest version available from: http://w1.fi/security/2015-2/

Vulnerability

A vulnerability was found in the WPS UPnP function shared by hostapd
(WPS AP) and wpa_supplicant (WPS external registrar). The HTTP
implementation used for the UPnP operations uses a signed integer for
storing the length of an HTTP chunk when the chunked transfer encoding is used,
and may end up using a negative value when the chunk length is indicated
as 0x8000000 or longer. The length validation steps do not handle the
negative value properly and may end up accepting the length and passing
a negative value to the memcpy when copying the received data from a
stack buffer to a heap buffer allocated for the full request. This
results in stack buffer read overflow and heap buffer write overflow.

Taking into account that both hostapd and wpa_supplicant use only a single
thread, the memcpy call with a negative length value results in heap
corruption, but due to the negative parameter being interpreted as a
huge positive integer, process execution terminates in practice before
being able to run any following operations with the corrupted heap. This
may allow a possible denial of service attack through
hostapd/wpa_supplicant process termination under certain conditions.

WPS UPnP operations are performed over a trusted IP network connection,
i.e., an attack against this vulnerability requires the attacker to have
access to the IP network. In addition, this requires the WPS UPnP
functionality to be enabled at runtime. For WPS AP (hostapd) with a
wired network connectivity, this is commonly enabled. For WPS station
(wpa_supplicant) WPS UPnP functionality is used only when WPS ER
functionality has been enabled at runtime (WPS_ER_START command issued
over the control interface). The vulnerable functionality is not
reachable without that command having been issued.

Vulnerable versions/configurations

hostapd v0.7.0-v2.4 with CONFIG_WPS_UPNP=y in the build configuration
(hostapd/.config) and upnp_iface parameter included in the runtime
configuration.

wpa_supplicant v0.7.0-v2.4 with CONFIG_WPS_ER=y in the build
configuration (wpa_supplicant/.config) and WPS ER functionality enabled
at runtime with WPS_ER_START control interface command.

Acknowledgments

Thanks to Kostya Kortchinsky of Google Security Team for discovering and
reporting this issue.

Possible mitigation steps

- Merge the following commit and rebuild hostapd/wpa_supplicant:

  WPS: Fix HTTP chunked transfer encoding parser

  This patch is available from http://w1.fi/security/2015-2/

- Update to hostapd/wpa_supplicant v2.5 or newer, once available

- Disable WPS UPnP in hostapd runtime configuration (remove the
  upnp_iface parameter from the configuration file)

- Do not enable WPS ER at runtime in wpa_supplicant (WPS_ER_START
  control interface command)

- Disable WPS UPnP/ER from the build (remove CONFIG_WPS_UPNP=y from
  hostapd/.config and CONFIG_WPS_ER=y from wpa_supplicant/.config)

--

-- 
Jouni Malinen                                            PGP id EFC895FA