WPA: Discard EAPOL-Key msg 1/4 with corrupted information elements
authorDomien Schepers <schepers.d@northeastern.edu>
Thu, 5 May 2022 19:53:26 +0000 (21:53 +0200)
committerJouni Malinen <j@w1.fi>
Sat, 7 May 2022 15:54:09 +0000 (18:54 +0300)
Currently a corrupted handshake message 1/4 causes the client to
disconnect from the network. This can lead to a denial-of-service
vulnerability allowing an adversary to forcibly disconnect a client from
protected networks even when Wi-Fi Management Frame Protection (MFP) is
enforced if the driver allows unencrypted EAPOL-Key frames to be
received after key configuration.

Fix this by discarding the corrupted handshake message 1/4.

This issue was discovered by Domien Schepers (Northeastern University)
and Mathy Vanhoef (imec-DistriNet, KU Leuven).

Signed-off-by: Domien Schepers <schepers.d@northeastern.edu>
src/rsn_supp/wpa.c

index dd18236ee53bcdf0fee3b10107c33c3ee14f5c79..7758c23935e2b23327217eb5112c048ea8de6068 100644 (file)
@@ -694,7 +694,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
                return;
        }
 
-       wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
        wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of 4-Way "
                "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
 
@@ -704,8 +703,11 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
                /* RSN: msg 1/4 should contain PMKID for the selected PMK */
                wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data",
                            key_data, key_data_len);
-               if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
-                       goto failed;
+               if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) {
+                       wpa_printf(MSG_DEBUG,
+                                  "RSN: Discard EAPOL-Key msg 1/4 with invalid IEs/KDEs");
+                       return;
+               }
                if (ie.pmkid) {
                        wpa_hexdump(MSG_DEBUG, "RSN: PMKID from "
                                    "Authenticator", ie.pmkid, PMKID_LEN);
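Review bot: The new early return on parse failure carries no comment saying why this path deliberately discards the frame instead of taking the `goto failed` route the other error paths in this function use; a maintainer reading only the code will see an inconsistency and may "fix" it back. I would add above the `if (wpa_supplicant_parse_ies(...) < 0) {` line: `/* Discard silently: a forged/corrupted msg 1/4 must not be able to force a disconnect (DoS), so do not treat this as a handshake failure */`. One tradeoff worth noting is that the only trace of an ongoing flood of such frames is now a MSG_DEBUG line, so an operator will not see an active attack at the default log level; if that matters, consider a counter or a wpa_msg at INFO level, rate-limited. The enclosing function wpa_supplicant_process_1_of_4 starts and ends outside this hunk.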
@@ -721,6 +723,8 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
        if (res)
                goto failed;
 
+       wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
+
        if (sm->renew_snonce) {
                if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
                        wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
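Review bot: The moved `wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE)` now sits directly after `if (res) goto failed;`, which means a msg 1/4 whose IEs parse but whose PMK selection fails still takes the `failed` path; if that label still tears down the association (its body is outside this hunk), an unauthenticated frame with a valid-looking but unknown PMKID may remain a disconnect trigger of the same kind the commit message describes, and it is worth confirming whether that path should also become a discard. The relocation itself deserves a one-line rationale so the ordering is not undone later: `/* Enter 4-way handshake state only after msg 1/4 has been validated and a PMK selected, so a forged msg 1/4 cannot move the state machine */`. The enclosing function continues past the end of this hunk, so I cannot see what `failed:` does here.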