qcacld-3.0: Fix information leak in lim_process_auth_shared_system_algo()

If cds_rand_get_bytes() fails, random kernel stack contents may be
used as the challenge text, which is an information leak. To avoid
this, send an auth failure with status code REFUSED_TEMPORARILY
(try again later) when random number generation fails.

Change-Id: If1238343e0c911c7e1ead8b5de62c0315a701017
CRs-Fixed: 2248569
Arif Hussain
2018-06-01 10:56:47 -07:00
committad av nshrivas
förälder 65a5d53923
incheckning fc23618216


@@ -97,12 +97,12 @@ static void lim_process_auth_shared_system_algo(tpAniSirGlobal mac_ctx,
tpSirMacMgmtHdr mac_hdr,
tSirMacAuthFrameBody *rx_auth_frm_body,
tSirMacAuthFrameBody *auth_frame,
uint8_t *challenge_txt_arr,
tpPESession pe_session)
{
uint32_t val;
uint8_t cfg_privacy_opt_imp, *challenge;
uint8_t cfg_privacy_opt_imp;
struct tLimPreAuthNode *auth_node;
uint8_t challenge_txt_arr[SIR_MAC_SAP_AUTH_CHALLENGE_LENGTH] = {0};
pe_debug("=======> eSIR_SHARED_KEY");
if (LIM_IS_AP_ROLE(pe_session))
@@ -183,19 +183,39 @@ static void lim_process_auth_shared_system_algo(tpAniSirGlobal mac_ctx,
lim_delete_pre_auth_node(mac_ctx, mac_hdr->sa);
return;
}
lim_activate_auth_rsp_timer(mac_ctx, auth_node);
auth_node->fTimerStarted = 1;
/*
* get random bytes and use as challenge text.
* If it fails we already have random stack bytes.
*/
if (!QDF_IS_STATUS_SUCCESS(cds_rand_get_bytes(0,
(uint8_t *) challenge_txt_arr,
SIR_MAC_SAP_AUTH_CHALLENGE_LENGTH)))
get_random_bytes(challenge_txt_arr,
SIR_MAC_SAP_AUTH_CHALLENGE_LENGTH);
qdf_mem_zero(auth_node->challengeText,
SIR_MAC_SAP_AUTH_CHALLENGE_LENGTH);
if (!qdf_mem_cmp(challenge_txt_arr,
auth_node->challengeText,
SIR_MAC_SAP_AUTH_CHALLENGE_LENGTH)) {
pe_err("Challenge text preparation failed");
challenge = auth_node->challengeText;
qdf_mem_copy(challenge, (uint8_t *)challenge_txt_arr,
sizeof(challenge_txt_arr));
lim_print_mac_addr(mac_ctx, mac_hdr->sa, LOGW);
auth_frame->authAlgoNumber =
rx_auth_frm_body->authAlgoNumber;
auth_frame->authTransactionSeqNumber =
rx_auth_frm_body->authTransactionSeqNumber + 1;
auth_frame->authStatusCode = eSIR_MAC_TRY_AGAIN_LATER;
lim_send_auth_mgmt_frame(mac_ctx,
auth_frame,
mac_hdr->sa,
LIM_NO_WEP_IN_FC,
pe_session);
lim_delete_pre_auth_node(mac_ctx, mac_hdr->sa);
return;
}
lim_activate_auth_rsp_timer(mac_ctx, auth_node);
auth_node->fTimerStarted = 1;
qdf_mem_copy(auth_node->challengeText,
challenge_txt_arr,
sizeof(challenge_txt_arr));
/*
* Sending Authenticaton frame with challenge.
*/
@@ -303,7 +323,6 @@ static void lim_process_auth_frame_type1(tpAniSirGlobal mac_ctx,
{
tpDphHashNode sta_ds_ptr = NULL;
struct tLimPreAuthNode *auth_node;
uint8_t challenge_txt_arr[SIR_MAC_SAP_AUTH_CHALLENGE_LENGTH];
uint32_t maxnum_preauth;
uint16_t associd = 0;
@@ -487,8 +506,7 @@ static void lim_process_auth_frame_type1(tpAniSirGlobal mac_ctx,
case eSIR_SHARED_KEY:
lim_process_auth_shared_system_algo(mac_ctx, mac_hdr,
rx_auth_frm_body, auth_frame,
challenge_txt_arr, pe_session);
rx_auth_frm_body, auth_frame, pe_session);
break;
default:
pe_err("rx Auth frm for unsupported auth algo %d "
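Review bot: The failure check in lim_process_auth_shared_system_algo() (the `!qdf_mem_cmp(...)` block in the second hunk) detects a failed fill only by finding challenge_txt_arr still all zero, so it depends on the `= {0}` initialiser in the first hunk and on qdf_mem_cmp() returning 0 for equal buffers, and the code states neither. The result of get_random_bytes() is not checked (the kernel API returns void), so a partially filled buffer would pass the check; that is presumably acceptable, but it should be written down. I would add above the comparison: `/* challenge_txt_arr starts zeroed; still all-zero means the RNG wrote nothing, so refuse rather than send a predictable challenge */`. The page has lost its +/- markers, so which lines are on the new side is inferred here, and the function body continues outside these hunks.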