qcacld-3.0: Fix information leak in lim_process_auth_shared_system_algo()
If cds_rand_get_bytes() fails, random kernel stack contents may be used as the challenge text, which is an information leak. To avoid this, send an auth failure with status code REFUSED_TEMPORARILY (try again later) when random number generation fails. Change-Id: If1238343e0c911c7e1ead8b5de62c0315a701017 CRs-Fixed: 2248569

committad av
nshrivas

förälder
65a5d53923
incheckning
fc23618216
@@ -97,12 +97,12 @@ static void lim_process_auth_shared_system_algo(tpAniSirGlobal mac_ctx,
|
||||
tpSirMacMgmtHdr mac_hdr,
|
||||
tSirMacAuthFrameBody *rx_auth_frm_body,
|
||||
tSirMacAuthFrameBody *auth_frame,
|
||||
uint8_t *challenge_txt_arr,
|
||||
tpPESession pe_session)
|
||||
{
|
||||
uint32_t val;
|
||||
uint8_t cfg_privacy_opt_imp, *challenge;
|
||||
uint8_t cfg_privacy_opt_imp;
|
||||
struct tLimPreAuthNode *auth_node;
|
||||
uint8_t challenge_txt_arr[SIR_MAC_SAP_AUTH_CHALLENGE_LENGTH] = {0};
|
||||
|
||||
pe_debug("=======> eSIR_SHARED_KEY");
|
||||
if (LIM_IS_AP_ROLE(pe_session))
|
||||
@@ -183,19 +183,39 @@ static void lim_process_auth_shared_system_algo(tpAniSirGlobal mac_ctx,
|
||||
lim_delete_pre_auth_node(mac_ctx, mac_hdr->sa);
|
||||
return;
|
||||
}
|
||||
lim_activate_auth_rsp_timer(mac_ctx, auth_node);
|
||||
auth_node->fTimerStarted = 1;
|
||||
|
||||
/*
|
||||
* get random bytes and use as challenge text.
|
||||
* If it fails we already have random stack bytes.
|
||||
*/
|
||||
if (!QDF_IS_STATUS_SUCCESS(cds_rand_get_bytes(0,
|
||||
(uint8_t *) challenge_txt_arr,
|
||||
SIR_MAC_SAP_AUTH_CHALLENGE_LENGTH)))
|
||||
get_random_bytes(challenge_txt_arr,
|
||||
SIR_MAC_SAP_AUTH_CHALLENGE_LENGTH);
|
||||
qdf_mem_zero(auth_node->challengeText,
|
||||
SIR_MAC_SAP_AUTH_CHALLENGE_LENGTH);
|
||||
if (!qdf_mem_cmp(challenge_txt_arr,
|
||||
auth_node->challengeText,
|
||||
SIR_MAC_SAP_AUTH_CHALLENGE_LENGTH)) {
|
||||
pe_err("Challenge text preparation failed");
|
||||
challenge = auth_node->challengeText;
|
||||
qdf_mem_copy(challenge, (uint8_t *)challenge_txt_arr,
|
||||
sizeof(challenge_txt_arr));
|
||||
lim_print_mac_addr(mac_ctx, mac_hdr->sa, LOGW);
|
||||
auth_frame->authAlgoNumber =
|
||||
rx_auth_frm_body->authAlgoNumber;
|
||||
auth_frame->authTransactionSeqNumber =
|
||||
rx_auth_frm_body->authTransactionSeqNumber + 1;
|
||||
auth_frame->authStatusCode = eSIR_MAC_TRY_AGAIN_LATER;
|
||||
lim_send_auth_mgmt_frame(mac_ctx,
|
||||
auth_frame,
|
||||
mac_hdr->sa,
|
||||
LIM_NO_WEP_IN_FC,
|
||||
pe_session);
|
||||
lim_delete_pre_auth_node(mac_ctx, mac_hdr->sa);
|
||||
return;
|
||||
}
|
||||
|
||||
lim_activate_auth_rsp_timer(mac_ctx, auth_node);
|
||||
auth_node->fTimerStarted = 1;
|
||||
|
||||
qdf_mem_copy(auth_node->challengeText,
|
||||
challenge_txt_arr,
|
||||
sizeof(challenge_txt_arr));
|
||||
/*
|
||||
* Sending Authenticaton frame with challenge.
|
||||
*/
|
||||
@@ -303,7 +323,6 @@ static void lim_process_auth_frame_type1(tpAniSirGlobal mac_ctx,
|
||||
{
|
||||
tpDphHashNode sta_ds_ptr = NULL;
|
||||
struct tLimPreAuthNode *auth_node;
|
||||
uint8_t challenge_txt_arr[SIR_MAC_SAP_AUTH_CHALLENGE_LENGTH];
|
||||
uint32_t maxnum_preauth;
|
||||
uint16_t associd = 0;
|
||||
|
||||
@@ -487,8 +506,7 @@ static void lim_process_auth_frame_type1(tpAniSirGlobal mac_ctx,
|
||||
|
||||
case eSIR_SHARED_KEY:
|
||||
lim_process_auth_shared_system_algo(mac_ctx, mac_hdr,
|
||||
rx_auth_frm_body, auth_frame,
|
||||
challenge_txt_arr, pe_session);
|
||||
rx_auth_frm_body, auth_frame, pe_session);
|
||||
break;
|
||||
default:
|
||||
pe_err("rx Auth frm for unsupported auth algo %d "
|
||||
|
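Review bot: In the `@@ -183,19 +183,39 @@` hunk of lim_process_auth_shared_system_algo(), random-number failure is detected by comparing `challenge_txt_arr` against a freshly zeroed `auth_node->challengeText` rather than by checking a status, and no comment says so. The test only works because the first hunk declares the buffer with `= {0}`; if that initialiser is dropped later, the uninitialised-stack leak this commit closes would come back silently, and a partially filled buffer would still pass the comparison. I would add a comment above the `qdf_mem_cmp` call, e.g. `/* challenge_txt_arr starts zeroed; still all-zero here means no random bytes were written, so refuse instead of sending it */`, and check a return status too if the random source in use provides one. The +/- markers are lost on this page, so the new side is read from the hunk line counts, and the function body continues outside the hunks shown.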