From 37fe8e48ab44d44fe3cf5dd8f52cb0a10be0cd17 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sat, 16 Mar 2024 11:22:43 +0200 Subject: [PATCH 5/9] hostapd: Move Message-Authenticator attribute to be the first one in req Even if this is not strictly speaking necessary for mitigating certain RADIUS protocol attacks, be consistent with the RADIUS server behavior and move the Message-Authenticator attribute to be the first attribute in the message from RADIUS client in hostapd. Signed-off-by: Jouni Malinen CVE: CVE-2024-3596 Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=37fe8e48ab44d44fe3cf5dd8f52cb0a10be0cd17] Signed-off-by: Peter Marko --- src/ap/ieee802_11_auth.c | 3 +++ src/ap/ieee802_1x.c | 3 +++ 2 files changed, 6 insertions(+) diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c index 47cc625be..2a950cf7f 100644 --- a/src/ap/ieee802_11_auth.c +++ b/src/ap/ieee802_11_auth.c @@ -119,6 +119,9 @@ static int hostapd_radius_acl_query(struct hostapd_data *hapd, const u8 *addr, goto fail; } + if (!radius_msg_add_msg_auth(msg)) + goto fail; + os_snprintf(buf, sizeof(buf), RADIUS_ADDR_FORMAT, MAC2STR(addr)); if (!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, (u8 *) buf, os_strlen(buf))) { diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c index 753c88335..89e3dd30e 100644 --- a/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c @@ -702,6 +702,9 @@ void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, goto fail; } + if (!radius_msg_add_msg_auth(msg)) + goto fail; + if (sm->identity && !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, sm->identity, sm->identity_len)) { -- 2.30.2