From f54157077f799d84ce26bed6ad6b01c4a16e31cf Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sat, 16 Mar 2024 11:26:58 +0200
Subject: [PATCH 6/9] RADIUS DAS: Move Message-Authenticator attribute to be
 the first one

Even if this might not be strictly speaking necessary for mitigating
certain RADIUS protocol attacks, be consistent with the RADIUS server
behavior and move the Message-Authenticator attribute to be the first
attribute in the RADIUS DAS responses from hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>

CVE: CVE-2024-3596
Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=f54157077f799d84ce26bed6ad6b01c4a16e31cf]
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 src/radius/radius_das.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/radius/radius_das.c b/src/radius/radius_das.c
index aaa3fc267..8d7c9b4c4 100644
--- a/src/radius/radius_das.c
+++ b/src/radius/radius_das.c
@@ -177,6 +177,11 @@ fail:
 	if (reply == NULL)
 		return NULL;
 
+	if (!radius_msg_add_msg_auth(reply)) {
+		radius_msg_free(reply);
+		return NULL;
+	}
+
 	if (error) {
 		if (!radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE,
 					       error)) {
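Review bot: Nothing at the added `if (!radius_msg_add_msg_auth(reply))` block records that its position is the whole point of the change, so a later edit that adds an attribute above it would silently undo the ordering. A short comment before the call would pin this, for example `/* Message-Authenticator has to be the first attribute in the reply (CVE-2024-3596); add all other attributes after this call. */`. The same comment belongs on the identical block in the second hunk (`@@ -368,6 +373,11 @@`). Both enclosing functions start and end outside the hunks, so whether anything is added to `reply` before these lines cannot be checked from here.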
@@ -368,6 +373,11 @@ fail:
 	if (!reply)
 		return NULL;
 
+	if (!radius_msg_add_msg_auth(reply)) {
+		radius_msg_free(reply);
+		return NULL;
+	}
+
 	if (error &&
 	    !radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE, error)) {
 		radius_msg_free(reply);
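Review bot: `radius_msg_add_msg_auth()` is called here and in the first hunk but is neither declared nor defined in this patch, so the backport only builds if the earlier patch of the 9-part series that introduces it is applied first. The step that computes the attribute value is also outside this diff. Presumably it has to fill in the attribute added here rather than append a second Message-Authenticator at the end of the reply, which is worth confirming against the rest of the backported series.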
-- 
2.30.2

