From 934b0c3a45ce0726560ccefbd992a9d385c36385 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sat, 16 Mar 2024 11:31:37 +0200
Subject: [PATCH 7/9] Require Message-Authenticator in Access-Reject even
 without EAP-Message

Do not allow the exception for missing Message-Authenticator in
Access-Reject without EAP-Message. While such an exception is allowed in
the RADIUS definition, there is no strong reason to maintain this since
Access-Reject is supposed to include EAP-Message and even if it doesn't,
discarding Access-Reject will result in the connection not completing.

Signed-off-by: Jouni Malinen <j@w1.fi>

CVE: CVE-2024-3596
Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=934b0c3a45ce0726560ccefbd992a9d385c36385]
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 src/ap/ieee802_1x.c | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
index 89e3dd30e..6e7b75128 100644
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -1939,16 +1939,7 @@ ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req,
 	}
 	sta = sm->sta;
 
-	/* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be
-	 * present when packet contains an EAP-Message attribute */
-	if (hdr->code == RADIUS_CODE_ACCESS_REJECT &&
-	    radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL,
-				0) < 0 &&
-	    radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) {
-		wpa_printf(MSG_DEBUG,
-			   "Allowing RADIUS Access-Reject without Message-Authenticator since it does not include EAP-Message");
-	} else if (radius_msg_verify(msg, shared_secret, shared_secret_len,
-				     req, 1)) {
+	if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 1)) {
 		wpa_printf(MSG_INFO,
 			   "Incoming RADIUS packet did not have correct Message-Authenticator - dropped");
 		return RADIUS_RX_INVALID_AUTHENTICATOR;
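Review bot: The MSG_INFO text kept on the two lines after the new `if` ("did not have correct Message-Authenticator") now also covers the case the removed branch used to accept, an Access-Reject with no Message-Authenticator at all, and the MSG_DEBUG line that explained that case is gone with it, so an operator whose server still omits the attribute on Access-Reject sees only a "not correct" drop with no hint that the attribute is now mandatory. Assuming radius_msg_verify's trailing `1` is what makes the attribute required (its meaning is not visible in the hunk), I would make the log say so, e.g. `"Incoming RADIUS packet did not have a valid Message-Authenticator (missing or incorrect) - dropped"`, and keep a short comment above the call such as `/* Message-Authenticator is required in every response, including Access-Reject without EAP-Message; the RFC 2865 exception is deliberately not honored */` so the stricter policy is documented where it is enforced rather than only in the commit message. ieee802_1x_receive_auth begins and ends outside the hunk.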
-- 
2.30.2

