[PATCH] eapol: Silently discard invalid EAPoL frames

[PATCH] eapol: Silently discard invalid EAPoL frames

[Denis Kenzior]

[-- Attachment #1: Type: text/plain, Size: 1840 bytes --]

Do not fail an ongoing handshake when an invalid EAPoL frame is
received.  Instead, follow the intent of 802.11-2020 section 12.7.2:
"EAPOL-Key frames containing invalid field values shall be silently
discarded."

This prevents a denial-of-service attack where receipt of an invalid,
unencrypted EAPoL 1/4 frame generated by an adversary results in iwd
terminating an ongoing connection.

Reported-by: Domien Schepers <schepers.d(a)northeastern.edu>
---
 src/eapol.c | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/src/eapol.c b/src/eapol.c
index e2c999912f49..9373ef11e829 100644
--- a/src/eapol.c
+++ b/src/eapol.c
@@ -1152,7 +1152,7 @@ static void eapol_handle_ptk_1_of_4(struct eapol_sm *sm,
 	l_debug("ifindex=%u", sm->handshake->ifindex);
 
 	if (!eapol_verify_ptk_1_of_4(ek, sm->mic_len))
-		goto error_unspecified;
+		return;
 
 	pmkid = handshake_util_find_pmkid_kde(EAPOL_KEY_DATA(ek, sm->mic_len),
 					EAPOL_KEY_DATA_LEN(ek, sm->mic_len));
@@ -1676,10 +1676,8 @@ static void eapol_handle_ptk_3_of_4(struct eapol_sm *sm,
 
 	l_debug("ifindex=%u", hs->ifindex);
 
-	if (!eapol_verify_ptk_3_of_4(ek, hs->wpa_ie, sm->mic_len)) {
-		handshake_failed(sm, MMPDU_REASON_CODE_UNSPECIFIED);
+	if (!eapol_verify_ptk_3_of_4(ek, hs->wpa_ie, sm->mic_len))
 		return;
-	}
 
 	/*
 	 * 802.11-2016, Section 12.7.6.4:
@@ -2086,10 +2084,8 @@ static void eapol_handle_gtk_1_of_2(struct eapol_sm *sm,
 
 	l_debug("ifindex=%u", hs->ifindex);
 
-	if (!eapol_verify_gtk_1_of_2(ek, hs->wpa_ie, sm->mic_len)) {
-		handshake_failed(sm, MMPDU_REASON_CODE_UNSPECIFIED);
+	if (!eapol_verify_gtk_1_of_2(ek, hs->wpa_ie, sm->mic_len))
 		return;
-	}
 
 	oci = handshake_util_find_kde(HANDSHAKE_KDE_OCI, decrypted_key_data,
 					decrypted_key_data_size, &oci_len);
-- 
2.32.0