Do not fail an ongoing handshake when an invalid EAPoL frame is
received. Instead, follow the intent of 802.11-2020 section 12.7.2:
"EAPOL-Key frames containing invalid field values shall be silently
discarded."
This prevents a denial-of-service attack where receipt of an invalid,
unencrypted EAPoL 1/4 frame generated by an adversary results in iwd
terminating an ongoing connection.
Reported-by: Domien Schepers <schepers.d(a)northeastern.edu>
---
src/eapol.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/src/eapol.c b/src/eapol.c
index e2c999912f49..9373ef11e829 100644
--- a/src/eapol.c
+++ b/src/eapol.c
@@ -1152,7 +1152,7 @@ static void eapol_handle_ptk_1_of_4(struct eapol_sm *sm,
l_debug("ifindex=%u", sm->handshake->ifindex);
if (!eapol_verify_ptk_1_of_4(ek, sm->mic_len))
- goto error_unspecified;
+ return;
pmkid = handshake_util_find_pmkid_kde(EAPOL_KEY_DATA(ek, sm->mic_len),
EAPOL_KEY_DATA_LEN(ek, sm->mic_len));
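Review bot: The new bare `return` on the verify failure leaves the function's `error_unspecified` label untouched; if no other `goto error_unspecified` remains in eapol_handle_ptk_1_of_4 (the rest of the body is outside the hunk), the label becomes unused and builds with -Wunused-label will warn, so it is worth checking whether the label should go too. The same silent-discard paths here and in the 3/4 and GTK 1/2 hunks also drop the only indication that a malformed frame arrived, since the preceding `l_debug` only records the ifindex. A debug trace on the discard path, e.g. `l_debug("invalid EAPoL-Key frame on ifindex=%u, discarding", sm->handshake->ifindex);` placed before the `return` (and `hs->ifindex` in the other two handlers), would keep the rejected frame visible when investigating the injection scenario the commit describes without changing the discard behaviour. eapol_handle_ptk_1_of_4 starts and ends outside the hunk.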
@@ -1676,10 +1676,8 @@ static void eapol_handle_ptk_3_of_4(struct eapol_sm *sm,
l_debug("ifindex=%u", hs->ifindex);
- if (!eapol_verify_ptk_3_of_4(ek, hs->wpa_ie, sm->mic_len)) {
- handshake_failed(sm, MMPDU_REASON_CODE_UNSPECIFIED);
+ if (!eapol_verify_ptk_3_of_4(ek, hs->wpa_ie, sm->mic_len))
return;
- }
/*
* 802.11-2016, Section 12.7.6.4:
@@ -2086,10 +2084,8 @@ static void eapol_handle_gtk_1_of_2(struct eapol_sm *sm,
l_debug("ifindex=%u", hs->ifindex);
- if (!eapol_verify_gtk_1_of_2(ek, hs->wpa_ie, sm->mic_len)) {
- handshake_failed(sm, MMPDU_REASON_CODE_UNSPECIFIED);
+ if (!eapol_verify_gtk_1_of_2(ek, hs->wpa_ie, sm->mic_len))
return;
- }
oci = handshake_util_find_kde(HANDSHAKE_KDE_OCI, decrypted_key_data,
decrypted_key_data_size, &oci_len);
--
2.32.0