[PATCH 18/44] test: FT RRB internal delivery to non-WPA BSS

michael-dev at fami-braun.de michael-dev at fami-braun.de
Wed Feb 24 03:53:24 PST 2016 

From: Michael Braun <michael-dev at fami-braun.de>

A malcious station could try to do FT-over-DS with a non WPA-enabled BSS.
When this BSS is located in the same hostapd instance, internal RRB
delivery will be used and thus the FT Action Frame will be processed by a
non-WPA enabled BSS. This processing will crash hostapd as hapd->wpa_auth
is null.

This test implements such a malcious request and checks for hostapd
crashing.

Signed-off-by: Michael Braun <michael-dev at fami-braun.de>
---
 tests/hwsim/test_ap_ft.py | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/tests/hwsim/test_ap_ft.py b/tests/hwsim/test_ap_ft.py
index 7d0f515..4143072 100644
--- a/tests/hwsim/test_ap_ft.py
+++ b/tests/hwsim/test_ap_ft.py
@@ -1444,3 +1444,30 @@ def test_ap_ft_bridge(dev, apdev):
     finally:
         subprocess.call(['ip', 'link', 'set', 'dev', "brft", 'down'])
         subprocess.call(['brctl', 'delbr', "brft"])
+
+def test_ap_ft_internal_rrb_check(dev, apdev):
+    """RRB internal delivery only to wpa enabled bss"""
+    ssid = "test-ft"
+    passphrase="12345678"
+
+    radius = hostapd.radius_params()
+    params = ft_params1(ssid=ssid, passphrase=passphrase)
+    params['wpa_key_mgmt'] = "FT-EAP"
+    params["ieee8021x"] = "1"
+    params = dict(radius.items() + params.items())
+    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
+    key_mgmt = hapd.get_config()['key_mgmt']
+    if key_mgmt.split(' ')[0] != "FT-EAP":
+        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
+
+    hapd1 = hostapd.add_ap(apdev[1]['ifname'], { "ssid" : ssid })
+
+    # connect to WPA enabled AP
+    dev[0].connect(ssid, key_mgmt="FT-EAP", proto="WPA2", ieee80211w="1",
+                   eap="GPSK", identity="gpsk user",
+                   password="abcdefghijklmnop0123456789abcdef",
+                   scan_freq="2412")
+
+    # try over_ds roaming to non-WPA-enabled AP
+    # if hostapd does not check hapd->wpa_auth internally, it will crash now.
+    dev[0].roam_over_ds(apdev[1]['bssid'], fail_test=True)
-- 
1.9.1

More information about the Hostap mailing list