3 files changed, 151 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2025-24912-01.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2025-24912-01.patch
new file mode 100644
index 0000000000..36660b5880
--- /dev/null
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2025-24912-01.patch
@@ -0,0 +1,79 @@
+From 726432d7622cc0088ac353d073b59628b590ea44 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 25 Jan 2025 11:21:16 +0200
+Subject: [PATCH] RADIUS: Drop pending request only when accepting the response
+The case of an invalid authenticator in a RADIUS response could imply
+that the response is not from the correct RADIUS server and as such,
+such a response should be discarded without changing internal state for
+the pending request. The case of an unknown response (RADIUS_RX_UNKNOWN)
+is somewhat more complex since it could have been indicated before
+validating the authenticator. In any case, it seems better to change the
+state for the pending request only when we have fully accepted the
+response.
+Allowing the internal state of pending RADIUS request to change based on
+responses that are not fully validation could have allow at least a
+theoretical DoS attack if an attacker were to have means for injecting
+RADIUS messages to the network using the IP address of the real RADIUS
+server and being able to do so more quickly than the real server and
+with the matching identifier from the request header (i.e., either by
+flooding 256 responses quickly or by having means to capture the RADIUS
+request). These should not really be realistic options in a properly
+protected deployment, but nevertheless it is good to be more careful in
+processing RADIUS responses.
+Remove a pending RADIUS request from the internal list only when having
+fully accepted a matching RADIUS response, i.e., after one of the
+registered handlers has confirmed that the authenticator is valid and
+processing of the response has succeeded.
+Signed-off-by: Jouni Malinen <j@w1.fi>
+CVE: CVE-2025-24912
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=726432d7622cc0088ac353d073b59628b590ea44]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/radius/radius_client.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+diff --git a/src/radius/radius_client.c b/src/radius/radius_client.c
+index 2a7f36170..7909b29a7 100644
+--- a/src/radius/radius_client.c
+++ b/src/radius/radius_client.c
+@@ -1259,13 +1259,6 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+                       roundtrip / 100, roundtrip % 100);
+        rconf->round_trip_time = roundtrip;
+ 
+-       /* Remove ACKed RADIUS packet from retransmit list */
+-       if (prev_req)
+-               prev_req->next = req->next;
+-       else
+-               radius->msgs = req->next;
+-       radius->num_msgs--;
+-
+        for (i = 0; i < num_handlers; i++) {
+                RadiusRxResult res;
+                res = handlers[i].handler(msg, req->msg, req->shared_secret,
+@@ -1276,6 +1269,13 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+                        radius_msg_free(msg);
+                        /* fall through */
+                case RADIUS_RX_QUEUED:
+                       /* Remove ACKed RADIUS packet from retransmit list */
+                       if (prev_req)
+                               prev_req->next = req->next;
+                       else
+                               radius->msgs = req->next;
+                       radius->num_msgs--;
+
+                        radius_client_msg_free(req);
+                        return;
+                case RADIUS_RX_INVALID_AUTHENTICATOR:
+@@ -1297,7 +1297,6 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+                       msg_type, hdr->code, hdr->identifier,
+                       invalid_authenticator ? " [INVALID AUTHENTICATOR]" :
+                       "");
+-       radius_client_msg_free(req);
+ 
+  fail:
+        radius_msg_free(msg);
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2025-24912-02.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2025-24912-02.patch
new file mode 100644
index 0000000000..add2e47048
--- /dev/null
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2025-24912-02.patch
@@ -0,0 +1,70 @@
+From 339a334551ca911187cc870f4f97ef08e11db109 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <quic_jouni@quicinc.com>
+Date: Wed, 5 Feb 2025 19:23:39 +0200
+Subject: [PATCH] RADIUS: Fix pending request dropping
+A recent change to this moved the place where the processed RADIUS
+request was removed from the pending list to happen after the message
+handler had been called. This did not take into account possibility of
+the handler adding a new pending request in the list and the prev_req
+pointer not necessarily pointing to the correct entry anymore. As such,
+some of the pending requests could have been lost and that would result
+in not being able to process responses to those requests and also, to a
+memory leak.
+Fix this by determining prev_req at the point when the pending request
+is being removed, i.e., after the handler function has already added a
+new entry.
+Fixes: 726432d7622c ("RADIUS: Drop pending request only when accepting the response")
+Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
+CVE: CVE-2025-24912
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=339a334551ca911187cc870f4f97ef08e11db109]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/radius/radius_client.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+diff --git a/src/radius/radius_client.c b/src/radius/radius_client.c
+index 7909b29a7..d4faa7936 100644
+--- a/src/radius/radius_client.c
+++ b/src/radius/radius_client.c
+@@ -1099,7 +1099,7 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+        struct radius_hdr *hdr;
+        struct radius_rx_handler *handlers;
+        size_t num_handlers, i;
+-       struct radius_msg_list *req, *prev_req;
+       struct radius_msg_list *req, *prev_req, *r;
+        struct os_reltime now;
+        struct hostapd_radius_server *rconf;
+        int invalid_authenticator = 0;
+@@ -1224,7 +1224,6 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+                break;
+        }
+ 
+-       prev_req = NULL;
+        req = radius->msgs;
+        while (req) {
+                /* TODO: also match by src addr:port of the packet when using
+@@ -1236,7 +1235,6 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+                    hdr->identifier)
+                        break;
+ 
+-               prev_req = req;
+                req = req->next;
+        }
+ 
+@@ -1270,6 +1268,12 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+                        /* fall through */
+                case RADIUS_RX_QUEUED:
+                        /* Remove ACKed RADIUS packet from retransmit list */
+                       prev_req = NULL;
+                       for (r = radius->msgs; r; r = r->next) {
+                               if (r == req)
+                                       break;
+                               prev_req = r;
+                       }
+                        if (prev_req)
+                                prev_req->next = req->next;
+                        else
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd_2.11.bb b/meta-oe/recipes-connectivity/hostapd/hostapd_2.11.bb
index daaf2dcd55..a6f7122847 100644
--- a/meta-oe/recipes-connectivity/hostapd/hostapd_2.11.bb
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd_2.11.bb
@@ -12,6 +12,8 @@ SRC_URI = " \
    file://defconfig \
    file://init \
    file://hostapd.service \
+    file://CVE-2025-24912-01.patch \
+    file://CVE-2025-24912-02.patch \
 "

diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2025-24912-01.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2025-24912-01.patch new file mode 100644 index 0000000000..36660b5880 --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2025-24912-01.patch
@@ -0,0 +1,79 @@
		1	From 726432d7622cc0088ac353d073b59628b590ea44 Mon Sep 17 00:00:00 2001
		2	From: Jouni Malinen <j@w1.fi>
		3	Date: Sat, 25 Jan 2025 11:21:16 +0200
		4	Subject: [PATCH] RADIUS: Drop pending request only when accepting the response
		5
		6	The case of an invalid authenticator in a RADIUS response could imply
		7	that the response is not from the correct RADIUS server and as such,
		8	such a response should be discarded without changing internal state for
		9	the pending request. The case of an unknown response (RADIUS_RX_UNKNOWN)
		10	is somewhat more complex since it could have been indicated before
		11	validating the authenticator. In any case, it seems better to change the
		12	state for the pending request only when we have fully accepted the
		13	response.
		14
		15	Allowing the internal state of pending RADIUS request to change based on
		16	responses that are not fully validation could have allow at least a
		17	theoretical DoS attack if an attacker were to have means for injecting
		18	RADIUS messages to the network using the IP address of the real RADIUS
		19	server and being able to do so more quickly than the real server and
		20	with the matching identifier from the request header (i.e., either by
		21	flooding 256 responses quickly or by having means to capture the RADIUS
		22	request). These should not really be realistic options in a properly
		23	protected deployment, but nevertheless it is good to be more careful in
		24	processing RADIUS responses.
		25
		26	Remove a pending RADIUS request from the internal list only when having
		27	fully accepted a matching RADIUS response, i.e., after one of the
		28	registered handlers has confirmed that the authenticator is valid and
		29	processing of the response has succeeded.
		30
		31	Signed-off-by: Jouni Malinen <j@w1.fi>
		32
		33	CVE: CVE-2025-24912
		34	Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=726432d7622cc0088ac353d073b59628b590ea44]
		35	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		36	---
		37	src/radius/radius_client.c \| 15 +++++++--------
		38	1 file changed, 7 insertions(+), 8 deletions(-)
		39
		40	diff --git a/src/radius/radius_client.c b/src/radius/radius_client.c
		41	index 2a7f36170..7909b29a7 100644
		42	--- a/src/radius/radius_client.c
		43	+++ b/src/radius/radius_client.c
		44	@@ -1259,13 +1259,6 @@ static void radius_client_receive(int sock, void eloop_ctx, void sock_ctx)
		45	roundtrip / 100, roundtrip % 100);
		46	rconf->round_trip_time = roundtrip;
		47
		48	- /* Remove ACKed RADIUS packet from retransmit list */
		49	- if (prev_req)
		50	- prev_req->next = req->next;
		51	- else
		52	- radius->msgs = req->next;
		53	- radius->num_msgs--;
		54	-
		55	for (i = 0; i < num_handlers; i++) {
		56	RadiusRxResult res;
		57	res = handlers[i].handler(msg, req->msg, req->shared_secret,
		58	@@ -1276,6 +1269,13 @@ static void radius_client_receive(int sock, void eloop_ctx, void sock_ctx)
		59	radius_msg_free(msg);
		60	/* fall through */
		61	case RADIUS_RX_QUEUED:
		62	+ /* Remove ACKed RADIUS packet from retransmit list */
		63	+ if (prev_req)
		64	+ prev_req->next = req->next;
		65	+ else
		66	+ radius->msgs = req->next;
		67	+ radius->num_msgs--;
		68	+
		69	radius_client_msg_free(req);
		70	return;
		71	case RADIUS_RX_INVALID_AUTHENTICATOR:
		72	@@ -1297,7 +1297,6 @@ static void radius_client_receive(int sock, void eloop_ctx, void sock_ctx)
		73	msg_type, hdr->code, hdr->identifier,
		74	invalid_authenticator ? " [INVALID AUTHENTICATOR]" :
		75	"");
		76	- radius_client_msg_free(req);
		77
		78	fail:
		79	radius_msg_free(msg);


diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2025-24912-02.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2025-24912-02.patch new file mode 100644 index 0000000000..add2e47048 --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2025-24912-02.patch
@@ -0,0 +1,70 @@
		1	From 339a334551ca911187cc870f4f97ef08e11db109 Mon Sep 17 00:00:00 2001
		2	From: Jouni Malinen <quic_jouni@quicinc.com>
		3	Date: Wed, 5 Feb 2025 19:23:39 +0200
		4	Subject: [PATCH] RADIUS: Fix pending request dropping
		5
		6	A recent change to this moved the place where the processed RADIUS
		7	request was removed from the pending list to happen after the message
		8	handler had been called. This did not take into account possibility of
		9	the handler adding a new pending request in the list and the prev_req
		10	pointer not necessarily pointing to the correct entry anymore. As such,
		11	some of the pending requests could have been lost and that would result
		12	in not being able to process responses to those requests and also, to a
		13	memory leak.
		14
		15	Fix this by determining prev_req at the point when the pending request
		16	is being removed, i.e., after the handler function has already added a
		17	new entry.
		18
		19	Fixes: 726432d7622c ("RADIUS: Drop pending request only when accepting the response")
		20	Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
		21
		22	CVE: CVE-2025-24912
		23	Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=339a334551ca911187cc870f4f97ef08e11db109]
		24	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		25	---
		26	src/radius/radius_client.c \| 10 +++++++---
		27	1 file changed, 7 insertions(+), 3 deletions(-)
		28
		29	diff --git a/src/radius/radius_client.c b/src/radius/radius_client.c
		30	index 7909b29a7..d4faa7936 100644
		31	--- a/src/radius/radius_client.c
		32	+++ b/src/radius/radius_client.c
		33	@@ -1099,7 +1099,7 @@ static void radius_client_receive(int sock, void eloop_ctx, void sock_ctx)
		34	struct radius_hdr *hdr;
		35	struct radius_rx_handler *handlers;
		36	size_t num_handlers, i;
		37	- struct radius_msg_list req, prev_req;
		38	+ struct radius_msg_list req, prev_req, *r;
		39	struct os_reltime now;
		40	struct hostapd_radius_server *rconf;
		41	int invalid_authenticator = 0;
		42	@@ -1224,7 +1224,6 @@ static void radius_client_receive(int sock, void eloop_ctx, void sock_ctx)
		43	break;
		44	}
		45
		46	- prev_req = NULL;
		47	req = radius->msgs;
		48	while (req) {
		49	/* TODO: also match by src addr:port of the packet when using
		50	@@ -1236,7 +1235,6 @@ static void radius_client_receive(int sock, void eloop_ctx, void sock_ctx)
		51	hdr->identifier)
		52	break;
		53
		54	- prev_req = req;
		55	req = req->next;
		56	}
		57
		58	@@ -1270,6 +1268,12 @@ static void radius_client_receive(int sock, void eloop_ctx, void sock_ctx)
		59	/* fall through */
		60	case RADIUS_RX_QUEUED:
		61	/* Remove ACKed RADIUS packet from retransmit list */
		62	+ prev_req = NULL;
		63	+ for (r = radius->msgs; r; r = r->next) {
		64	+ if (r == req)
		65	+ break;
		66	+ prev_req = r;
		67	+ }
		68	if (prev_req)
		69	prev_req->next = req->next;
		70	else


diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd_2.11.bb b/meta-oe/recipes-connectivity/hostapd/hostapd_2.11.bb index daaf2dcd55..a6f7122847 100644 --- a/meta-oe/recipes-connectivity/hostapd/hostapd_2.11.bb +++ b/meta-oe/recipes-connectivity/hostapd/hostapd_2.11.bb
@@ -12,6 +12,8 @@ SRC_URI = " \
12	file://defconfig \	12	file://defconfig \
13	file://init \	13	file://init \
14	file://hostapd.service \	14	file://hostapd.service \
		15	file://CVE-2025-24912-01.patch \
		16	file://CVE-2025-24912-02.patch \
15	"	17	"
16		18
17		19