FreeBSD Bugzilla – Attachment 225220 Details for
Bug 256118
[net80211] [patch]: reject mixed plaintext/encrypted fragments
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
patch: git diff file
0001-net80211-reject-mixed-plaintext-encrypted-fragments.patch (text/plain), 5.98 KB, created by
Mathy
on 2021-05-24 13:12:58 UTC
(
hide
)
Description:
patch: git diff file
Filename:
MIME Type:
Creator:
Mathy
Created:
2021-05-24 13:12:58 UTC
Size:
5.98 KB
patch
obsolete
>From 15c496006baf388ba1174d94167a7ad3a31e9c38 Mon Sep 17 00:00:00 2001 >From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be> >Date: Mon, 24 May 2021 15:21:30 +0400 >Subject: [PATCH 1/3] net80211: reject mixed plaintext/encrypted fragments > >--- > sys/net80211/ieee80211_adhoc.c | 2 +- > sys/net80211/ieee80211_hostap.c | 2 +- > sys/net80211/ieee80211_input.c | 20 +++++++++++++++++--- > sys/net80211/ieee80211_input.h | 2 +- > sys/net80211/ieee80211_mesh.c | 2 +- > sys/net80211/ieee80211_sta.c | 2 +- > sys/net80211/ieee80211_wds.c | 2 +- > 7 files changed, 23 insertions(+), 9 deletions(-) > >diff --git a/sys/net80211/ieee80211_adhoc.c b/sys/net80211/ieee80211_adhoc.c >index ea1519b3381..a23f138802d 100644 >--- a/sys/net80211/ieee80211_adhoc.c >+++ b/sys/net80211/ieee80211_adhoc.c >@@ -531,7 +531,7 @@ adhoc_input(struct ieee80211_node *ni, struct mbuf *m, > * Next up, any fragmentation. > */ > if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { >- m = ieee80211_defrag(ni, m, hdrspace); >+ m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); > if (m == NULL) { > /* Fragment dropped or frame not complete yet */ > goto out; >diff --git a/sys/net80211/ieee80211_hostap.c b/sys/net80211/ieee80211_hostap.c >index 16a3d97ae7f..15d42a68235 100644 >--- a/sys/net80211/ieee80211_hostap.c >+++ b/sys/net80211/ieee80211_hostap.c >@@ -719,7 +719,7 @@ hostap_input(struct ieee80211_node *ni, struct mbuf *m, > * Next up, any fragmentation. > */ > if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { >- m = ieee80211_defrag(ni, m, hdrspace); >+ m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); > if (m == NULL) { > /* Fragment dropped or frame not complete yet */ > goto out; >diff --git a/sys/net80211/ieee80211_input.c b/sys/net80211/ieee80211_input.c >index aa557fc1ec2..9e2189c7e43 100644 >--- a/sys/net80211/ieee80211_input.c >+++ b/sys/net80211/ieee80211_input.c >@@ -170,7 +170,8 @@ ieee80211_input_mimo_all(struct ieee80211com *ic, struct mbuf *m) > * XXX should handle 3 concurrent reassemblies per-spec. > */ > struct mbuf * >-ieee80211_defrag(struct ieee80211_node *ni, struct mbuf *m, int hdrspace) >+ieee80211_defrag(struct ieee80211_node *ni, struct mbuf *m, int hdrspace, >+ int has_decrypted) > { > struct ieee80211vap *vap = ni->ni_vap; > struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); >@@ -189,6 +190,10 @@ ieee80211_defrag(struct ieee80211_node *ni, struct mbuf *m, int hdrspace) > if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL) > return m; > >+ /* Temporarily set flag to remember if fragment was encrypted */ >+ if (has_decrypted) >+ wh->i_fc[1] |= IEEE80211_FC1_PROTECTED; >+ > /* > * Remove frag to insure it doesn't get reaped by timer. > */ >@@ -219,10 +224,14 @@ ieee80211_defrag(struct ieee80211_node *ni, struct mbuf *m, int hdrspace) > > lwh = mtod(mfrag, struct ieee80211_frame *); > last_rxseq = le16toh(*(uint16_t *)lwh->i_seq); >- /* NB: check seq # and frag together */ >+ /* >+ * NB: check seq # and frag together. Also check that both >+ * fragments are plaintext or that both are encrypted. >+ * */ > if (rxseq == last_rxseq+1 && > IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) && >- IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) { >+ IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2) && >+ !((wh->i_fc[1] ^ lwh->i_fc[1]) & IEEE80211_FC1_PROTECTED)) { > /* XXX clear MORE_FRAG bit? */ > /* track last seqnum and fragno */ > *(uint16_t *) lwh->i_seq = *(uint16_t *) wh->i_seq; >@@ -253,6 +262,11 @@ ieee80211_defrag(struct ieee80211_node *ni, struct mbuf *m, int hdrspace) > ni->ni_rxfrag[0] = mfrag; > mfrag = NULL; > } >+ /* Remember to clear protected flag that was temporariy set */ >+ if (mfrag != NULL) { >+ wh = mtod(mfrag, struct ieee80211_frame *); >+ wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; >+ } > return mfrag; > } > >diff --git a/sys/net80211/ieee80211_input.h b/sys/net80211/ieee80211_input.h >index 810dcbde797..8ec82eef736 100644 >--- a/sys/net80211/ieee80211_input.h >+++ b/sys/net80211/ieee80211_input.h >@@ -309,7 +309,7 @@ ieee80211_check_rxseq(struct ieee80211_node *ni, struct ieee80211_frame *wh, > void ieee80211_deliver_data(struct ieee80211vap *, > struct ieee80211_node *, struct mbuf *); > struct mbuf *ieee80211_defrag(struct ieee80211_node *, >- struct mbuf *, int); >+ struct mbuf *, int, int); > struct mbuf *ieee80211_realign(struct ieee80211vap *, struct mbuf *, size_t); > struct mbuf *ieee80211_decap(struct ieee80211vap *, struct mbuf *, int); > struct mbuf *ieee80211_decap1(struct mbuf *, int *); >diff --git a/sys/net80211/ieee80211_mesh.c b/sys/net80211/ieee80211_mesh.c >index 48a3590d0cf..63c207d7900 100644 >--- a/sys/net80211/ieee80211_mesh.c >+++ b/sys/net80211/ieee80211_mesh.c >@@ -1642,7 +1642,7 @@ mesh_input(struct ieee80211_node *ni, struct mbuf *m, > */ > hdrspace = ieee80211_hdrspace(ic, wh); > if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { >- m = ieee80211_defrag(ni, m, hdrspace); >+ m = ieee80211_defrag(ni, m, hdrspace, 0); > if (m == NULL) { > /* Fragment dropped or frame not complete yet */ > goto out; >diff --git a/sys/net80211/ieee80211_sta.c b/sys/net80211/ieee80211_sta.c >index 43dc8b6dfec..6d24eadc11a 100644 >--- a/sys/net80211/ieee80211_sta.c >+++ b/sys/net80211/ieee80211_sta.c >@@ -795,7 +795,7 @@ sta_input(struct ieee80211_node *ni, struct mbuf *m, > * Next up, any fragmentation. > */ > if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { >- m = ieee80211_defrag(ni, m, hdrspace); >+ m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); > if (m == NULL) { > /* Fragment dropped or frame not complete yet */ > goto out; >diff --git a/sys/net80211/ieee80211_wds.c b/sys/net80211/ieee80211_wds.c >index 8eaffcf8773..f59a92b992d 100644 >--- a/sys/net80211/ieee80211_wds.c >+++ b/sys/net80211/ieee80211_wds.c >@@ -594,7 +594,7 @@ wds_input(struct ieee80211_node *ni, struct mbuf *m, > * Next up, any fragmentation. > */ > if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { >- m = ieee80211_defrag(ni, m, hdrspace); >+ m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); > if (m == NULL) { > /* Fragment dropped or frame not complete yet */ > goto out; >-- >2.31.1 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=225220">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 256118
: 225220