FreeBSD Bugzilla – Attachment 225222 Details for
Bug 256120
[net80211] [patch]: prevent plaintext injecting using cloaked A-MSDUs
[patch]
patch: git diff file
0003-net80211-prevent-CVE-2020-26144-regarding-EAPOL-A-MS.patch (text/plain), 7.56 KB, created by
Mathy
on 2021-05-24 13:19:38 UTC
Description:
patch: git diff file
Creator:
Mathy
Created:
2021-05-24 13:19:38 UTC
Size:
7.56 KB
>From 67c753cb0b7611b689d3d0e200d2b1bbe9b28a80 Mon Sep 17 00:00:00 2001
>From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
>Date: Mon, 24 May 2021 17:02:30 +0400
>Subject: [PATCH 3/3] net80211: prevent CVE-2020-26144 regarding EAPOL/A-MSDUs
>
>Address CVE-2020-26144 (accepting plaintext A-MSDU frames that start
>with an RFC1042 header with EtherType EAPOL). This is done by only
>accepting EAPOL packets that are included in a non-aggregated 802.11
>frames.
>
>Note that before the FragAttack patches, FreeBSD also only accepted
>EAPOL frames that are sent in a non-aggregated 802.11 frame due to
>bugs in processing EAPOL packets inside A-MSDUs. In other words,
>compatibility with legitimate devices remains the same.
>---
> sys/net80211/ieee80211_adhoc.c | 16 ++++++++++------
> sys/net80211/ieee80211_hostap.c | 16 ++++++++++------
> sys/net80211/ieee80211_sta.c | 16 ++++++++++------
> sys/net80211/ieee80211_wds.c | 16 ++++++++++------
> 4 files changed, 40 insertions(+), 24 deletions(-)
>
>diff --git a/sys/net80211/ieee80211_adhoc.c b/sys/net80211/ieee80211_adhoc.c
>index e2164bbb46a..cd0181bddbc 100644
>--- a/sys/net80211/ieee80211_adhoc.c
>+++ b/sys/net80211/ieee80211_adhoc.c
>@@ -571,7 +571,8 @@ adhoc_input(struct ieee80211_node *ni, struct mbuf *m,
> IEEE80211_NODE_STAT(ni, rx_decap);
> goto err;
> }
>- eh = mtod(m, struct ether_header *);
>+ if (!(qos & IEEE80211_QOS_AMSDU))
>+ eh = mtod(m, struct ether_header *);
> if (!ieee80211_node_is_authorized(ni)) {
> /*
> * Deny any non-PAE frames received prior to
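Review bot: In this first adhoc_input hunk `eh` is assigned only on the non-A-MSDU path, so the `eh == NULL` tests added further down are correct only if `eh` was already NULL at this point; its declaration is outside the hunk, so that cannot be confirmed from what is shown. If `eh` is declared without an initialiser, an aggregated frame would reach the authorization and drop-unencrypted checks with an indeterminate pointer, and the EAPOL exemption this patch is meant to close could still be evaluated against whatever it happens to hold. Making the assignment explicit removes the dependency: `else eh = NULL; /* A-MSDU: never eligible for the EAPOL exemption */`. The same applies to the first hunks of hostap_input, sta_input and wds_input, and any use of `eh` later in these functions (outside the hunks) has to tolerate NULL as well.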
>@@ -581,11 +582,13 @@ adhoc_input(struct ieee80211_node *ni, struct mbuf *m,
> * the port is not marked authorized by the
> * authenticator until the handshake has completed.
> */
>- if (eh->ether_type != htons(ETHERTYPE_PAE)) {
>+ if (eh == NULL ||
>+ eh->ether_type != htons(ETHERTYPE_PAE)) {
> IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
>- eh->ether_shost, "data",
>- "unauthorized port: ether type 0x%x len %u",
>- eh->ether_type, m->m_pkthdr.len);
>+ ni->ni_macaddr, "data",
>+ "unauthorized or unknown port: ether type 0x%x len %u",
>+ eh == NULL ? -1 : eh->ether_type,
>+ m->m_pkthdr.len);
> vap->iv_stats.is_rx_unauth++;
> IEEE80211_NODE_STAT(ni, rx_unauth);
> goto err;
>@@ -598,7 +601,8 @@ adhoc_input(struct ieee80211_node *ni, struct mbuf *m,
> if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
> ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) &&
> (is_hw_decrypted == 0) &&
>- eh->ether_type != htons(ETHERTYPE_PAE)) {
>+ (eh == NULL ||
>+ eh->ether_type != htons(ETHERTYPE_PAE))) {
> /*
> * Drop unencrypted frames.
> */
>diff --git a/sys/net80211/ieee80211_hostap.c b/sys/net80211/ieee80211_hostap.c
>index 75fa1c0f7b3..d44d7f60c24 100644
>--- a/sys/net80211/ieee80211_hostap.c
>+++ b/sys/net80211/ieee80211_hostap.c
>@@ -757,7 +757,8 @@ hostap_input(struct ieee80211_node *ni, struct mbuf *m,
> IEEE80211_NODE_STAT(ni, rx_decap);
> goto err;
> }
>- eh = mtod(m, struct ether_header *);
>+ if (!(qos & IEEE80211_QOS_AMSDU))
>+ eh = mtod(m, struct ether_header *);
> if (!ieee80211_node_is_authorized(ni)) {
> /*
> * Deny any non-PAE frames received prior to
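Review bot: The discard message in the second adhoc_input hunk passes `eh == NULL ? -1 : eh->ether_type` to `0x%x`, so an A-MSDU rejected here is logged as ether type 0xffffffff, which reads like a parsed value rather than "header not examined". Anyone using this message or the `is_rx_unauth` counter to spot injection attempts cannot tell an aggregated frame from an ordinary non-EAPOL one; a separate message for the `eh == NULL` case, for example `"unauthorized port: A-MSDU len %u"`, would keep the two distinguishable. The logged address also changes from `eh->ether_shost` to `ni->ni_macaddr` for non-aggregated frames, which presumably drops the decapsulated source address from the record where it differs from the node address. The second hunks of hostap_input, sta_input and wds_input carry the same message.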
>@@ -767,11 +768,13 @@ hostap_input(struct ieee80211_node *ni, struct mbuf *m,
> * the port is not marked authorized by the
> * authenticator until the handshake has completed.
> */
>- if (eh->ether_type != htons(ETHERTYPE_PAE)) {
>+ if (eh == NULL ||
>+ eh->ether_type != htons(ETHERTYPE_PAE)) {
> IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
>- eh->ether_shost, "data",
>- "unauthorized port: ether type 0x%x len %u",
>- eh->ether_type, m->m_pkthdr.len);
>+ ni->ni_macaddr, "data",
>+ "unauthorized or unknown port: ether type 0x%x len %u",
>+ eh == NULL ? -1 : eh->ether_type,
>+ m->m_pkthdr.len);
> vap->iv_stats.is_rx_unauth++;
> IEEE80211_NODE_STAT(ni, rx_unauth);
> goto err;
>@@ -784,7 +787,8 @@ hostap_input(struct ieee80211_node *ni, struct mbuf *m,
> if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
> ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) &&
> (is_hw_decrypted == 0) &&
>- eh->ether_type != htons(ETHERTYPE_PAE)) {
>+ (eh == NULL ||
>+ eh->ether_type != htons(ETHERTYPE_PAE))) {
> /*
> * Drop unencrypted frames.
> */
>diff --git a/sys/net80211/ieee80211_sta.c b/sys/net80211/ieee80211_sta.c
>index 60a5ea10055..1c4bf187969 100644
>--- a/sys/net80211/ieee80211_sta.c
>+++ b/sys/net80211/ieee80211_sta.c
>@@ -840,7 +840,8 @@ sta_input(struct ieee80211_node *ni, struct mbuf *m,
> IEEE80211_NODE_STAT(ni, rx_decap);
> goto err;
> }
>- eh = mtod(m, struct ether_header *);
>+ if (!(qos & IEEE80211_QOS_AMSDU))
>+ eh = mtod(m, struct ether_header *);
> if (!ieee80211_node_is_authorized(ni)) {
> /*
> * Deny any non-PAE frames received prior to
>@@ -850,11 +851,13 @@ sta_input(struct ieee80211_node *ni, struct mbuf *m,
> * the port is not marked authorized by the
> * authenticator until the handshake has completed.
> */
>- if (eh->ether_type != htons(ETHERTYPE_PAE)) {
>+ if (eh == NULL ||
>+ eh->ether_type != htons(ETHERTYPE_PAE)) {
> IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
>- eh->ether_shost, "data",
>- "unauthorized port: ether type 0x%x len %u",
>- eh->ether_type, m->m_pkthdr.len);
>+ ni->ni_macaddr, "data",
>+ "unauthorized or unknown port: ether type 0x%x len %u",
>+ eh == NULL ? -1 : eh->ether_type,
>+ m->m_pkthdr.len);
> vap->iv_stats.is_rx_unauth++;
> IEEE80211_NODE_STAT(ni, rx_unauth);
> goto err;
>@@ -867,7 +870,8 @@ sta_input(struct ieee80211_node *ni, struct mbuf *m,
> if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
> ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) &&
> (is_hw_decrypted == 0) &&
>- eh->ether_type != htons(ETHERTYPE_PAE)) {
>+ (eh == NULL ||
>+ eh->ether_type != htons(ETHERTYPE_PAE))) {
> /*
> * Drop unencrypted frames.
> */
>diff --git a/sys/net80211/ieee80211_wds.c b/sys/net80211/ieee80211_wds.c
>index f88871ca4ae..a3bd3bd19a4 100644
>--- a/sys/net80211/ieee80211_wds.c
>+++ b/sys/net80211/ieee80211_wds.c
>@@ -634,7 +634,8 @@ wds_input(struct ieee80211_node *ni, struct mbuf *m,
> IEEE80211_NODE_STAT(ni, rx_decap);
> goto err;
> }
>- eh = mtod(m, struct ether_header *);
>+ if (!(qos & IEEE80211_QOS_AMSDU))
>+ eh = mtod(m, struct ether_header *);
> if (!ieee80211_node_is_authorized(ni)) {
> /*
> * Deny any non-PAE frames received prior to
>@@ -644,11 +645,13 @@ wds_input(struct ieee80211_node *ni, struct mbuf *m,
> * the port is not marked authorized by the
> * authenticator until the handshake has completed.
> */
>- if (eh->ether_type != htons(ETHERTYPE_PAE)) {
>+ if (eh == NULL ||
>+ eh->ether_type != htons(ETHERTYPE_PAE)) {
> IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
>- eh->ether_shost, "data",
>- "unauthorized port: ether type 0x%x len %u",
>- eh->ether_type, m->m_pkthdr.len);
>+ ni->ni_macaddr, "data",
>+ "unauthorized or unknown port: ether type 0x%x len %u",
>+ eh == NULL ? -1 : eh->ether_type,
>+ m->m_pkthdr.len);
> vap->iv_stats.is_rx_unauth++;
> IEEE80211_NODE_STAT(ni, rx_unauth);
> goto err;
>@@ -661,7 +664,8 @@ wds_input(struct ieee80211_node *ni, struct mbuf *m,
> if ((vap->iv_flags & IEEE80211_F_DROPUNENC) &&
> ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) &&
> (is_hw_decrypted == 0) &&
>- eh->ether_type != htons(ETHERTYPE_PAE)) {
>+ (eh == NULL ||
>+ eh->ether_type != htons(ETHERTYPE_PAE))) {
> /*
> * Drop unencrypted frames.
> */
>--
>2.31.1
>