Bug 256118 - [net80211] [patch]: reject mixed plaintext/encrypted fragments
Summary: [net80211] [patch]: reject mixed plaintext/encrypted fragments
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: wireless (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Many People
Assignee: Bjoern A. Zeeb
Depends on:
Reported: 2021-05-24 13:12 UTC by Mathy
Modified: 2021-06-06 22:43 UTC (History)
1 user (show)

See Also:

patch: git diff file (5.98 KB, patch)
2021-05-24 13:12 UTC, Mathy
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Mathy 2021-05-24 13:12:58 UTC
Created attachment 225220 [details]
patch: git diff file

FreeBSD accepts fragmented 802.11 frames in a protected Wi-Fi network even when some of the fragments were not encrypted. This corresponds to CVE-2020-26147 of the "FragAttacks" research. For background see Section 6.3 in https://papers.mathyvanhoef.com/usenix2021.pdf

This vulnerability can be reproduced using the FragAttack test tool at https://github.com/vanhoefm/fragattacks with the test case "ping I,P,E" and/or "ping I,P,E" (the transmitted ping request should be rejected by the kernel).

The attached patches fixes this vulnerability. It was tested using a Belkin F5D8053 (run driver) in client mode. I'm not sure if I'm using the best way to track whether a fragment was encrypted, but it gets the job done with a low number of code changes.

FYI: I've submitted a similar patch to NetBSD: https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=56204
Comment 1 Bjoern A. Zeeb freebsd_committer 2021-06-06 22:43:14 UTC
Thanks for all the work and submitting the patches.

I have uploaded them to our review system (given they are public).
This one is here: