Bug 256120 - [net80211] [patch]: prevent plaintext injecting using cloaked A-MSDUs
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: wireless
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Bjoern A. Zeeb
Reported: 2021-05-24 13:19 UTC by Mathy
Modified: 2021-06-09 05:25 UTC

Attachments
patch: git diff file (7.56 KB, patch)
2021-05-24 13:19 UTC, Mathy

Description Mathy 2021-05-24 13:19:38 UTC
Created attachment 225222
patch: git diff file

FreeBSD is vulnerable to CVE-2020-26144 of the "FragAttacks" findings. For background see Section 6.5 in https://papers.mathyvanhoef.com/usenix2021.pdf

This vulnerability can be reproduced using the FragAttack test tool at https://github.com/vanhoefm/fragattacks with the test case "eapol-amsdu-bad I,P" (the injected ping request should be rejected by the kernel).

The attached patch fixes this vulnerability. It was tested using a Belkin F5D8053 (run driver) in client mode.
Comment 1 Bjoern A. Zeeb freebsd_committer 2021-06-06 22:45:23 UTC
And lastly this one is at https://reviews.freebsd.org/D30665 .

For this one I did add "else eh = NULL" initializations; I am not sure why there were no warnings turned into errors.