net80211: prevent plaintext injection by A-MSDU RFC1042/EAPOL frames
Closed, Public

Authored by bz on Jun 6 2021, 10:38 PM.

Details

Summary

No longer accept plaintext A-MSDU frames that start with an RFC1042
header with EtherType EAPOL. This is done by only accepting EAPOL
packets that are included in non-aggregated 802.11 frames.

Note that before this patch, FreeBSD also only accepted EAPOL frames
that are sent in a non-aggregated 802.11 frame due to bugs in
processing EAPOL packets inside A-MSDUs. In other words,
compatibility with legitimate devices remains the same.

This relates to section 6.5 in the 2021 Usenix "FragAttacks" (Fragment
and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation)
paper.

Submitted by: Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
Security: CVE-2020-26144
PR: 256120
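
A simplified model of the rule in the summary above, added here as an illustration and not taken from the net80211 patch: the plaintext EAPOL exception is granted only when the frame is not flagged as an A-MSDU, however its first eight payload octets read. The helper names, the single QoS Control octet argument and the sample payload are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QOS_AMSDU_PRESENT 0x80	/* A-MSDU Present bit, first QoS Control octet */
#define ETHERTYPE_EAPOL   0x888e

/* RFC 1042 LLC/SNAP prefix; the EtherType follows in octets 6-7. */
static const uint8_t rfc1042_hdr[6] = { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 };

/* Header-only test: payload starts with RFC1042 + EtherType EAPOL. */
static bool
starts_with_eapol(const uint8_t *p, size_t len)
{
	if (len < 8 || memcmp(p, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0)
		return (false);
	return (((p[6] << 8) | p[7]) == ETHERTYPE_EAPOL);
}

/*
 * Hypothetical helper: may this unencrypted data frame use the EAPOL
 * exception? A frame flagged as A-MSDU never qualifies, whatever its
 * first eight payload octets look like.
 */
static bool
plaintext_eapol_allowed(uint8_t qos0, const uint8_t *p, size_t len)
{
	if (qos0 & QOS_AMSDU_PRESENT)
		return (false);
	return (starts_with_eapol(p, len));
}

/* Constructed sample payload: RFC1042 header, EtherType EAPOL, 4 body octets. */
static const uint8_t sample[] = {
	0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00, 0x88, 0x8e, 0x02, 0x03, 0x00, 0x5f
};

int
main(void)
{
	printf("header-only check:    %d\n", starts_with_eapol(sample, sizeof(sample)));
	printf("non-aggregated frame: %d\n", plaintext_eapol_allowed(0x00, sample, sizeof(sample)));
	printf("A-MSDU flag set:      %d\n", plaintext_eapol_allowed(QOS_AMSDU_PRESENT, sample, sizeof(sample)));
	return (0);
}
```

The header-only check returns the same answer for both frames, which is why the decision has to take the A-MSDU flag into account before the payload is inspected.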

Diff Detail

Repository: rS FreeBSD src repository - subversion
Lint: Lint Passed
Unit: No Test Coverage
Build Status: Buildable 39755; Build 36644: arc lint + arc unit

Event Timeline

bz requested review of this revision. Jun 6 2021, 10:38 PM

Please see PR for original description/comments; I did add the "else eh = NULL" bits here and wrapped the debug logging.

If no one has any (further) comments I'll commit these tomorrow morning (UTC).

A minor comment inline but no objection to this patch.

sys/net80211/ieee80211_adhoc.c, line 590

I might take advantage of the recent >80 col style allowance to keep at least the main part of the message together (or, just break before "ether type" perhaps)

I could see someone upon encountering this message doing a grep for unauthorized or unknown.

And similar for other messages.

bz marked an inline comment as done. Sep 29 2021, 10:10 PM
bz added inline comments.
sys/net80211/ieee80211_adhoc.c, line 590

I was pondering this but I added __func__, __LINE__ information to all of them in cb5c07649aa005abb1e847c2cd5f816d762efb93 so I think formatting/wrapping won't matter so much anymore on any of them.
Do you think I should still do it?

This revision was not accepted when it landed; it landed in state Needs Review. Sep 30 2021, 2:56 PM
This revision was automatically updated to reflect the committed changes.
bz marked an inline comment as done.