| 12345678910111213141516171819202122232425262728293031323334353637383940 |
- From: Mathy Vanhoef <[email protected]>
- Date: Tue, 11 May 2021 20:02:45 +0200
- Subject: [PATCH] cfg80211: mitigate A-MSDU aggregation attacks
- Mitigate A-MSDU injection attacks (CVE-2020-24588) by detecting if the
- destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP)
- header, and if so dropping the complete A-MSDU frame. This mitigates
- known attacks, although new (unknown) aggregation-based attacks may
- remain possible.
- This defense works because in A-MSDU aggregation injection attacks, a
- normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means
- the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042
- header. In other words, the destination MAC address of the first A-MSDU
- subframe contains the start of an RFC1042 header during an aggregation
- attack. We can detect this and thereby prevent this specific attack.
- For details, see Section 7.2 of "Fragment and Forge: Breaking Wi-Fi
- Through Frame Aggregation and Fragmentation".
- Note that for kernel 4.9 and above this patch depends on "mac80211:
- properly handle A-MSDUs that start with a rfc1042 header". Otherwise
- this patch has no impact and attacks will remain possible.
- Cc: [email protected]
- Signed-off-by: Mathy Vanhoef <[email protected]>
- Signed-off-by: Johannes Berg <[email protected]>
- ---
- --- a/net/wireless/util.c
- +++ b/net/wireless/util.c
- @@ -775,6 +775,9 @@ void ieee80211_amsdu_to_8023s(struct sk_
- remaining = skb->len - offset;
- if (subframe_len > remaining)
- goto purge;
- + /* mitigate A-MSDU aggregation injection attacks */
- + if (ether_addr_equal(eth.h_dest, rfc1042_header))
- + goto purge;
-
- offset += sizeof(struct ethhdr);
- last = remaining <= subframe_len + padding;
|
