Startsida Utforska Hjälp
Registrera dig Logga in
OpenWrt
/
openwrt
spegling av https://github.com/openwrt/openwrt.git
2
0
Fork 0
Filer Ärenden 0 Wiki
Träd: 025bd93f36
Grenar Taggar
openwrt
/
package
/
kernel
/
mac80211
/
patches
/
subsys
/
388-mac80211-do-not-accept-forward-invalid-EAPOL-frames.patch

388-mac80211-do-not-accept-forward-invalid-EAPOL-frames.patch 4.0 KB
Historik

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394 
  1. From: Johannes Berg <[email protected]>
    2. 

  2. Date: Tue, 11 May 2021 20:02:50 +0200
    3. 

  3. Subject: [PATCH] mac80211: do not accept/forward invalid EAPOL frames
    4. 

  4. 

  5. EAPOL frames are used for authentication and key management between the
    6. 

  6. AP and each individual STA associated in the BSS. Those frames are not
    7. 

  7. supposed to be sent by one associated STA to another associated STA
    8. 

  8. (either unicast for broadcast/multicast).
    9. 

  9. 

  10. Similarly, in 802.11 they're supposed to be sent to the authenticator
    11. 

  11. (AP) address.
    12. 

  12. 

  13. Since it is possible for unexpected EAPOL frames to result in misbehavior
    14. 

  14. in supplicant implementations, it is better for the AP to not allow such
    15. 

  15. cases to be forwarded to other clients either directly, or indirectly if
    16. 

  16. the AP interface is part of a bridge.
    17. 

  17. 

  18. Accept EAPOL (control port) frames only if they're transmitted to the
    19. 

  19. own address, or, due to interoperability concerns, to the PAE group
    20. 

  20. address.
    21. 

  21. 

  22. Disable forwarding of EAPOL (or well, the configured control port
    23. 

  23. protocol) frames back to wireless medium in all cases. Previously, these
    24. 

  24. frames were accepted from fully authenticated and authorized stations
    25. 

  25. and also from unauthenticated stations for one of the cases.
    26. 

  26. 

  27. Additionally, to avoid forwarding by the bridge, rewrite the PAE group
    28. 

  28. address case to the local MAC address.
    29. 

  29. 

  30. Cc: [email protected]
    31. 

  31. Co-developed-by: Jouni Malinen <[email protected]>
    32. 

  32. Signed-off-by: Jouni Malinen <[email protected]>
    33. 

  33. Signed-off-by: Johannes Berg <[email protected]>
    34. 

  34. ---
    35. 

  35. 

  36. --- a/net/mac80211/rx.c
    37. 

  37. +++ b/net/mac80211/rx.c
    38. 

  38. @@ -2541,13 +2541,13 @@ static bool ieee80211_frame_allowed(stru
    39. 

  39.  	struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;
    40. 

  40.  
    41. 

  41.  	/*
    42. 

  42. -	 * Allow EAPOL frames to us/the PAE group address regardless
    43. 

  43. -	 * of whether the frame was encrypted or not.
    44. 

  44. +	 * Allow EAPOL frames to us/the PAE group address regardless of
    45. 

  45. +	 * whether the frame was encrypted or not, and always disallow
    46. 

  46. +	 * all other destination addresses for them.
    47. 

  47.  	 */
    48. 

  48. -	if (ehdr->h_proto == rx->sdata->control_port_protocol &&
    49. 

  49. -	    (ether_addr_equal(ehdr->h_dest, rx->sdata->vif.addr) ||
    50. 

  50. -	     ether_addr_equal(ehdr->h_dest, pae_group_addr)))
    51. 

  51. -		return true;
    52. 

  52. +	if (unlikely(ehdr->h_proto == rx->sdata->control_port_protocol))
    53. 

  53. +		return ether_addr_equal(ehdr->h_dest, rx->sdata->vif.addr) ||
    54. 

  54. +		       ether_addr_equal(ehdr->h_dest, pae_group_addr);
    55. 

  55.  
    56. 

  56.  	if (ieee80211_802_1x_port_control(rx) ||
    57. 

  57.  	    ieee80211_drop_unencrypted(rx, fc))
    58. 

  58. @@ -2572,8 +2572,28 @@ static void ieee80211_deliver_skb_to_loc
    59. 

  59.  		cfg80211_rx_control_port(dev, skb, noencrypt);
    60. 

  60.  		dev_kfree_skb(skb);
    61. 

  61.  	} else {
    62. 

  62. +		struct ethhdr *ehdr = (void *)skb_mac_header(skb);
    63. 

  63. +
    64. 

  64.  		memset(skb->cb, 0, sizeof(skb->cb));
    65. 

  65.  
    66. 

  66. +		/*
    67. 

  67. +		 * 802.1X over 802.11 requires that the authenticator address
    68. 

  68. +		 * be used for EAPOL frames. However, 802.1X allows the use of
    69. 

  69. +		 * the PAE group address instead. If the interface is part of
    70. 

  70. +		 * a bridge and we pass the frame with the PAE group address,
    71. 

  71. +		 * then the bridge will forward it to the network (even if the
    72. 

  72. +		 * client was not associated yet), which isn't supposed to
    73. 

  73. +		 * happen.
    74. 

  74. +		 * To avoid that, rewrite the destination address to our own
    75. 

  75. +		 * address, so that the authenticator (e.g. hostapd) will see
    76. 

  76. +		 * the frame, but bridge won't forward it anywhere else. Note
    77. 

  77. +		 * that due to earlier filtering, the only other address can
    78. 

  78. +		 * be the PAE group address.
    79. 

  79. +		 */
    80. 

  80. +		if (unlikely(skb->protocol == sdata->control_port_protocol &&
    81. 

  81. +			     !ether_addr_equal(ehdr->h_dest, sdata->vif.addr)))
    82. 

  82. +			ether_addr_copy(ehdr->h_dest, sdata->vif.addr);
    83. 

  83. +
    84. 

  84.  		/* deliver to local stack */
    85. 

  85.  		if (rx->list)
    86. 

  86.  #if LINUX_VERSION_IS_GEQ(4,19,0)
    87. 

  87. @@ -2617,6 +2637,7 @@ ieee80211_deliver_skb(struct ieee80211_r
    88. 

  88.  	if ((sdata->vif.type == NL80211_IFTYPE_AP ||
    89. 

  89.  	     sdata->vif.type == NL80211_IFTYPE_AP_VLAN) &&
    90. 

  90.  	    !(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) &&
    91. 

  91. +	    ehdr->h_proto != rx->sdata->control_port_protocol &&
    92. 

  92.  	    (sdata->vif.type != NL80211_IFTYPE_AP_VLAN || !sdata->u.vlan.sta)) {
    93. 

  93.  		if (is_multicast_ether_addr(ehdr->h_dest) &&
    94. 

  94.  		    ieee80211_vif_get_num_mcast_if(sdata) != 0) {
    95.