mirror of
https://github.com/openwrt/openwrt.git
synced 2025-01-17 18:30:24 +00:00
41 lines
1.7 KiB
Diff
41 lines
1.7 KiB
Diff
|
From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
|
||
|
Date: Tue, 11 May 2021 20:02:45 +0200
|
||
|
Subject: [PATCH] cfg80211: mitigate A-MSDU aggregation attacks
|
||
|
|
||
|
Mitigate A-MSDU injection attacks (CVE-2020-24588) by detecting if the
|
||
|
destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP)
|
||
|
header, and if so dropping the complete A-MSDU frame. This mitigates
|
||
|
known attacks, although new (unknown) aggregation-based attacks may
|
||
|
remain possible.
|
||
|
|
||
|
This defense works because in A-MSDU aggregation injection attacks, a
|
||
|
normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means
|
||
|
the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042
|
||
|
header. In other words, the destination MAC address of the first A-MSDU
|
||
|
subframe contains the start of an RFC1042 header during an aggregation
|
||
|
attack. We can detect this and thereby prevent this specific attack.
|
||
|
For details, see Section 7.2 of "Fragment and Forge: Breaking Wi-Fi
|
||
|
Through Frame Aggregation and Fragmentation".
|
||
|
|
||
|
Note that for kernel 4.9 and above this patch depends on "mac80211:
|
||
|
properly handle A-MSDUs that start with a rfc1042 header". Otherwise
|
||
|
this patch has no impact and attacks will remain possible.
|
||
|
|
||
|
Cc: stable@vger.kernel.org
|
||
|
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
|
||
|
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
||
|
---
|
||
|
|
||
|
--- a/net/wireless/util.c
|
||
|
+++ b/net/wireless/util.c
|
||
|
@@ -775,6 +775,9 @@ void ieee80211_amsdu_to_8023s(struct sk_
|
||
|
remaining = skb->len - offset;
|
||
|
if (subframe_len > remaining)
|
||
|
goto purge;
|
||
|
+ /* mitigate A-MSDU aggregation injection attacks */
|
||
|
+ if (ether_addr_equal(eth.h_dest, rfc1042_header))
|
||
|
+ goto purge;
|
||
|
|
||
|
offset += sizeof(struct ethhdr);
|
||
|
last = remaining <= subframe_len + padding;
|