From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, Denis Kirjanov, "Johannes Berg", "Jouni Malinen", "David S. Miller"
Date: Fri, 24 Apr 2020 00:03:55 +0100
Subject: [PATCH 3.16 008/245] mac80211: Do not send Layer 2 Update frame before authorization

3.16.83-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jouni Malinen

commit 3e493173b7841259a08c5c8e5cbe90adb349da7e upstream.

The Layer 2 Update frame is used to update bridges when a station roams to another AP even if that STA does not transmit any frames after the reassociation. This behavior was described in IEEE Std 802.11F-2003 as something that would happen based on MLME-ASSOCIATE.indication, i.e., before completing 4-way handshake. However, this IEEE trial-use recommended practice document was published before RSN (IEEE Std 802.11i-2004) and as such, did not consider RSN use cases. Furthermore, IEEE Std 802.11F-2003 was withdrawn in 2006 and as such, has not been maintained and should not be used anymore.

Sending out the Layer 2 Update frame immediately after association is fine for open networks (and also when using SAE, FT protocol, or FILS authentication when the station is actually authenticated by the time association completes). However, it is not appropriate for cases where RSN is used with PSK or EAP authentication since the station is actually fully authenticated only once the 4-way handshake completes after authentication and attackers might be able to use the unauthenticated triggering of Layer 2 Update frame transmission to disrupt bridge behavior.

Fix this by postponing transmission of the Layer 2 Update frame from station entry addition to the point when the station entry is marked authorized. Similarly, send out the VLAN binding update only if the STA entry has already been authorized.

Signed-off-by: Jouni Malinen
Reviewed-by: Johannes Berg
Signed-off-by: David S. Miller
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
 net/mac80211/cfg.c      | 11 +++--------
 net/mac80211/sta_info.c |  4 ++++
 2 files changed, 7 insertions(+), 8 deletions(-)

--- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c 
@@ -1436,7 +1436,6 @@ static int ieee80211_add_station(struct struct sta_info *sta; struct ieee80211_sub_if_data *sdata; int err; - int layer2_update; if (params->vlan) { sdata = IEEE80211_DEV_TO_SUB_IF(params->vlan); @@ -1481,18 +1480,12 @@ static int ieee80211_add_station(struct if (!test_sta_flag(sta, WLAN_STA_TDLS_PEER)) rate_control_rate_init(sta); - layer2_update = sdata->vif.type == NL80211_IFTYPE_AP_VLAN || - sdata->vif.type == NL80211_IFTYPE_AP; - err = sta_info_insert_rcu(sta); if (err) { rcu_read_unlock(); return err; } - if (layer2_update) - cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr); - rcu_read_unlock(); return 0; @@ -1596,7 +1589,9 @@ static int ieee80211_change_station(stru atomic_inc(&sta->sdata->bss->num_mcast_sta); } - cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr); + if (sta->sta_state == IEEE80211_STA_AUTHORIZED) + cfg80211_send_layer2_update(sta->sdata->dev, + sta->sta.addr); } err = sta_apply_parameters(local, sta, params); --- a/net/mac80211/sta_info.c +++ b/net/mac80211/sta_info.c @@ -1666,6 +1666,10 @@ int sta_info_move_state(struct sta_info atomic_inc(&sta->sdata->bss->num_mcast_sta); set_bit(WLAN_STA_AUTHORIZED, &sta->_flags); } + if (sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN || + sta->sdata->vif.type == NL80211_IFTYPE_AP) + cfg80211_send_layer2_update(sta->sdata->dev, + sta->sta.addr); break; default: break;
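
Review bot: In the second ieee80211_add_station hunk (@@ -1481), the send after sta_info_insert_rcu() is removed for every AP and AP_VLAN station, including the open-network case that the commit message says was fine to send immediately. After this change the only remaining sends are the authorized-state one in sta_info_move_state() and the VLAN-change one in ieee80211_change_station(), so the commit message should say that the delay for open-network stations is intended and that they are expected to reach the authorized state.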
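
Review bot: In the ieee80211_change_station hunk (@@ -1596), the sta->sta_state == IEEE80211_STA_AUTHORIZED test runs before the sta_apply_parameters() call that follows it, so the decision is made on the state as it was before any parameters from this call are applied. A short comment above the test saying that a station which is not yet authorized at this point is covered by the send added in sta_info_move_state() would make the split between the two call sites clear.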
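
Review bot: In the sta_info_move_state hunk (@@ -1666), the new interface-type test sits after the closing brace of the block that calls set_bit(WLAN_STA_AUTHORIZED, &sta->_flags), so the frame goes out whenever this case runs, not only when that block does. If the frame should be sent only when the flag is newly set, move the test inside that block; otherwise add a comment stating that the placement is deliberate.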