2015-03-26 19:47:15

by michael-dev

Subject: [RFC] mac80211: check A-MSDU inner frame source address on AP interfaces.

When using WPA security, the station and thus the required key is
identified by its mac address when packets are received. So a
station usually cannot spoof its source mac address.

But when a station sends an A-MSDU frame, port control and crypto
is done using the outer mac address, while the packets delivered
and forwarded use the inner mac address.

IEEE 802.11-2012 mandates that the outer source mac address should
match the inner source address (section 8.3.2.2). For the
destination mac address, matching is not required (section 10.23.15).

So I was wondering whether some checking would be useful?

Signed-off-by: Michael Braun <[email protected]>
---
net/mac80211/rx.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 944bdc0..e34e0b2 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2023,6 +2023,12 @@ static bool ieee80211_frame_allowed(struct ieee80211_rx_data *rx, __le16 fc)
ether_addr_equal(ehdr->h_dest, pae_group_addr)))
return true;

+ /* Do not allow source MAC spoofing */
+ if (rx->sdata && (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
+ rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN) &&
+ rx->sta && !ether_addr_equal(ehdr->h_source, rx->sta->sta.addr))
+ return false;
+
if (ieee80211_802_1x_port_control(rx) ||
ieee80211_drop_unencrypted(rx, fc))
return false;
--
1.9.1

2015-03-30 09:06:31

by Johannes Berg

Subject: Re: [RFC] mac80211: check A-MSDU inner frame source address on AP interfaces.

On Thu, 2015-03-26 at 20:40 +0100, Michael Braun wrote:
> When using WPA security, the station and thus the required key is
> identified by its mac address when packets are received. So a
> station usually cannot spoof its source mac address.
>
> But when a station sends an A-MSDU frame, port control and crypto
> is done using the outer mac address, while the packets delivered
> and forwarded use the inner mac address.
>
> IEEE 802.11-2012 mandates that the outer source mac address should
> match the inner source address (section 8.3.2.2). For the
> destination mac address, matching is not required (section 10.23.15).
>
> So I was wondering whether some checking would be useful?

Makes sense, but perhaps it should just be done in A-MSDU de-aggregation
in ieee80211_amsdu_to_8023s() so we can simply not even allocate the skb
for that frame if it's mismatched? It'd only be possible for those
callers who set has_80211_header=true, but mac80211 would still be
covered.

Alternatively, we could pass the TA into the function, and then check
against that.

johannes