From: Johannes Berg
To: linux-wireless@vger.kernel.org
Cc: stable@vger.kernel.org, Johannes Berg, Jouni Malinen
Subject: [PATCH v4.4 09/10] mac80211: do not accept/forward invalid EAPOL frames
Date: Mon, 31 May 2021 22:28:33 +0200
Message-Id: <20210531202834.179810-10-johannes@sipsolutions.net>
In-Reply-To: <20210531202834.179810-1-johannes@sipsolutions.net>
References: <20210531202834.179810-1-johannes@sipsolutions.net>
X-Mailing-List: linux-wireless@vger.kernel.org
From: Johannes Berg

commit a8c4d76a8dd4fb9666fc8919a703d85fb8f44ed8 upstream.

EAPOL frames are used for authentication and key management between the
AP and each individual STA associated in the BSS. Those frames are not
supposed to be sent by one associated STA to another associated STA
(either unicast or broadcast/multicast). Similarly, in 802.11 they're
supposed to be sent to the authenticator (AP) address.

Since it is possible for unexpected EAPOL frames to result in misbehavior
in supplicant implementations, it is better for the AP to not allow such
cases to be forwarded to other clients either directly, or indirectly if
the AP interface is part of a bridge.

Accept EAPOL (control port) frames only if they're transmitted to the own
address, or, due to interoperability concerns, to the PAE group address.

Disable forwarding of EAPOL (or well, the configured control port
protocol) frames back to wireless medium in all cases. Previously, these
frames were accepted from fully authenticated and authorized stations and
also from unauthenticated stations for one of the cases.

Additionally, to avoid forwarding by the bridge, rewrite the PAE group
address case to the local MAC address.

Cc: stable@vger.kernel.org
Co-developed-by: Jouni Malinen
Signed-off-by: Jouni Malinen
Link: https://lore.kernel.org/r/20210511200110.cb327ed0cabe.Ib7dcffa2a31f0913d660de65ba3c8aca75b1d10f@changeid
Signed-off-by: Johannes Berg
---
 net/mac80211/rx.c | 34 ++++++++++++++++++++++++++++------
 1 file changed, 28 insertions(+), 6 deletions(-)

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 7f070b911b2a..1a7267448dc8 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2141,13 +2141,13 @@ static bool ieee80211_frame_allowed(struct ieee80211_rx_data *rx, __le16 fc) struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data; /* - * Allow EAPOL frames to us/the PAE group address regardless - * of whether the frame was encrypted or not. + * Allow EAPOL frames to us/the PAE group address regardless of + * whether the frame was encrypted or not, and always disallow + * all other destination addresses for them. */ - if (ehdr->h_proto == rx->sdata->control_port_protocol && - (ether_addr_equal(ehdr->h_dest, rx->sdata->vif.addr) || - ether_addr_equal(ehdr->h_dest, pae_group_addr))) - return true; + if (unlikely(ehdr->h_proto == rx->sdata->control_port_protocol)) + return ether_addr_equal(ehdr->h_dest, rx->sdata->vif.addr) || + ether_addr_equal(ehdr->h_dest, pae_group_addr); if (ieee80211_802_1x_port_control(rx) || ieee80211_drop_unencrypted(rx, fc)) @@ -2176,6 +2176,7 @@ ieee80211_deliver_skb(struct ieee80211_rx_data *rx) if ((sdata->vif.type == NL80211_IFTYPE_AP || sdata->vif.type == NL80211_IFTYPE_AP_VLAN) && !(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) && + ehdr->h_proto != rx->sdata->control_port_protocol && (sdata->vif.type != NL80211_IFTYPE_AP_VLAN || !sdata->u.vlan.sta)) { if (is_multicast_ether_addr(ehdr->h_dest)) { /* 
@@ -2228,9 +2229,30 @@ ieee80211_deliver_skb(struct ieee80211_rx_data *rx) #endif if (skb) { + struct ethhdr *ehdr = (void *)skb_mac_header(skb); + /* deliver to local stack */ skb->protocol = eth_type_trans(skb, dev); memset(skb->cb, 0, sizeof(skb->cb)); + + /* + * 802.1X over 802.11 requires that the authenticator address + * be used for EAPOL frames. However, 802.1X allows the use of + * the PAE group address instead. If the interface is part of + * a bridge and we pass the frame with the PAE group address, + * then the bridge will forward it to the network (even if the + * client was not associated yet), which isn't supposed to + * happen. + * To avoid that, rewrite the destination address to our own + * address, so that the authenticator (e.g. hostapd) will see + * the frame, but bridge won't forward it anywhere else. Note + * that due to earlier filtering, the only other address can + * be the PAE group address. + */ + if (unlikely(skb->protocol == sdata->control_port_protocol && + !ether_addr_equal(ehdr->h_dest, sdata->vif.addr))) + ether_addr_copy(ehdr->h_dest, sdata->vif.addr); + if (rx->napi) napi_gro_receive(rx->napi, skb); else -- 2.31.1
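Review bot: in the ieee80211_frame_allowed() hunk (@@ -2141), the new `return ether_addr_equal(ehdr->h_dest, rx->sdata->vif.addr) || ether_addr_equal(ehdr->h_dest, pae_group_addr);` silently drops control-port frames sent to any other destination, with no counter or debug message, so a station that sends EAPOL towards another client becomes invisible to an operator. Consider a debug statistic or tracepoint for this drop, and extend the comment with the reason given in the commit message (EAPOL is never legitimately exchanged between two associated STAs), since the code alone reads as an arbitrary address restriction.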
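Review bot: in the bridging condition of ieee80211_deliver_skb() (@@ -2176), the added line `ehdr->h_proto != rx->sdata->control_port_protocol &&` reaches through `rx->sdata` while the adjacent lines use the local `sdata` (`sdata->vif.type`, `sdata->flags`); use `sdata->control_port_protocol` for consistency. A one-line comment that control-port frames are deliberately never forwarded back to the wireless medium, unicast or multicast, would also help, because the rationale otherwise lives only in the commit message.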
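Review bot: in the local-delivery hunk (@@ -2228), `struct ethhdr *ehdr = (void *)skb_mac_header(skb);` is taken before `skb->protocol = eth_type_trans(skb, dev);`, and eth_type_trans() is what resets the mac header to the current skb->data; the rewrite therefore relies on the mac header already pointing at the 802.3 header at this point, whereas ieee80211_frame_allowed() in the same file reads it as `(struct ethhdr *) rx->skb->data`. Either take the pointer the same way, or add a comment stating why skb_mac_header() is already valid here. The guard on the rewrite itself looks right: after the earlier filtering the only non-local destination that can reach this point is the PAE group address, as the comment says.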