linux/net/mac80211
Johannes Berg 3018e947d7 mac80211: reject ToDS broadcast data frames
AP/AP_VLAN modes don't accept any real 802.11 multicast data
frames, but since they do need to accept broadcast management
frames the same is currently permitted for data frames. This
opens a security problem because such frames would be decrypted
with the GTK, and could even contain unicast L3 frames.

Since the spec says that ToDS frames must always have the BSSID
as the RA (addr1), reject any other data frames.

The problem was originally reported in "Predicting, Decrypting,
and Abusing WPA2/802.11 Group Keys" at usenix
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/vanhoef
and brought to my attention by Jouni.

Cc: stable@vger.kernel.org
Reported-by: Jouni Malinen <j@w1.fi>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
--
Dave, I didn't want to send you a new pull request for a single
commit yet again - can you apply this one patch as is?
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-20 15:37:46 -04:00
..
aes_ccm.c mac80211: move struct aead_req off the stack 2016-10-17 16:14:04 +02:00
aes_ccm.h mac80211: move struct aead_req off the stack 2016-10-17 16:14:04 +02:00
aes_cmac.c mac80211: aes-cmac: switch to shash CMAC driver 2017-02-08 09:19:33 +01:00
aes_cmac.h mac80211: aes-cmac: switch to shash CMAC driver 2017-02-08 09:19:33 +01:00
aes_gcm.c mac80211: move struct aead_req off the stack 2016-10-17 16:14:04 +02:00
aes_gcm.h mac80211: move struct aead_req off the stack 2016-10-17 16:14:04 +02:00
aes_gmac.c mac80211: move struct aead_req off the stack 2016-10-17 16:14:04 +02:00
aes_gmac.h mac80211: move struct aead_req off the stack 2016-10-17 16:14:04 +02:00
agg-rx.c mac80211: fix typo in debug print 2017-02-27 14:09:49 +01:00
agg-tx.c mac80211: reject TSPEC TIDs (TSIDs) for aggregation 2016-09-15 10:08:52 +02:00
cfg.c cfg80211: fix NAN bands definition 2017-02-09 15:17:30 +01:00
chan.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-01-17 15:19:37 -05:00
debug.h
debugfs_key.c mac80211: move TKIP TX IVs to public part of key struct 2016-02-24 09:04:38 +01:00
debugfs_key.h
debugfs_netdev.c mac80211: multicast to unicast conversion 2016-12-13 16:05:11 +01:00
debugfs_netdev.h
debugfs_sta.c mac80211: add back lost debugfs files 2017-02-07 10:40:50 +01:00
debugfs_sta.h
debugfs.c mac80211: check for allocation failure in debugfs code 2017-02-08 10:05:07 +01:00
debugfs.h
driver-ops.c mac80211: add offset_tsf driver op and use it for mesh 2016-09-30 13:45:44 +02:00
driver-ops.h mac80211: add offset_tsf driver op and use it for mesh 2016-09-30 13:45:44 +02:00
ethtool.c mac80211: move station statistics into sub-structs 2015-10-21 10:08:22 +02:00
fils_aead.c Some more updates: 2017-02-10 14:31:51 -05:00
fils_aead.h mac80211: FILS AEAD protection for station mode association frames 2016-10-27 16:03:25 +02:00
ht.c mac80211: limit the A-MSDU Tx based on peer's capabilities 2016-02-24 09:04:20 +01:00
ibss.c mac80211: fix CSA in IBSS mode 2017-02-09 15:18:24 +01:00
ieee80211_i.h average: change to declare precision, not factor 2017-03-02 08:32:46 +01:00
iface.c mac80211: unconditionally start new netdev queues with iTXQ support 2017-03-29 14:20:40 +02:00
Kconfig mac80211: fils_aead: Use crypto api CMAC shash rather than bare cipher 2017-02-08 09:19:17 +01:00
key.c mac80211: don't call drv_set_default_unicast_key() for VLANs 2016-12-13 15:57:59 +01:00
key.h mac80211: aes-cmac: switch to shash CMAC driver 2017-02-08 09:19:33 +01:00
led.c
led.h
main.c mac80211: initialize SMPS field in HT capabilities 2017-01-13 11:31:26 +01:00
Makefile Makefile: drop -D__CHECK_ENDIAN__ from cflags 2016-12-16 00:13:43 +02:00
mesh_hwmp.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-09-23 06:46:57 -04:00
mesh_pathtbl.c mac80211: make mpath path fixing more robust 2016-09-12 12:27:14 +02:00
mesh_plink.c sched/headers: Prepare to use <linux/rcuupdate.h> instead of <linux/rculist.h> in <linux/sched.h> 2017-03-02 08:42:38 +01:00
mesh_ps.c
mesh_sync.c mac80211: Use appropriate name for functions and messages 2016-12-13 16:22:27 +01:00
mesh.c scripts/spelling.txt: add "swith" pattern and fix typo instances 2017-02-27 18:43:46 -08:00
mesh.h mac80211: Use appropriate name for functions and messages 2016-12-13 16:22:27 +01:00
michael.c
michael.h
mlme.c cfg80211: Pass new RSSI level in CQM RSSI notification 2017-02-08 10:43:40 +01:00
ocb.c mac80211: remove rx_stats.last_rx update after sta alloc 2016-04-06 13:18:15 +02:00
offchannel.c mac80211: fix CMD_FRAME for AP_VLAN 2016-10-12 09:19:12 +02:00
pm.c mac80211: flush delayed work when entering suspend 2017-02-27 14:00:26 +01:00
rate.c mac80211: don't try to sleep in rate_control_rate_init() 2017-01-24 16:31:54 +01:00
rate.h mac80211: remove sta_info debugfs sub-struct 2016-04-05 11:59:05 +02:00
rc80211_minstrel_debugfs.c mac80211: minstrel: store probability variance instead of standard deviation 2016-12-15 11:07:52 +01:00
rc80211_minstrel_ht_debugfs.c mac80211: minstrel: store probability variance instead of standard deviation 2016-12-15 11:07:52 +01:00
rc80211_minstrel_ht.c mac80211: minstrel_ht: remove obsolete #if for >= 3 streams 2016-12-15 11:07:53 +01:00
rc80211_minstrel_ht.h mac80211: minstrel_ht: move supported bitrate mask out of group data 2016-12-15 11:07:52 +01:00
rc80211_minstrel.c mac80211: minstrel: avoid port control frames for sampling 2016-12-15 11:07:53 +01:00
rc80211_minstrel.h mac80211: minstrel: make prob_ewma u16 instead of u32 2016-12-15 11:07:53 +01:00
rx.c mac80211: reject ToDS broadcast data frames 2017-04-20 15:37:46 -04:00
scan.c mac80211: Remove unused 'len' variable 2016-12-13 16:05:09 +01:00
spectmgmt.c mac80211: parse wide bandwidth channel switch IE with workaround 2016-07-06 14:55:04 +02:00
sta_info.c mac80211: shorten debug message 2017-02-27 14:09:26 +01:00
sta_info.h average: change to declare precision, not factor 2017-03-02 08:32:46 +01:00
status.c First round of fixes - details in the commits: 2017-03-01 15:08:34 -08:00
tdls.c mac80211: TDLS: don't require beaconing for AP BW 2016-08-30 08:03:41 +02:00
tkip.c mac80211: move TKIP TX IVs to public part of key struct 2016-02-24 09:04:38 +01:00
tkip.h mac80211: move TKIP TX IVs to public part of key struct 2016-02-24 09:04:38 +01:00
trace_msg.h
trace.c
trace.h cfg80211: fix NAN bands definition 2017-02-09 15:17:30 +01:00
tx.c mac80211: use helper function to access ieee802_1d_to_ac[] 2017-01-26 09:50:44 +01:00
util.c mac80211: validate new interface's beacon intervals 2016-10-27 09:18:07 +02:00
vht.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-01-17 15:19:37 -05:00
wep.c mac80211: Add RX flag to indicate ICV stripped 2017-01-12 10:15:18 +01:00
wep.h
wme.c mac80211: preserve more bits when building QoS header 2016-10-12 14:17:13 +02:00
wme.h
wpa.c mac80211: Add RX flag to indicate ICV stripped 2017-01-12 10:15:18 +01:00
wpa.h