linux/net/wireless
Mathy Vanhoef 2b8a1fee34 cfg80211: mitigate A-MSDU aggregation attacks
Mitigate A-MSDU injection attacks (CVE-2020-24588) by detecting if the
destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP)
header, and if so dropping the complete A-MSDU frame. This mitigates
known attacks, although new (unknown) aggregation-based attacks may
remain possible.

This defense works because in A-MSDU aggregation injection attacks, a
normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means
the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042
header. In other words, the destination MAC address of the first A-MSDU
subframe contains the start of an RFC1042 header during an aggregation
attack. We can detect this and thereby prevent this specific attack.
For details, see Section 7.2 of "Fragment and Forge: Breaking Wi-Fi
Through Frame Aggregation and Fragmentation".

Note that for kernel 4.9 and above this patch depends on "mac80211:
properly handle A-MSDUs that start with a rfc1042 header". Otherwise
this patch has no impact and attacks will remain possible.

Cc: stable@vger.kernel.org
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
Link: https://lore.kernel.org/r/20210511200110.25d93176ddaf.I9e265b597f2cd23eb44573f35b625947b386a9de@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2021-05-11 20:13:13 +02:00
..
certs
.gitignore .gitignore: add SPDX License Identifier 2020-03-25 11:50:48 +01:00
ap.c
chan.c cfg80211: avoid holding the RTNL when calling the driver 2021-01-26 11:55:50 +01:00
core.c Networking changes for 5.13. 2021-04-29 11:57:23 -07:00
core.h cfg80211: avoid holding the RTNL when calling the driver 2021-01-26 11:55:50 +01:00
debugfs.c cfg80211: avoid holding the RTNL when calling the driver 2021-01-26 11:55:50 +01:00
debugfs.h
ethtool.c cfg80211: check wiphy driver existence for drvinfo report 2020-02-07 12:53:26 +01:00
ibss.c cfg80211: avoid holding the RTNL when calling the driver 2021-01-26 11:55:50 +01:00
Kconfig cfg80211: select CONFIG_CRC32 2021-01-05 15:50:36 -08:00
lib80211_crypt_ccmp.c lib80211: use crypto API ccm(aes) transform for CCMP processing 2019-07-26 13:22:47 +02:00
lib80211_crypt_tkip.c mm, treewide: rename kzfree() to kfree_sensitive() 2020-08-07 11:33:22 -07:00
lib80211_crypt_wep.c mm, treewide: rename kzfree() to kfree_sensitive() 2020-08-07 11:33:22 -07:00
lib80211.c lib80211: Remove unused macro DRV_NAME 2020-09-18 11:53:00 +02:00
Makefile wireless: Skip directory when generating certificates 2019-05-14 10:27:57 +02:00
mesh.c cfg80211/mac80211: add mesh_param "mesh_nolearn" to skip path discovery 2020-07-31 09:24:23 +02:00
mlme.c cfg80211: avoid holding the RTNL when calling the driver 2021-01-26 11:55:50 +01:00
nl80211.c Networking changes for 5.13. 2021-04-29 11:57:23 -07:00
nl80211.h cfg80211: support immediate reconnect request hint 2020-12-11 13:20:05 +01:00
ocb.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
of.c
pmsr.c nl80211/cfg80211: add a flag to negotiate for LMR feedback in NDP ranging 2021-04-19 12:02:51 +02:00
radiotap.c wireless: radiotap: fix some kernel-doc 2020-09-28 13:53:05 +02:00
rdev-ops.h nl80211: add common API to configure SAR power limitations 2020-12-11 13:38:54 +01:00
reg.c cfg80211: regulatory: use DEFINE_SPINLOCK() for spinlock 2021-04-08 10:17:32 +02:00
reg.h cfg80211: avoid holding the RTNL when calling the driver 2021-01-26 11:55:50 +01:00
scan.c Another set of updates, all over the map: 2021-04-20 16:44:04 -07:00
sme.c cfg80211: remove WARN_ON() in cfg80211_sme_connect 2021-04-08 10:14:55 +02:00
sysfs.c cfg80211: remove unused callback 2021-02-12 08:52:25 +01:00
sysfs.h
trace.c
trace.h nl80211: add common API to configure SAR power limitations 2020-12-11 13:38:54 +01:00
util.c cfg80211: mitigate A-MSDU aggregation attacks 2021-05-11 20:13:13 +02:00
wext-compat.c wext: call cfg80211_set_encryption() with wiphy lock held 2021-01-28 19:10:57 +01:00
wext-compat.h treewide: Add SPDX license identifier for missed files 2019-05-21 10:50:45 +02:00
wext-core.c wext: fix NULL-ptr-dereference with cfg80211's lack of commit() 2021-01-26 11:59:42 +01:00
wext-priv.c
wext-proc.c
wext-sme.c cfg80211: avoid holding the RTNL when calling the driver 2021-01-26 11:55:50 +01:00
wext-spy.c