CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
	Sun, 6 Jun 2021 22:10:52 +0000 (22:10 +0000)
committer	Mark Johnston <markj@FreeBSD.org>
	Tue, 15 Mar 2022 17:39:02 +0000 (13:39 -0400)
commit	ae6d654f4fa167f473a40417479e607029670679
tree	0240944201b8551fbf3c88f997b7294fb9571c9b	tree \| snapshot
parent	d35c456500515b1b3e6f3be478da6be9869aa1af	commit \| diff

net80211: mitigation against A-MSDU design flaw

Mitigate A-MSDU injection attacks by detecting if the destination address
of a subframe equals an RFC1042 (i.e., LLC/SNAP) header, and if so
dropping the complete A-MSDU frame. This mitigates known attacks,
although new (unknown) aggregation-based attacks may remain possible.

This defense works because in A-MSDU aggregation injection attacks, a
normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means
the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042
header. In other words, the destination MAC address of the first A-MSDU
subframe contains the start of an RFC1042 header during an aggregation
attack. We can detect this and thereby prevent this specific attack.

This relates to section 7.2 in the 2021 Usenix "FragAttacks" (Fragment
and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation)
paper.

Submitted by: Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
Security: CVE-2020-24588
PR: 256119

(cherry picked from commit f024bdf1155f36d2d8c4caa533b66e4040c4c469)
(cherry picked from commit 41ca1d50a8657959df2009daa300dda56a090d5e)
(cherry picked from commit 76ee776f4d9f146f7a97ac9bab388c51a1c787c9)

Approved by: so
Security: FreeBSD-SA-22:02.wifi

sys/net80211/ieee80211_adhoc.c		diff \| blob \| history
sys/net80211/ieee80211_hostap.c		diff \| blob \| history
sys/net80211/ieee80211_input.c		diff \| blob \| history
sys/net80211/ieee80211_input.h		diff \| blob \| history
sys/net80211/ieee80211_sta.c		diff \| blob \| history
sys/net80211/ieee80211_wds.c		diff \| blob \| history