]> git.baikalelectronics.ru Git - kernel.git/commit
mac80211: do not accept/forward invalid EAPOL frames
authorJohannes Berg <johannes.berg@intel.com>
Tue, 11 May 2021 18:02:50 +0000 (20:02 +0200)
committerJohannes Berg <johannes.berg@intel.com>
Tue, 11 May 2021 18:14:20 +0000 (20:14 +0200)
commita8c4d76a8dd4fb9666fc8919a703d85fb8f44ed8
tree9742d6a9746ccf1787d53e9820e67d39a0623e24
parent7e44a0b597f04e67eee8cdcbe7ee706c6f5de38b
mac80211: do not accept/forward invalid EAPOL frames

EAPOL frames are used for authentication and key management between the
AP and each individual STA associated in the BSS. Those frames are not
supposed to be sent by one associated STA to another associated STA
(either unicast for broadcast/multicast).

Similarly, in 802.11 they're supposed to be sent to the authenticator
(AP) address.

Since it is possible for unexpected EAPOL frames to result in misbehavior
in supplicant implementations, it is better for the AP to not allow such
cases to be forwarded to other clients either directly, or indirectly if
the AP interface is part of a bridge.

Accept EAPOL (control port) frames only if they're transmitted to the
own address, or, due to interoperability concerns, to the PAE group
address.

Disable forwarding of EAPOL (or well, the configured control port
protocol) frames back to wireless medium in all cases. Previously, these
frames were accepted from fully authenticated and authorized stations
and also from unauthenticated stations for one of the cases.

Additionally, to avoid forwarding by the bridge, rewrite the PAE group
address case to the local MAC address.

Cc: stable@vger.kernel.org
Co-developed-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Link: https://lore.kernel.org/r/20210511200110.cb327ed0cabe.Ib7dcffa2a31f0913d660de65ba3c8aca75b1d10f@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
net/mac80211/rx.c