git.baikalelectronics.ru Git - kernel.git/commit

author	Johannes Berg <johannes.berg@intel.com>
	Tue, 11 May 2021 18:02:50 +0000 (20:02 +0200)
committer	Johannes Berg <johannes.berg@intel.com>
	Tue, 11 May 2021 18:14:20 +0000 (20:14 +0200)
commit	e5da28ed29990acbee78d3c637f424548b25c1d5
tree	9742d6a9746ccf1787d53e9820e67d39a0623e24	tree \| snapshot
parent	6eca1a198c0d2d0af59a7c5a96256ba40e5052d8	commit \| diff

mac80211: do not accept/forward invalid EAPOL frames

EAPOL frames are used for authentication and key management between the
AP and each individual STA associated in the BSS. Those frames are not
supposed to be sent by one associated STA to another associated STA
(either unicast for broadcast/multicast).

Similarly, in 802.11 they're supposed to be sent to the authenticator
(AP) address.

Since it is possible for unexpected EAPOL frames to result in misbehavior
in supplicant implementations, it is better for the AP to not allow such
cases to be forwarded to other clients either directly, or indirectly if
the AP interface is part of a bridge.

Accept EAPOL (control port) frames only if they're transmitted to the
own address, or, due to interoperability concerns, to the PAE group
address.

Disable forwarding of EAPOL (or well, the configured control port
protocol) frames back to wireless medium in all cases. Previously, these
frames were accepted from fully authenticated and authorized stations
and also from unauthenticated stations for one of the cases.

Additionally, to avoid forwarding by the bridge, rewrite the PAE group
address case to the local MAC address.

Cc: stable@vger.kernel.org
Co-developed-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Link: https://lore.kernel.org/r/20210511200110.cb327ed0cabe.Ib7dcffa2a31f0913d660de65ba3c8aca75b1d10f@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>