mac80211: backport upstream fixes for FragAttacks
[openwrt/openwrt.git] / package / kernel / mac80211 / patches / subsys / 384-mac80211-drop-A-MSDUs-on-old-ciphers.patch
1 From: Johannes Berg <johannes.berg@intel.com>
2 Date: Tue, 11 May 2021 20:02:46 +0200
3 Subject: [PATCH] mac80211: drop A-MSDUs on old ciphers
4
5 With old ciphers (WEP and TKIP) we shouldn't be using A-MSDUs
6 since A-MSDUs are only supported if we know that they are, and
7 the only practical way for that is HT support which doesn't
8 support old ciphers.
9
10 However, we would normally accept them anyway. Since we check
11 the MMIC before deaggregating A-MSDUs, and the A-MSDU bit in
12 the QoS header is not protected in TKIP (or WEP), this enables
13 attacks similar to CVE-2020-24588. To prevent that, drop A-MSDUs
14 completely with old ciphers.
15
16 Cc: stable@vger.kernel.org
17 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
18 ---
19
20 --- a/net/mac80211/rx.c
21 +++ b/net/mac80211/rx.c
22 @@ -6,7 +6,7 @@
23 * Copyright 2007-2010 Johannes Berg <johannes@sipsolutions.net>
24 * Copyright 2013-2014 Intel Mobile Communications GmbH
25 * Copyright(c) 2015 - 2017 Intel Deutschland GmbH
26 - * Copyright (C) 2018-2020 Intel Corporation
27 + * Copyright (C) 2018-2021 Intel Corporation
28 */
29
30 #include <linux/jiffies.h>
31 @@ -2753,6 +2753,23 @@ ieee80211_rx_h_amsdu(struct ieee80211_rx
32 if (is_multicast_ether_addr(hdr->addr1))
33 return RX_DROP_UNUSABLE;
34
35 + if (rx->key) {
36 + /*
37 + * We should not receive A-MSDUs on pre-HT connections,
38 + * and HT connections cannot use old ciphers. Thus drop
39 + * them, as in those cases we couldn't even have SPP
40 + * A-MSDUs or such.
41 + */
42 + switch (rx->key->conf.cipher) {
43 + case WLAN_CIPHER_SUITE_WEP40:
44 + case WLAN_CIPHER_SUITE_WEP104:
45 + case WLAN_CIPHER_SUITE_TKIP:
46 + return RX_DROP_UNUSABLE;
47 + default:
48 + break;
49 + }
50 + }
51 +
52 return __ieee80211_rx_h_amsdu(rx, 0);
53 }
54
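Review bot: the comment added in ieee80211_rx_h_amsdu() justifies the drop by saying A-MSDUs should not be received on pre-HT connections, but the code tests only rx->key->conf.cipher, and only when rx->key is set. A frame with no key, or a key using any other cipher, still falls through to __ieee80211_rx_h_amsdu() whether or not the connection is HT. If the cipher is meant as the only condition, the comment should say that the check is keyed on WEP/TKIP rather than on HT state. It should also carry the reason given in the commit message: the A-MSDU bit in the QoS header is not protected by these ciphers and the MMIC is checked before deaggregation. As written, someone reading rx.c without the changelog cannot tell that this is a security drop and not just a sanity check. A short note on why the rx->key == NULL case is intentionally left alone would help as well.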