review.tizen.org Git - platform/kernel/linux-starfive.git/commit

author	Felix Fietkau <nbd@nbd.name>
	Thu, 13 May 2021 07:03:03 +0000 (09:03 +0200)
committer	Kalle Valo <kvalo@codeaurora.org>
	Sat, 15 May 2021 11:47:48 +0000 (14:47 +0300)
commit	2c2bdd2372afcfcf24fe11c65ebe3361b7e1cd9f
tree	b99bfc8c6693dc568fb06b17d32e43fce05c157d	tree \| snapshot
parent	509559c35bcd23d5a046624b225cb3e99a9f1481	commit \| diff

mt76: validate rx A-MSDU subframes

Mitigate A-MSDU injection attacks (CVE-2020-24588) by detecting if the
destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP)
header, and if so dropping the complete A-MSDU frame. This mitigates
known attacks, although new (unknown) aggregation-based attacks may
remain possible.

This defense works because in A-MSDU aggregation injection attacks, a
normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means
the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042
header. In other words, the destination MAC address of the first A-MSDU
subframe contains the start of an RFC1042 header during an aggregation
attack. We can detect this and thereby prevent this specific attack.
For details, see Section 7.2 of "Fragment and Forge: Breaking Wi-Fi
Through Frame Aggregation and Fragmentation".

Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210513070303.20253-1-nbd@nbd.name