wifi: mac80211: drop unprotected robust mgmt before 4-way-HS

When MFP is used, drop unprotected robust management frames also
before the 4-way handshake has been completed, i.e. no key has
been installed yet.

Signed-off-by: Alon Giladi <alon.giladi@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230619183718.cfbefddccd0c.Ife369dbb61c87e311ce15739d5b2b4763bfdfbae@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 6ebec32..1d2e7a6 100644 (file)
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2418,13 +2418,20 @@ static int ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx)
 
        if (rx->sta && test_sta_flag(rx->sta, WLAN_STA_MFP)) {
                if (unlikely(!ieee80211_has_protected(fc) &&
-                            ieee80211_is_unicast_robust_mgmt_frame(rx->skb) &&
-                            rx->key)) {
+                            ieee80211_is_unicast_robust_mgmt_frame(rx->skb))) {
                        if (ieee80211_is_deauth(fc) ||
-                           ieee80211_is_disassoc(fc))
+                           ieee80211_is_disassoc(fc)) {
+                               /*
+                                * Permit unprotected deauth/disassoc frames
+                                * during 4-way-HS (key is installed after HS).
+                                */
+                               if (!rx->key)
+                                       return 0;
+
                                cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
                                                             rx->skb->data,
                                                             rx->skb->len);
+                       }
                        return -EACCES;
                }
                /* BIP does not use Protected field, so need to check MMIE */