| Message ID | 20201019160113.350912-1-Mathy.Vanhoef@kuleuven.be |
|---|---|
| State | New |
| Headers | show |
| Series | mac80211: fix regression where EAPOL frames were sent in plaintext | expand |
Hi, On 2020-10-19 18:01, Mathy Vanhoef wrote: > When sending EAPOL frames via NL80211 they are treated as injected > frames in mac80211. Due to commit 1df2bdba528b ("mac80211: never drop > injected frames even if normally not allowed") these injected frames > were not assigned a sta context in the function ieee80211_tx_dequeue, > causing certain wireless network cards to always send EAPOL frames in > plaintext. This may cause compatibility issues with some clients or > APs, which for instance can cause the group key handshake to fail and > in turn would cause the station to get disconnected. > > This commit fixes this regression by assigning a sta context in > ieee80211_tx_dequeue to injected frames as well. > > Note that sending EAPOL frames in plaintext is not a security issue > since they contain their own encryption and authentication protection. > > Fixes: 1df2bdba528b ("mac80211: never drop injected frames even if normally not allowed") > Reported-by: Thomas Deutschmann <whissi@gentoo.org> > Tested-by: Christian Hesse <list@eworm.de> > Tested-by: Thomas Deutschmann <whissi@gentoo.org> > Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be> > --- > net/mac80211/tx.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c > index 8ba10a48d..55b41167a 100644 > --- a/net/mac80211/tx.c > +++ b/net/mac80211/tx.c > @@ -3619,13 +3619,14 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw, > tx.skb = skb; > tx.sdata = vif_to_sdata(info->control.vif); > > - if (txq->sta && !(info->flags & IEEE80211_TX_CTL_INJECTED)) { > + if (txq->sta) { > tx.sta = container_of(txq->sta, struct sta_info, sta); > /* > * Drop unicast frames to unauthorised stations unless they are > - * EAPOL frames from the local station. > + * injected frames or EAPOL frames from the local station. > */ > - if (unlikely(ieee80211_is_data(hdr->frame_control) && > + if (unlikely(!(info->flags & IEEE80211_TX_CTL_INJECTED) && > + ieee80211_is_data(hdr->frame_control) && > !ieee80211_vif_is_mesh(&tx.sdata->vif) && > tx.sdata->vif.type != NL80211_IFTYPE_OCB && > !is_multicast_ether_addr(hdr->addr1) && > Can we please get this applied to linux-5.10 and linux-5.9? Is there anything left to do where I can help with? Thanks!
On Sun, 08 Nov 2020 22:01:51 +0100 Johannes Berg wrote: > On Sun, 2020-11-08 at 20:34 +0100, Thomas Deutschmann wrote: > > > > > > Can we please get this applied to linux-5.10 and linux-5.9? > > It's tagged for that, so once it enters mainline will get picked up. > Should be soon now, I assume. It should be in mainline since Thu, FWIW, so it should be part of 5.10-rc3 and the next crop of stable kernels.
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c index 8ba10a48d..55b41167a 100644 --- a/net/mac80211/tx.c +++ b/net/mac80211/tx.c @@ -3619,13 +3619,14 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw, tx.skb = skb; tx.sdata = vif_to_sdata(info->control.vif); - if (txq->sta && !(info->flags & IEEE80211_TX_CTL_INJECTED)) { + if (txq->sta) { tx.sta = container_of(txq->sta, struct sta_info, sta); /* * Drop unicast frames to unauthorised stations unless they are - * EAPOL frames from the local station. + * injected frames or EAPOL frames from the local station. */ - if (unlikely(ieee80211_is_data(hdr->frame_control) && + if (unlikely(!(info->flags & IEEE80211_TX_CTL_INJECTED) && + ieee80211_is_data(hdr->frame_control) && !ieee80211_vif_is_mesh(&tx.sdata->vif) && tx.sdata->vif.type != NL80211_IFTYPE_OCB && !is_multicast_ether_addr(hdr->addr1) &&
When sending EAPOL frames via NL80211 they are treated as injected frames in mac80211. Due to commit 1df2bdba528b ("mac80211: never drop injected frames even if normally not allowed") these injected frames were not assigned a sta context in the function ieee80211_tx_dequeue, causing certain wireless network cards to always send EAPOL frames in plaintext. This may cause compatibility issues with some clients or APs, which for instance can cause the group key handshake to fail and in turn would cause the station to get disconnected. This commit fixes this regression by assigning a sta context in ieee80211_tx_dequeue to injected frames as well. Note that sending EAPOL frames in plaintext is not a security issue since they contain their own encryption and authentication protection. Fixes: 1df2bdba528b ("mac80211: never drop injected frames even if normally not allowed") Reported-by: Thomas Deutschmann <whissi@gentoo.org> Tested-by: Christian Hesse <list@eworm.de> Tested-by: Thomas Deutschmann <whissi@gentoo.org> Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be> --- net/mac80211/tx.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)