1From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
2From: Jouni Malinen <j@w1.fi>
3Date: Thu, 29 Aug 2019 11:52:04 +0300
4Subject: [PATCH] AP: Silently ignore management frame from unexpected source
5 address
6
7Do not process any received Management frames with unexpected/invalid SA
8so that we do not add any state for unexpected STA addresses or end up
9sending out frames to unexpected destination. This prevents unexpected
10sequences where an unprotected frame might end up causing the AP to send
11out a response to another device and that other device processing the
12unexpected response.
13
14In particular, this prevents some potential denial of service cases
15where the unexpected response frame from the AP might result in a
16connected station dropping its association.
17
18Signed-off-by: Jouni Malinen <j@w1.fi>
19
20Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
21[Retrieved from:
22https://w1.fi/security/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch]
23---
24 src/ap/drv_callbacks.c | 13 +++++++++++++
25 src/ap/ieee802_11.c | 12 ++++++++++++
26 2 files changed, 25 insertions(+)
27
28diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
29index 31587685fe3b..34ca379edc3d 100644
30--- a/src/ap/drv_callbacks.c
31+++ b/src/ap/drv_callbacks.c
32@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
33 "hostapd_notif_assoc: Skip event with no address");
34 return -1;
35 }
36+
37+ if (is_multicast_ether_addr(addr) ||
38+ is_zero_ether_addr(addr) ||
39+ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
40+ /* Do not process any frames with unexpected/invalid SA so that
41+ * we do not add any state for unexpected STA addresses or end
42+ * up sending out frames to unexpected destination. */
43+ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
44+ " in received indication - ignore this indication silently",
45+ __func__, MAC2STR(addr));
46+ return 0;
47+ }
48+
49 random_add_randomness(addr, ETH_ALEN);
50
51 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
52diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
53index c85a28db44b7..e7065372e158 100644
54--- a/src/ap/ieee802_11.c
55+++ b/src/ap/ieee802_11.c
56@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
57 fc = le_to_host16(mgmt->frame_control);
58 stype = WLAN_FC_GET_STYPE(fc);
59
60+ if (is_multicast_ether_addr(mgmt->sa) ||
61+ is_zero_ether_addr(mgmt->sa) ||
62+ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
63+ /* Do not process any frames with unexpected/invalid SA so that
64+ * we do not add any state for unexpected STA addresses or end
65+ * up sending out frames to unexpected destination. */
66+ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
67+ " in received frame - ignore this frame silently",
68+ MAC2STR(mgmt->sa));
69+ return 0;
70+ }
71+
72 if (stype == WLAN_FC_STYPE_BEACON) {
73 handle_beacon(hapd, mgmt, len, fi);
74 return 1;
75-- 
762.20.1
77
78
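Review bot: The three-part source-address test added to hostapd_notif_assoc() is repeated verbatim in the ieee802_11_mgmt() hunk of src/ap/ieee802_11.c, so the two receive paths can drift apart and any further path that learns a STA address has to copy the test again. A small shared predicate would keep the definition of an invalid SA in one place, with both call sites reduced to `if (hostapd_sa_is_invalid(hapd, addr)) {` (the helper name is only a suggestion). The new branch also returns 0 where the no-address branch just above it returns -1; a one-line comment such as `/* dropped on purpose: not an error for the driver */` would show that the difference is deliberate. hostapd_notif_assoc() starts and ends outside the hunk.

```c
/* Suggested shared helper, placed in a header that both files include */
static inline int hostapd_sa_is_invalid(const struct hostapd_data *hapd,
					const u8 *addr)
{
	return is_multicast_ether_addr(addr) ||
		is_zero_ether_addr(addr) ||
		os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0;
}

	/* in hostapd_notif_assoc(), after the no-address check */
	if (hostapd_sa_is_invalid(hapd, addr)) {
		/* … unchanged: explanatory comment, wpa_printf, return 0 … */
	}
```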
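Review bot: The drop in ieee802_11_mgmt() is reported only through `wpa_printf(MSG_DEBUG, ...)`, so at default verbosity an operator gets no indication that frames carrying the AP's own address, a group address or the zero address as SA are being received. Because the check sits before the `stype == WLAN_FC_STYPE_BEACON` branch, Beacon frames with such an SA are discarded as well and never reach handle_beacon(). Raising every drop to a higher log level would let the sender control the log volume, so a per-BSS drop counter or a rate-limited message looks like the safer way to make the event visible. At minimum I would record the trade-off next to the call, e.g. `/* DEBUG only: the sender controls how often this fires */`. The function body starts and ends outside the hunk.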