Page MenuHomeFreeBSD

net80211: sanitize input for ieee80211_output()

Authored by avos on Nov 19 2017, 6:16 PM.


  • Add some basic checks for i_fc* bits (ToDS, FromDS, MoreFrag, Protected); those are used / checked across various places in Tx path.
  • Mark injected 802.11 frame as encapsulated (just as it should be).
  • Classify 802.11 frame in a proper way (extract ether_type from LLC header for Data frames, use AC_BE queue for others (NoData / Management / Control).
  • Subtract header length from tx_bytes statistics (so it will correspond to the comment).
  • Use KASSERT for default case in DIR_MASK switch statement (all 4 values were explicitly checked, so it should not be emitted to the binary anyway).
Test Plan

Checked with RTL8188EU (AP) + Intel 6205 (STA).

Diff Detail

rS FreeBSD src repository - subversion
Automatic diff as part of commit; lint not applicable.
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

687 ↗(On Diff #35464)

Don't add a new assert in packet processing path - just log an error / counter and drop. Otherwise a future omission may turn it into a DoS.

avos added inline comments.
687 ↗(On Diff #35464)

IMHO, that was not really needed - IEEE80211_FC1_DIR_MASK is 0x03 and all 4 possible values are checked before 'default' statement (which is mostly needed due to Wswitch-default (or something like that - I don't remember exactly) compiler warning category).

This revision was not accepted when it landed; it landed in state Needs Review.Dec 30 2017, 12:40 AM
This revision was automatically updated to reflect the committed changes.