Page MenuHomeFreeBSD

net80211: sanitize input for ieee80211_output()
ClosedPublic

Authored by s3erios_gmail.com on Nov 19 2017, 6:16 PM.

Details

Summary
  • Add some basic checks for i_fc* bits (ToDS, FromDS, MoreFrag, Protected); those are used / checked across various places in Tx path.
  • Mark injected 802.11 frame as encapsulated (just as it should be).
  • Classify 802.11 frame in a proper way (extract ether_type from LLC header for Data frames, use AC_BE queue for others (NoData / Management / Control).
  • Subtract header length from tx_bytes statistics (so it will correspond to the comment).
  • Use KASSERT for default case in DIR_MASK switch statement (all 4 values were explicitly checked, so it should not be emitted to the binary anyway).
Test Plan

Checked with RTL8188EU (AP) + Intel 6205 (STA).

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

adrian added inline comments.Nov 19 2017, 11:42 PM
sys/net80211/ieee80211_output.c
687 ↗(On Diff #35464)

Don't add a new assert in packet processing path - just log an error / counter and drop. Otherwise a future omission may turn it into a DoS.

s3erios_gmail.com marked an inline comment as done.Dec 29 2017, 11:42 PM
s3erios_gmail.com added inline comments.
sys/net80211/ieee80211_output.c
687 ↗(On Diff #35464)

IMHO, that was not really needed - IEEE80211_FC1_DIR_MASK is 0x03 and all 4 possible values are checked before 'default' statement (which is mostly needed due to Wswitch-default (or something like that - I don't remember exactly) compiler warning category).

commit away! thanks!

This revision was not accepted when it landed; it landed in state Needs Review.Dec 30 2017, 12:40 AM
This revision was automatically updated to reflect the committed changes.