
net80211: sanitize input for ieee80211_output()
Closed, Public

Authored by avos on Nov 19 2017, 6:16 PM.

Details

Summary
  • Add some basic checks for i_fc* bits (ToDS, FromDS, MoreFrag, Protected); those are used / checked across various places in Tx path.
  • Mark injected 802.11 frame as encapsulated (just as it should be).
  • Classify 802.11 frame in a proper way (extract ether_type from LLC header for Data frames, use AC_BE queue for others (NoData / Management / Control)).
  • Subtract header length from tx_bytes statistics (so it will correspond to the comment).
  • Use KASSERT for default case in DIR_MASK switch statement (all 4 values were explicitly checked, so it should not be emitted to the binary anyway).
Test Plan

Checked with RTL8188EU (AP) + Intel 6205 (STA).

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

sys/net80211/ieee80211_output.c
687 ↗(On Diff #35464)

Don't add a new assert in packet processing path - just log an error / counter and drop. Otherwise a future omission may turn it into a DoS.

avos added inline comments.
sys/net80211/ieee80211_output.c
687 ↗(On Diff #35464)

IMHO, that was not really needed - IEEE80211_FC1_DIR_MASK is 0x03 and all 4 possible values are checked before 'default' statement (which is mostly needed due to Wswitch-default (or something like that - I don't remember exactly) compiler warning category).

This revision was not accepted when it landed; it landed in state Needs Review. Dec 30 2017, 12:40 AM
This revision was automatically updated to reflect the committed changes.
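
The count-and-drop handling asked for in the review, applied to the frame control checks and LLC classification listed in the summary, as an added user-space sketch; it is not the committed net80211 code. The function, struct and counter names are hypothetical, rejecting MoreFrag and Protected outright is an assumed policy, and the constants carry the values from net80211's ieee80211.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Frame control bits, values as in net80211's ieee80211.h. */
#define IEEE80211_FC0_TYPE_MASK      0x0c
#define IEEE80211_FC0_TYPE_DATA      0x08
#define IEEE80211_FC0_SUBTYPE_NODATA 0x40
#define IEEE80211_FC0_SUBTYPE_QOS    0x80
#define IEEE80211_FC1_DIR_MASK       0x03
#define IEEE80211_FC1_DIR_DSTODS     0x03
#define IEEE80211_FC1_MORE_FRAG      0x04
#define IEEE80211_FC1_PROTECTED      0x40
struct inj_stats { unsigned bad_len, bad_hdr; };  /* hypothetical drop counters */
/* Count the drop and return -1 (caller frees the frame); never assert on input. */
static int inj_drop(unsigned *counter) { (*counter)++; return -1; }

/* Returns the ether_type of a Data frame, 0 for best-effort frames (NoData /
 * Management / Control), -1 when dropped. HT and mesh control are not handled. */
int inj_classify(const uint8_t *f, size_t len, struct inj_stats *st)
{
    size_t hdrlen = 24;                      /* 3-address header */
    if (len < hdrlen)
        return inj_drop(&st->bad_len);
    /* Assumed policy: an injected frame is unfragmented and unencrypted. */
    if (f[1] & (IEEE80211_FC1_MORE_FRAG | IEEE80211_FC1_PROTECTED))
        return inj_drop(&st->bad_hdr);
    if ((f[0] & IEEE80211_FC0_TYPE_MASK) != IEEE80211_FC0_TYPE_DATA ||
        (f[0] & IEEE80211_FC0_SUBTYPE_NODATA))
        return 0;
    if ((f[1] & IEEE80211_FC1_DIR_MASK) == IEEE80211_FC1_DIR_DSTODS)
        hdrlen += 6;                         /* fourth address */
    if (f[0] & IEEE80211_FC0_SUBTYPE_QOS)
        hdrlen += 2;                         /* QoS control */
    if (len < hdrlen + 8)                    /* LLC/SNAP header is 8 bytes */
        return inj_drop(&st->bad_len);
    if (f[hdrlen] != 0xaa || f[hdrlen + 1] != 0xaa || f[hdrlen + 2] != 0x03)
        return inj_drop(&st->bad_hdr);
    return (f[hdrlen + 6] << 8) | f[hdrlen + 7];
}

int main(void)
{
    /* Constructed sample: Data frame, ToDS, LLC/SNAP carrying IPv4. */
    uint8_t f[32] = { [0] = 0x08, [1] = 0x01, [24] = 0xaa, [25] = 0xaa, [26] = 0x03, [30] = 0x08 };
    struct inj_stats st = { 0, 0 };
    printf("ether_type=0x%04x\n", (unsigned)inj_classify(f, sizeof(f), &st));
    f[1] |= IEEE80211_FC1_PROTECTED;         /* now dropped and counted */
    printf("rc=%d\n", inj_classify(f, sizeof(f), &st));
}
```

Every rejection path increments a counter and returns, so a malformed injected frame costs one drop rather than a panic on a kernel built with assertions enabled.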