
net80211: prevent plaintext injection by A-MSDU RFC1042/EAPOL frames
Needs Review, Public

Authored by bz on Sun, Jun 6, 10:38 PM.



No longer accept plaintext A-MSDU frames that start with an RFC1042
header with EtherType EAPOL. This is done by only accepting EAPOL
packets that are included in non-aggregated 802.11 frames.

Note that before this patch, FreeBSD also only accepted EAPOL frames
that are sent in a non-aggregated 802.11 frame due to bugs in
processing EAPOL packets inside A-MSDUs. In other words,
compatibility with legitimate devices remains the same.

This relates to section 6.5 in the 2021 Usenix "FragAttacks" (Fragment
and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation)

Submitted by: Mathy Vanhoef (Mathy.Vanhoef
Security: CVE-2020-26144
PR: 256120
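
A simplified model of the acceptance rule the summary above describes, shown before and after the restriction. This is an added example, not code from the patch or from net80211; `struct rx_frame`, `accept_before`, `accept_after` and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1042 LLC/SNAP header followed by EtherType 0x888e (EAPOL). */
static const uint8_t rfc1042_eapol[8] =
    { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00, 0x88, 0x8e };

/* Constructed frame body: RFC1042/EAPOL prefix plus filler bytes. */
static const uint8_t sample_body[16] =
    { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00, 0x88, 0x8e, 0x01, 0x03 };

/* Hypothetical receive summary; not a net80211 structure. */
struct rx_frame {
	bool decrypted;		/* frame was protected and decrypted OK */
	bool is_amsdu;		/* QoS Control "A-MSDU present" bit */
	const uint8_t *body;	/* payload after the 802.11 header */
	size_t len;
};

static bool starts_with_eapol(const struct rx_frame *f)
{
	return (f->len >= sizeof(rfc1042_eapol) &&
	    memcmp(f->body, rfc1042_eapol, sizeof(rfc1042_eapol)) == 0);
}

/* Before: the plaintext exemption looks only at the leading bytes. */
bool accept_before(const struct rx_frame *f)
{
	return (f->decrypted || starts_with_eapol(f));
}

/* After: plaintext EAPOL is accepted only when not aggregated. */
bool accept_after(const struct rx_frame *f)
{
	return (f->decrypted || (!f->is_amsdu && starts_with_eapol(f)));
}

int main(void)
{
	struct rx_frame f = { false, true, sample_body, sizeof(sample_body) };
	printf("plaintext A-MSDU: before=%d after=%d\n",
	    accept_before(&f), accept_after(&f));
	return (0);
}
```

In this model a plaintext, non-aggregated EAPOL frame and a decrypted A-MSDU are still accepted; only the plaintext aggregated case changes.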

Diff Detail

rS FreeBSD src repository - subversion
Lint OK
No Unit Test Coverage
Build Status
Buildable 39755
Build 36644: arc lint + arc unit

Event Timeline

bz requested review of this revision. Sun, Jun 6, 10:38 PM

Please see PR for original description/comments; I did add the "else eh = NULL" bits here and wrapped the debug logging.