Page MenuHomeFreeBSD

net80211: validate control frame TA/RA before further processing
ClosedPublic

Authored by adrian on Mar 30 2025, 12:08 AM.
Referenced Files
Unknown Object (File)
Sat, Oct 25, 4:36 AM
Unknown Object (File)
Fri, Oct 24, 5:20 PM
Unknown Object (File)
Sun, Oct 19, 9:21 AM
Unknown Object (File)
Sun, Oct 19, 3:50 AM
Unknown Object (File)
Sat, Oct 18, 4:08 AM
Unknown Object (File)
Fri, Oct 10, 10:57 PM
Unknown Object (File)
Sep 20 2025, 8:03 AM
Unknown Object (File)
Sep 17 2025, 10:54 PM

Details

Summary

An earlier commit relaxed the TA/RA rules around control frames
to fix other issues, however it now results in control frames
not specifically from a known node / to us to be handled in the control
path.

Specifically, rtwn(4) RTL8812/RTL8821 NICs are currently passing BARs
from the AP TA to any destination to us; which is tripping up BAW
tracking and causing traffic hangs.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 63211
Build 60095: arc lint + arc unit

Event Timeline

adrian added reviewers: wireless, jrtc27.
adrian added a project: wireless.
adrian added inline comments.
sys/net80211/ieee80211_adhoc.c
1055

I should migrate the ic_printf() calls to if_printf() like I did above.

(also we really should have a ieee80211_ic_printf() and ieee80211_vap_printf(), and _log() too, to make portability easier, sigh.)

bz requested changes to this revision.Mar 30 2025, 12:29 AM
bz added a subscriber: bz.
bz added inline comments.
sys/net80211/ieee80211.c
2751

add the "int subtype" as argument; all callers have it.

2754

Can we save this and just expand it in the one use case?

2759

I would argue this should be a KASSERT; if you get there without it being a ctrl frame we are screwed.

2764

false

2767
switch (subtype) {
case IEEE80211_FC0_SUBTYPE_CTS:
case IEEE80211_FC0_SUBTYPE_ACK:
     /* No TA. */
     break;
default:
     /* XXX check TA here; log on error; return false on error. Feel free to leave as a comment for now. */
     break;
}
sys/net80211/ieee80211_adhoc.c
1053

Move wh into the if() block to keep it local; don't initialise if it may never be used.

1054

No space after !

1055

I think we need a shorted "internal" prefix other than ieee80211 for non-standard things. Or at least call it net80211_foo; I know I am 20 years late with that but ...

vap_printf() instead of adding more if_printf I would prefer for sure.

#define vap_printf(vap, fmt, ...)      if_printf(vap->iv_ifp, fmt, ##__VA_ARGS__)

And then make a full pass over all if_printf so that one only remains, just this one ...

1055

I'd also suggest to move the printf into your function as once you start checking TA there as well, you won't know anymore which one failed.

sys/net80211/ieee80211_hostap.c
2425

! no space;

next line indent

This revision now requires changes to proceed.Mar 30 2025, 12:29 AM

clean ups; feedback from bz

(still have a bunch more to do)

What do y'all think about defining calls to vap->iv_recv_ctl() as receiving "only frames from a known node (where possible), destined to this vap MAC address", so the filtering can be done /before/ the call to vap->iv_recv_ctl() ?

I think that was the intended / previous behaviour of this, before all the various monitor modes, hybrid modes, etc popped up.

What do y'all think about defining calls to vap->iv_recv_ctl() as receiving "only frames from a known node (where possible), destined to this vap MAC address", so the filtering can be done /before/ the call to vap->iv_recv_ctl() ?

I think that was the intended / previous behaviour of this, before all the various monitor modes, hybrid modes, etc popped up.

I assume it's a 1:1; given you so nicely factored it out into a function the only question is where is error handling easier but I think what you are saying makes sense so please go ahead and move them.

sys/net80211/ieee80211.c
2757

if you do this do it before you need it. You have returns before that.

2762

With the KASSERT the if() has become useless.

sys/net80211/ieee80211.c
2762

With the KASSERT the if() has become useless.

No, because KASSERT()s aren't compiled in when INVARIANTS isn't enabled. We still need to handle the error case gracefully otherwise it becomes undefined behaviour.

migrate the check to before vap->iv_recv_ctl() is called

adrian added inline comments.
sys/net80211/ieee80211_adhoc.c
1055

I think we need a shorted "internal" prefix other than ieee80211 for non-standard things. Or at least call it net80211_foo; I know I am 20 years late with that but ...

vap_printf() instead of adding more if_printf I would prefer for sure.

#define vap_printf(vap, fmt, ...)      if_printf(vap->iv_ifp, fmt, ##__VA_ARGS__)

And then make a full pass over all if_printf so that one only remains, just this one ...

I'll add this as another specific clean-up to do once I've landed these diffs.

.. and when you're OK with the timing too, as it could make general merging a pain. :-)

sys/net80211/ieee80211_adhoc.c
1055

👍 Merging is fine; it'll be net80211 internal so could even be merged; need to see anyway what we do about some MFCs for 14 at some point... but leave that for another day too. &

sys/net80211/ieee80211.c
2762

The reason KASSERTs are compiled out is to optimise the code, but if you want to have an explicit check in the code anyway regardless then it serves no purpose, you might as well do if (...) panic(...) and save the weird "treat as both assertion and graceful error".

sys/net80211/ieee80211.c
2762

I don't ENTIRELY like it either. I think it's worth thinking of some better ways to abstract this out in net80211 so we can do graceful error handling and print out warnings / panic where needed.

In any case I'm not fussed about this, I'm much more worried about making sure that BARs and other control frames destined to this node and from a valid sender MAC are verified.

sys/net80211/ieee80211.c
2762

We have NASSERT at work for this...

sys/net80211/ieee80211.c
2781

Should this be IF_LLADDR(vap->iv_ifp) or vap->iv_myaddr?

It looks like ieee80211_freebsd.c:wlan_iflladdr() copies the LLADDR into vap->iv_myaddr. And thus maybe we shouldn't be using IF_LLADDR anywhere?

more updates from bz/jrtc27

@jrtc27 would you mind testing this and do some dtrace probing to make sure ieee80211_recv_bar() is only called when there's a BAR specifically for you? And it's still actually getting called? I'm super paranoid about actually breaking /all/ control traffic now. :-)

My home network APs don't send BARs. I know FreeBSD's ath(4) AP will send BARs, so I'll go create a test case or two that forcibly does BARs, but i'll be a few days before I can get all of that together.

adrian marked an inline comment as not done.

@jrtc27 would you mind testing this and do some dtrace probing to make sure ieee80211_recv_bar() is only called when there's a BAR specifically for you? And it's still actually getting called? I'm super paranoid about actually breaking /all/ control traffic now. :-)

My home network APs don't send BARs. I know FreeBSD's ath(4) AP will send BARs, so I'll go create a test case or two that forcibly does BARs, but i'll be a few days before I can get all of that together.

I can try to do that tomorrow (and pick up testing the input errors for protected networks issue).

Any plans to push this further?

sys/net80211/ieee80211.c
2762

I read the KASSERT as "I cannot end up here with it not being a CTL frame". It's documentation for most.
If you add the if() afterwards you basically say "I can violate my [asserted] terms here".

In other words what I am trying to say: make sure your callers ensure you cannot get there without a CTL frame.

2781

Every IF_LLADDR you can save is a win.

sys/net80211/ieee80211.c
2762

What's NASSERT()'s semantics?

I think we may wanna bring something like that into main

2781

Ok, once this commit lands, I'll go see if someone wants to do a quick pass over IF_LLADDR() and replace it with vap->iv_myaddr!

This revision was not accepted when it landed; it landed in state Needs Review.Apr 25 2025, 5:39 AM
This revision was automatically updated to reflect the committed changes.