• Mathy Vanhoef's avatar
    cfg80211: mitigate A-MSDU aggregation attacks · 2b8a1fee
    Mathy Vanhoef authored
    Mitigate A-MSDU injection attacks (CVE-2020-24588) by detecting if the
    destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP)
    header, and if so dropping the complete A-MSDU frame. This mitigates
    known attacks, although new (unknown) aggregation-based attacks may
    remain possible.
    
    This defense works because in A-MSDU aggregation injection attacks, a
    normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means
    the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042
    header. In other words, the destination MAC address of the first A-MSDU
    subframe contains the start of an RFC1042 header during an aggregation
    attack. We can detect this and thereby prevent this specific attack.
    For details, see Section 7.2 of "Fragment and Forge: Breaking Wi-Fi
    Through Frame Aggregation and Fragmentation".
    
    Note that for kernel 4.9 and above this patch depends on "mac80211:
    properly handle A-MSDUs that start with a rfc1042 header". Otherwise
    this patch has no impact and attacks will remain possible.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: default avatarMathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
    Link: https://lore.kernel.org/r/20210511200110.25d93176ddaf.I9e265b597f2cd23eb44573f35b625947b386a9de@changeidSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
    2b8a1fee
util.c 53.7 KB