    mac80211: do not accept/forward invalid EAPOL frames · a8c4d76a
    Johannes Berg authored
    EAPOL frames are used for authentication and key management between the
    AP and each individual STA associated in the BSS. Those frames are not
    supposed to be sent by one associated STA to another associated STA
    (either unicast or broadcast/multicast).
    
    Similarly, in 802.11 they're supposed to be sent to the authenticator
    (AP) address.
    
    Since it is possible for unexpected EAPOL frames to result in misbehavior
    in supplicant implementations, it is better for the AP to not allow such
    cases to be forwarded to other clients either directly, or indirectly if
    the AP interface is part of a bridge.
    
    Accept EAPOL (control port) frames only if they're transmitted to the
    own address, or, due to interoperability concerns, to the PAE group
    address.
    
    Disable forwarding of EAPOL (or well, the configured control port
    protocol) frames back to the wireless medium in all cases. Previously, these
    frames were accepted from fully authenticated and authorized stations
    and also from unauthenticated stations for one of the cases.
    
    Additionally, to avoid forwarding by the bridge, rewrite the PAE group
    address case to the local MAC address.
    
    Cc: stable@vger.kernel.org
    Co-developed-by: Jouni Malinen <jouni@codeaurora.org>
    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
    Link: https://lore.kernel.org/r/20210511200110.cb327ed0cabe.Ib7dcffa2a31f0913d660de65ba3c8aca75b1d10f@changeid
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
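The accept/forward rules the commit message describes, written out as an added user-space C model. This is not mac80211's code and does not reproduce rx.c; the function ap_rx_decide(), the rx_verdict enum, the "authorized" flag and the sample MAC addresses are assumptions made for the illustration. It shows the AP accepting a control port frame only when it is addressed to the AP itself or to the PAE group address, rewriting the PAE group destination to the AP's own MAC so a bridge containing the AP interface cannot flood it, and never relaying control port frames back to the wireless medium, while ordinary data keeps the usual authorized-only relay behaviour.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6
#define ETH_P_PAE 0x888E   /* IEEE 802.1X EAPOL ethertype, the default control port protocol */

/* 802.1X PAE group address 01-80-C2-00-00-03 (link-local, not forwarded by 802.1D bridges) */
static const uint8_t pae_group_addr[ETH_ALEN] = { 0x01, 0x80, 0xc2, 0x00, 0x00, 0x03 };

/* Constructed sample addresses for the demo (assumptions, not from the commit) */
static const uint8_t own_addr[ETH_ALEN]   = { 0x02, 0x00, 0x00, 0x00, 0x00, 0xaa }; /* the AP interface */
static const uint8_t sta_a_addr[ETH_ALEN] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 }; /* sending STA */
static const uint8_t sta_b_addr[ETH_ALEN] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x02 }; /* another associated STA */
static const uint8_t bcast_addr[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };

struct eth_hdr {
    uint8_t dst[ETH_ALEN];
    uint8_t src[ETH_ALEN];
    uint16_t proto;          /* ethertype in host order, for readability */
};

enum rx_verdict {
    RX_DROP,                 /* discard */
    RX_DELIVER_LOCAL,        /* hand to the AP's own stack (e.g. hostapd) only */
    RX_FORWARD_WIRELESS,     /* unicast relay to another associated STA */
    RX_DELIVER_AND_FORWARD,  /* multicast: local copy plus a copy re-sent on the air */
};

static bool is_multicast(const uint8_t *a) { return (a[0] & 0x01) != 0; }

/*
 * Decide what an AP does with an 802.3-converted frame from an associated STA.
 * control_port_protocol is the ethertype configured as the control port
 * protocol (EAPOL unless configured otherwise); sta_authorized is the sender's
 * 802.1X port state. The header may be rewritten in place.
 */
static enum rx_verdict ap_rx_decide(struct eth_hdr *eh, const uint8_t *ap_addr,
                                    uint16_t control_port_protocol, bool sta_authorized)
{
    if (eh->proto == control_port_protocol) {
        if (memcmp(eh->dst, pae_group_addr, ETH_ALEN) == 0) {
            /* Accepted for interoperability, but rewritten to our own MAC so a
             * bridge holding the AP interface does not flood it to other ports. */
            memcpy(eh->dst, ap_addr, ETH_ALEN);
        } else if (memcmp(eh->dst, ap_addr, ETH_ALEN) != 0) {
            /* EAPOL to another STA, to broadcast or to any other group address: drop. */
            return RX_DROP;
        }
        /* Control port frames are never relayed back to the wireless medium; they
         * are accepted regardless of authorization because the STA is authenticating. */
        return RX_DELIVER_LOCAL;
    }

    /* Anything other than the control port protocol needs an authorized sender. */
    if (!sta_authorized)
        return RX_DROP;

    if (is_multicast(eh->dst))
        return RX_DELIVER_AND_FORWARD;
    if (memcmp(eh->dst, ap_addr, ETH_ALEN) != 0)
        return RX_FORWARD_WIRELESS;   /* simplified: dst is assumed to be an associated STA */
    return RX_DELIVER_LOCAL;
}

/* Build a frame from sta_a to dst and run the decision; returns the verdict. */
static enum rx_verdict check_case(const uint8_t *dst, uint16_t proto, bool authorized)
{
    struct eth_hdr eh;
    memcpy(eh.dst, dst, ETH_ALEN);
    memcpy(eh.src, sta_a_addr, ETH_ALEN);
    eh.proto = proto;
    return ap_rx_decide(&eh, own_addr, ETH_P_PAE, authorized);
}

/* True if an EAPOL frame to the PAE group address is accepted and re-addressed to the AP. */
static bool pae_group_is_rewritten(void)
{
    struct eth_hdr eh;
    memcpy(eh.dst, pae_group_addr, ETH_ALEN);
    memcpy(eh.src, sta_a_addr, ETH_ALEN);
    eh.proto = ETH_P_PAE;
    return ap_rx_decide(&eh, own_addr, ETH_P_PAE, false) == RX_DELIVER_LOCAL &&
           memcmp(eh.dst, own_addr, ETH_ALEN) == 0;
}

int main(void)
{
    static const char *names[] = { "DROP", "DELIVER_LOCAL", "FORWARD_WIRELESS", "DELIVER_AND_FORWARD" };
    printf("EAPOL -> AP, unauthorized:   %s\n", names[check_case(own_addr, ETH_P_PAE, false)]);
    printf("EAPOL -> PAE group:          %s (rewritten to AP: %s)\n",
           names[check_case(pae_group_addr, ETH_P_PAE, false)], pae_group_is_rewritten() ? "yes" : "no");
    printf("EAPOL -> other STA, authorized: %s\n", names[check_case(sta_b_addr, ETH_P_PAE, true)]);
    printf("EAPOL -> broadcast, authorized: %s\n", names[check_case(bcast_addr, ETH_P_PAE, true)]);
    printf("IPv4 -> broadcast, authorized:  %s\n", names[check_case(bcast_addr, 0x0800, true)]);
    printf("IPv4 -> other STA, unauthorized: %s\n", names[check_case(sta_b_addr, 0x0800, false)]);
    return 0;
}
```

The two EAPOL cases the message calls out are the last two of the first four: an authorized STA's EAPOL frame to another STA or to broadcast is dropped rather than relayed, whereas the same addresses carrying ordinary data keep the pre-existing authorized-only forwarding.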
rx.c 137 KB