Ignore group-addressed SA Query frames

These frames are used for verifying that a specific SA and protected link is in functional state between two devices. The IEEE 802.11 standard defines only a case that uses individual MAC address as the destination. While there is no explicit rule on the receiver to ignore other cases, it seems safer to make sure group-addressed frames do not end up resulting in undesired behavior. As such, drop such frames instead of interpreting them as valid SA Query Request/Response. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-16 11:34:50 +02:00 · 2021-02-16 11:34:50 +02:00 · a826ff2d95
commit a826ff2d95
parent d314213f6c
4 changed files with 15 additions and 3 deletions
--- a/src/ap/ieee802_11_shared.c
+++ b/src/ap/ieee802_11_shared.c
@ -241,6 +241,12 @@ void ieee802_11_sa_query_action(struct hostapd_data *hapd,
 			   (unsigned long) len);
 		return;
 	}
+	if (is_multicast_ether_addr(mgmt->da)) {
+		wpa_printf(MSG_DEBUG,
+			   "IEEE 802.11: Ignore group-addressed SA Query frame (A1=" MACSTR " A2=" MACSTR ")",
+			   MAC2STR(mgmt->da), MAC2STR(mgmt->sa));
+		return;
+	}

 	sta = ap_get_sta(hapd, sa);

--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@ -4165,7 +4165,7 @@ static void wpas_event_rx_mgmt_action(struct wpa_supplicant *wpa_s,

 #ifdef CONFIG_SME
 	if (category == WLAN_ACTION_SA_QUERY) {
-		sme_sa_query_rx(wpa_s, mgmt->sa, payload, plen);
+		sme_sa_query_rx(wpa_s, mgmt->da, mgmt->sa, payload, plen);
 		return;
 	}
 #endif /* CONFIG_SME */
--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
@ -2883,11 +2883,17 @@ static void sme_process_sa_query_response(struct wpa_supplicant *wpa_s,
 }


-void sme_sa_query_rx(struct wpa_supplicant *wpa_s, const u8 *sa,
+void sme_sa_query_rx(struct wpa_supplicant *wpa_s, const u8 *da, const u8 *sa,
 		     const u8 *data, size_t len)
 {
 	if (len < 1 + WLAN_SA_QUERY_TR_ID_LEN)
 		return;
+	if (is_multicast_ether_addr(da)) {
+		wpa_printf(MSG_DEBUG,
+			   "IEEE 802.11: Ignore group-addressed SA Query frame (A1=" MACSTR " A2=" MACSTR ")",
+			   MAC2STR(da), MAC2STR(sa));
+		return;
+	}

 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Received SA Query frame from "
 		MACSTR " (trans_id %02x%02x)", MAC2STR(sa), data[1], data[2]);
--- a/wpa_supplicant/sme.h
+++ b/wpa_supplicant/sme.h
@ -29,7 +29,7 @@ void sme_event_disassoc(struct wpa_supplicant *wpa_s,
 void sme_event_unprot_disconnect(struct wpa_supplicant *wpa_s, const u8 *sa,
 				 const u8 *da, u16 reason_code);
 void sme_event_ch_switch(struct wpa_supplicant *wpa_s);
-void sme_sa_query_rx(struct wpa_supplicant *wpa_s, const u8 *sa,
+void sme_sa_query_rx(struct wpa_supplicant *wpa_s, const u8 *da, const u8 *sa,
 		     const u8 *data, size_t len);
 void sme_state_changed(struct wpa_supplicant *wpa_s);
 void sme_disassoc_while_authenticating(struct wpa_supplicant *wpa_s,