Ignore group-addressed SA Query frames

These frames are used for verifying that a specific SA and protected
link is in functional state between two devices. The IEEE 802.11
standard defines only a case that uses individual MAC address as the
destination. While there is no explicit rule on the receiver to ignore
other cases, it seems safer to make sure group-addressed frames do not
end up resulting in undesired behavior. As such, drop such frames
instead of interpreting them as valid SA Query Request/Response.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Jouni Malinen 2021-02-16 11:34:50 +02:00 committed by Jouni Malinen
parent d314213f6c
commit a826ff2d95
4 changed files with 15 additions and 3 deletions


@ -241,6 +241,12 @@ void ieee802_11_sa_query_action(struct hostapd_data *hapd,
(unsigned long) len);
return;
}
if (is_multicast_ether_addr(mgmt->da)) {
wpa_printf(MSG_DEBUG,
"IEEE 802.11: Ignore group-addressed SA Query frame (A1=" MACSTR " A2=" MACSTR ")",
MAC2STR(mgmt->da), MAC2STR(mgmt->sa));
return;
}
sta = ap_get_sta(hapd, sa);
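Review bot: The new early return at `if (is_multicast_ether_addr(mgmt->da))` has no comment saying why the frame is dropped, and the commit message is explicit that the standard does not require the drop, so a later reader could take the check for removable dead code. I would add above it `/* SA Query is defined only for an individually addressed A1; drop group-addressed frames before any STA lookup so they are never handled as a valid request/response. */`. Placing the check ahead of `ap_get_sta()` is right, since no per-station state is consulted for a dropped frame. The body of ieee802_11_sa_query_action starts and continues outside this hunk.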


@ -4165,7 +4165,7 @@ static void wpas_event_rx_mgmt_action(struct wpa_supplicant *wpa_s,
#ifdef CONFIG_SME
if (category == WLAN_ACTION_SA_QUERY) {
sme_sa_query_rx(wpa_s, mgmt->sa, payload, plen);
sme_sa_query_rx(wpa_s, mgmt->da, mgmt->sa, payload, plen);
return;
}
#endif /* CONFIG_SME */


@ -2883,11 +2883,17 @@ static void sme_process_sa_query_response(struct wpa_supplicant *wpa_s,
}
void sme_sa_query_rx(struct wpa_supplicant *wpa_s, const u8 *sa,
void sme_sa_query_rx(struct wpa_supplicant *wpa_s, const u8 *da, const u8 *sa,
const u8 *data, size_t len)
{
if (len < 1 + WLAN_SA_QUERY_TR_ID_LEN)
return;
if (is_multicast_ether_addr(da)) {
wpa_printf(MSG_DEBUG,
"IEEE 802.11: Ignore group-addressed SA Query frame (A1=" MACSTR " A2=" MACSTR ")",
MAC2STR(da), MAC2STR(sa));
return;
}
wpa_dbg(wpa_s, MSG_DEBUG, "SME: Received SA Query frame from "
MACSTR " (trans_id %02x%02x)", MAC2STR(sa), data[1], data[2]);
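Review bot: The added drop message in sme_sa_query_rx is logged with `wpa_printf(MSG_DEBUG, "IEEE 802.11: ...")`, while the very next statement in the same function uses `wpa_dbg(wpa_s, MSG_DEBUG, "SME: ...")`. With more than one interface the dropped-frame line would presumably lack the per-interface context the rest of the SME log carries, which makes it harder to attribute when reviewing logs for unexpected SA Query traffic. I would write it as `wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore group-addressed SA Query frame (A1=" MACSTR " A2=" MACSTR ")", MAC2STR(da), MAC2STR(sa));`. The function body continues outside the hunk.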


@ -29,7 +29,7 @@ void sme_event_disassoc(struct wpa_supplicant *wpa_s,
void sme_event_unprot_disconnect(struct wpa_supplicant *wpa_s, const u8 *sa,
const u8 *da, u16 reason_code);
void sme_event_ch_switch(struct wpa_supplicant *wpa_s);
void sme_sa_query_rx(struct wpa_supplicant *wpa_s, const u8 *sa,
void sme_sa_query_rx(struct wpa_supplicant *wpa_s, const u8 *da, const u8 *sa,
const u8 *data, size_t len);
void sme_state_changed(struct wpa_supplicant *wpa_s);
void sme_disassoc_while_authenticating(struct wpa_supplicant *wpa_s,
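Review bot: `sme_sa_query_rx()` now takes `da, sa`, while the neighbouring `sme_event_unprot_disconnect()` prototype in this header takes `sa, da`. Both arguments are `const u8 *`, so a swapped pair compiles silently and would make the group-address test examine the source address instead of the destination. Either keep the order already used in this header, `const u8 *sa, const u8 *da`, or add a comment on the prototype naming which argument is A1 (destination) and which is A2 (source).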