diff options
Diffstat (limited to 'package/kernel/mac80211/patches/subsys/383-cfg80211-mitigate-A-MSDU-aggregation-attacks.patch')
| -rw-r--r-- | package/kernel/mac80211/patches/subsys/383-cfg80211-mitigate-A-MSDU-aggregation-attacks.patch | 40 |
1 files changed, 0 insertions, 40 deletions
diff --git a/package/kernel/mac80211/patches/subsys/383-cfg80211-mitigate-A-MSDU-aggregation-attacks.patch b/package/kernel/mac80211/patches/subsys/383-cfg80211-mitigate-A-MSDU-aggregation-attacks.patch deleted file mode 100644 index 8ea78dca84..0000000000 --- a/package/kernel/mac80211/patches/subsys/383-cfg80211-mitigate-A-MSDU-aggregation-attacks.patch +++ /dev/null @@ -1,40 +0,0 @@ -From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be> -Date: Tue, 11 May 2021 20:02:45 +0200 -Subject: [PATCH] cfg80211: mitigate A-MSDU aggregation attacks - -Mitigate A-MSDU injection attacks (CVE-2020-24588) by detecting if the -destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP) -header, and if so dropping the complete A-MSDU frame. This mitigates -known attacks, although new (unknown) aggregation-based attacks may -remain possible. - -This defense works because in A-MSDU aggregation injection attacks, a -normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means -the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042 -header. In other words, the destination MAC address of the first A-MSDU -subframe contains the start of an RFC1042 header during an aggregation -attack. We can detect this and thereby prevent this specific attack. -For details, see Section 7.2 of "Fragment and Forge: Breaking Wi-Fi -Through Frame Aggregation and Fragmentation". - -Note that for kernel 4.9 and above this patch depends on "mac80211: -properly handle A-MSDUs that start with a rfc1042 header". Otherwise -this patch has no impact and attacks will remain possible. - -Cc: stable@vger.kernel.org -Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be> -Signed-off-by: Johannes Berg <johannes.berg@intel.com> ---- - ---- a/net/wireless/util.c -+++ b/net/wireless/util.c -@@ -775,6 +775,9 @@ void ieee80211_amsdu_to_8023s(struct sk_ - remaining = skb->len - offset; - if (subframe_len > remaining) - goto purge; -+ /* mitigate A-MSDU aggregation injection attacks */ -+ if (ether_addr_equal(eth.h_dest, rfc1042_header)) -+ goto purge; - - offset += sizeof(struct ethhdr); - last = remaining <= subframe_len + padding; |