Drop fragmented 802.11 frames.

Fragmented frames were never of any practical use to us anyway, given that
our net80211 stack does not (yet?) re-assemble them.

Counter-measure against attacks where an arbitrary packet is injected in a
fragment with attacker-controlled content (via an AP which supports fragments).
See https://papers.mathyvanhoef.com/usenix2021.pdf
Section 6.8 "Treating fragments as full frames"

ok mpi@

diff --git a/sys/net80211/ieee80211_input.c b/sys/net80211/ieee80211_input.c
index 41e8bd6..e66a661 100644 (file)
--- a/sys/net80211/ieee80211_input.c
+++ b/sys/net80211/ieee80211_input.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ieee80211_input.c,v 1.236 2021/05/17 11:44:22 stsp Exp $      */
+/*     $OpenBSD: ieee80211_input.c,v 1.237 2021/05/18 08:10:45 stsp Exp $      */
 
 /*-
  * Copyright (c) 2001 Atsushi Onoe
@@ -384,6 +384,20 @@ ieee80211_inputm(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni,
                }
        }
 
+       /*
+        * We do not yet support fragments. Drop any fragmented packets.
+        * Counter-measure against attacks where an arbitrary packet is
+        * injected via a fragment with attacker-controlled content.
+        * See https://papers.mathyvanhoef.com/usenix2021.pdf
+        * Section 6.8 "Treating fragments as full frames"
+        */
+       if (ieee80211_has_seq(wh)) {
+               uint16_t rxseq = letoh16(*(const u_int16_t *)wh->i_seq);
+               if ((wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) ||
+                   (rxseq & IEEE80211_SEQ_FRAG_MASK))
+                       goto err;
+       }
+
        /* duplicate detection (see 9.2.9) */
        if (ieee80211_has_seq(wh) &&
            ic->ic_state != IEEE80211_S_SCAN) {