From fe5684e3e62b0a1eb90a610b26dfcc30cf60ebce Mon Sep 17 00:00:00 2001
From: stsp
Date: Tue, 18 May 2021 08:10:45 +0000
Subject: [PATCH] Drop fragmented 802.11 frames.

Fragmented frames were never of any practical use to us anyway, given that our net80211 stack does not (yet?) re-assemble them.

Counter-measure against attacks where an arbitrary packet is injected in a fragment with attacker-controlled content (via an AP which supports fragments). See https://papers.mathyvanhoef.com/usenix2021.pdf Section 6.8 "Treating fragments as full frames"

ok mpi@
---
 sys/net80211/ieee80211_input.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/sys/net80211/ieee80211_input.c b/sys/net80211/ieee80211_input.c
index 41e8bd6cca1..e66a661a1a4 100644
--- a/sys/net80211/ieee80211_input.c
+++ b/sys/net80211/ieee80211_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ieee80211_input.c,v 1.236 2021/05/17 11:44:22 stsp Exp $ */
+/* $OpenBSD: ieee80211_input.c,v 1.237 2021/05/18 08:10:45 stsp Exp $ */
 /*-
 * Copyright (c) 2001 Atsushi Onoe
@@ -384,6 +384,20 @@ ieee80211_inputm(struct ifnet *ifp, struct mbuf *m, struct ieee80211_node *ni,
 }
 }
+ /*
+ * We do not yet support fragments. Drop any fragmented packets.
+ * Counter-measure against attacks where an arbitrary packet is
+ * injected via a fragment with attacker-controlled content.
+ * See https://papers.mathyvanhoef.com/usenix2021.pdf
+ * Section 6.8 "Treating fragments as full frames"
+ */
+ if (ieee80211_has_seq(wh)) {
+ uint16_t rxseq = letoh16(*(const u_int16_t *)wh->i_seq);
+ if ((wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG) ||
+ (rxseq & IEEE80211_SEQ_FRAG_MASK))
+ goto err;
+ }
+
 /* duplicate detection (see 9.2.9) */
 if (ieee80211_has_seq(wh) && ic->ic_state != IEEE80211_S_SCAN) {
-- 
2.20.1
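Review bot: The drop via `goto err` (label outside the hunk) presumably folds these frames into the generic input-error count, so a fragment-injection attempt — the very attack the comment cites — is indistinguishable from any malformed frame in interface statistics; bumping a dedicated per-interface counter (placeholder: `is_rx_fragment` or similar in the existing stats struct) immediately before the `goto err` would make such traffic observable to operators. The new block reads `wh->i_seq` ahead of the duplicate-detection block that already reads the same field, so it appears to introduce no new length precondition, but confirm that the minimum-length check covering the full 802.11 header precedes this point for every frame that passes `ieee80211_has_seq()`. Minor style: the declaration mixes `uint16_t` on the left with the `u_int16_t` cast on the right; `u_int16_t rxseq = letoh16(*(const u_int16_t *)wh->i_seq);` would keep one spelling. `ieee80211_inputm()` begins and ends outside this hunk.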