From patchwork Sun Sep 25 11:25:58 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: michael-dev <michael-dev@fami-braun.de>
X-Patchwork-Id: 9349669
X-Patchwork-Delegate: johannes@sipsolutions.net
Return-Path: <linux-wireless-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	DC3F7607F0 for <patchwork-linux-wireless@patchwork.kernel.org>;
	Sun, 25 Sep 2016 11:26:13 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C27B528CA9
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Sun, 25 Sep 2016 11:26:13 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id B2BAE28CCD; Sun, 25 Sep 2016 11:26:13 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BE0E628CA9
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Sun, 25 Sep 2016 11:26:12 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S966033AbcIYL0K (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Sun, 25 Sep 2016 07:26:10 -0400
Received: from mail.fem.tu-ilmenau.de ([141.24.220.54]:42199 "EHLO
	mail.fem.tu-ilmenau.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S938708AbcIYL0J (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Sun, 25 Sep 2016 07:26:09 -0400
Received: from localhost (localhost [127.0.0.1])
	by mail.fem.tu-ilmenau.de (Postfix) with ESMTP id 92F94698D;
	Sun, 25 Sep 2016 13:26:07 +0200 (CEST)
X-Virus-Scanned: amavisd-new at fem.tu-ilmenau.de
Received: from mail.fem.tu-ilmenau.de ([127.0.0.1])
	by localhost (mail.fem.tu-ilmenau.de [127.0.0.1]) (amavisd-new,
	port 10024)
	with ESMTP id OB+X3TZL54Tk; Sun, 25 Sep 2016 13:26:05 +0200 (CEST)
Received: from a234.fem.tu-ilmenau.de (ray-controller.net.fem.tu-ilmenau.de
	[10.42.51.234]) by mail.fem.tu-ilmenau.de (Postfix) with ESMTP;
	Sun, 25 Sep 2016 13:26:04 +0200 (CEST)
Received: by a234.fem.tu-ilmenau.de (Postfix, from userid 1000)
	id C12753004A95; Sun, 25 Sep 2016 13:26:04 +0200 (CEST)
From: Michael Braun <michael-dev@fami-braun.de>
To: johannes@sipsolutions.net
Cc: linux-wireless@vger.kernel.org, projekt-wlan@fem.tu-ilmenau.de,
	Michael Braun <michael-dev@fami-braun.de>
Subject: [PATCH] mac80211: check A-MSDU inner frame source address on AP
	interfaces
Date: Sun, 25 Sep 2016 13:25:58 +0200
Message-Id: <1474802758-14502-1-git-send-email-michael-dev@fami-braun.de>
X-Mailer: git-send-email 2.1.4
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

When using WPA security, the station and thus the required key is
identified by its mac address when packets are received. So a
station usually cannot spoof its source mac address.

But when a station sends an A-MSDU frame, port control and crypto
is done using the outer mac address, while the packets delivered
and forwarded use the inner mac address.

IEEE 802.11-2012 mandates that the outer source mac address should
match the inner source address (section 8.3.2.2). For the
destination mac address, matching is not required (section 10.23.15).

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
---
 net/wireless/util.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/net/wireless/util.c b/net/wireless/util.c
index b7d1592..7ea56fe 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -747,13 +747,13 @@ void ieee80211_amsdu_to_8023s(struct sk_buff *skb, struct sk_buff_head *list,
 	u16 ethertype;
 	u8 *payload;
 	int offset = 0, remaining, err;
-	struct ethhdr eth;
+	struct ethhdr eth, eth_80211;
 	bool reuse_frag = skb->head_frag && !skb_has_frag_list(skb);
 	bool reuse_skb = false;
 	bool last = false;
 
 	if (has_80211_header) {
-		err = __ieee80211_data_to_8023(skb, &eth, addr, iftype);
+		err = __ieee80211_data_to_8023(skb, &eth_80211, addr, iftype);
 		if (err)
 			goto out;
 	}
@@ -768,6 +768,13 @@ void ieee80211_amsdu_to_8023s(struct sk_buff *skb, struct sk_buff_head *list,
 		subframe_len = sizeof(struct ethhdr) + len;
 		padding = (4 - subframe_len) & 0x3;
 
+		if (unlikely(has_80211_header &&
+			     (iftype == NL80211_IFTYPE_AP ||
+			      iftype == NL80211_IFTYPE_AP_VLAN) &&
+			     ether_addr_equal(eth_80211.h_source, eth.h_source))
+		   )
+			goto purge;
+
 		/* the last MSDU has no padding */
 		remaining = skb->len - offset;
 		if (subframe_len > remaining)