From patchwork Mon Aug 6 22:48:57 2018
X-Patchwork-Submitter: Mathy Vanhoef
X-Patchwork-Id: 10558093
X-Patchwork-Delegate: johannes@sipsolutions.net
From: Mathy Vanhoef
To: johannes@sipsolutions.net, linux-wireless@vger.kernel.org
Cc: Mathy Vanhoef
Subject: [PATCH] mac80211: ignore SA Query Requests with unknown payload data
Date: Tue, 7 Aug 2018 00:48:57 +0200
Message-Id: <20180806224857.14853-1-Mathy.Vanhoef@cs.kuleuven.be>

When operating in station mode, ignore SA Query Request frames that contain extra payload data. The kernel doesn't know how to handle these frames. Instead, give userspace a chance to handle these frames.

For example, with Operating Channel Validation, SA Query Requests may now contain an extra Operating Channel Information (OCI) element as payload data. The kernel should ignore these frames, since it does not know how to properly handle them. Instead, let userspace process these frames.

Signed-off-by: Mathy Vanhoef
---
For background on Operating Channel Validation, see:
https://mentor.ieee.org/802.11/dcn/17/11-17-1807-12-000m-defense-against-multi-channel-mitm-attacks-via-operating-channel-validation.docx

A corresponding patchset was also recently submitted to Hostap, see "Add support for Operating Channel Validation (OCV)".

 net/mac80211/rx.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index 932985ca4e66..9a4fb17bada7 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -2755,7 +2755,7 @@ ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx, struct sk_buff_head *frames) return RX_DROP_MONITOR; } -static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata, +static bool ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata, struct ieee80211_mgmt *mgmt, size_t len) { 
@@ -2765,23 +2765,23 @@ static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata, if (!ether_addr_equal(mgmt->da, sdata->vif.addr)) { /* Not to own unicast address */ - return; + return false; } if (!ether_addr_equal(mgmt->sa, sdata->u.mgd.bssid) || !ether_addr_equal(mgmt->bssid, sdata->u.mgd.bssid)) { /* Not from the current AP or not associated yet. */ - return; + return false; } - if (len < 24 + 1 + sizeof(resp->u.action.u.sa_query)) { - /* Too short SA Query request frame */ - return; + if (len != 24 + 1 + sizeof(resp->u.action.u.sa_query)) { + /* Too short SA Query request frame, or one we can't handle */ + return false; } skb = dev_alloc_skb(sizeof(*resp) + local->hw.extra_tx_headroom); if (skb == NULL) - return; + return false; skb_reserve(skb, local->hw.extra_tx_headroom); resp = skb_put_zero(skb, 24); @@ -2798,6 +2798,7 @@ static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata, WLAN_SA_QUERY_TR_ID_LEN); ieee80211_tx_skb(sdata, skb); + return true; } static ieee80211_rx_result debug_noinline @@ -3089,7 +3090,8 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx) case WLAN_ACTION_SA_QUERY_REQUEST: if (sdata->vif.type != NL80211_IFTYPE_STATION) break; - ieee80211_process_sa_query_req(sdata, mgmt, len); + if (!ieee80211_process_sa_query_req(sdata, mgmt, len)) + break; goto handled; } break;
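Review bot: the new bool return in the first hunk (`static bool ieee80211_process_sa_query_req(...)`) is not documented anywhere; add a short comment above the function stating that true means the request was answered in-kernel and false means the frame is left for the rest of the RX path (userspace), since the caller's choice between `break` and `goto handled` hinges on that meaning.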
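Review bot: in the second hunk every early exit (DA not our address, not from the current AP, bad length, `dev_alloc_skb` failure) now returns false, so frames that were previously consumed silently are handed on to the rest of the RX path exactly like a well-formed request carrying an unknown payload, although the commit message only wants the latter to reach userspace. Consider returning true (consumed) for the address/BSSID mismatches and the genuinely too-short case, and deciding explicitly what the allocation-failure case should do, so that only a valid request with extra payload is passed on. The comment `/* Too short SA Query request frame, or one we can't handle */` should also be reworded, since `len != 24 + 1 + sizeof(resp->u.action.u.sa_query)` now rejects too-long frames as well as too-short ones.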
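Review bot: in the last hunk, `if (!ieee80211_process_sa_query_req(sdata, mgmt, len)) break;` lets the frame continue through the later RX handlers without saying so at the call site; a one-line comment there (for example `/* not handled here, leave it for userspace */`) would record the intent described in the commit message, and the commit message could name the handler that delivers the frame to userspace.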
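A constructed worked example of the length rule the patch enforces (added here; not code from the patch or from mac80211): a frame of exactly 24 + 1 + 1 + 2 bytes is the only shape the kernel answers, and anything longer is treated as carrying payload such as an OCI element. It assumes the OCI element ID extension value 54 as defined in hostapd, a zeroed sample frame, and the hypothetical helper names below.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* SA Query Request layout the patch checks: 24-byte MAC header, 1-byte
 * category, 1-byte action, 2-byte transaction id. */
#define SAQ_HDR_LEN   24
#define SAQ_FIXED_LEN (SAQ_HDR_LEN + 1 + 1 + 2)
#define CAT_SA_QUERY  8    /* WLAN_CATEGORY_SA_QUERY */
#define EID_EXTENSION 255  /* element ID that carries an Element ID Extension */
#define EID_EXT_OCI   54   /* assumed: OCI element ID extension, as in hostapd */

enum saq_verdict { SAQ_TOO_SHORT, SAQ_NOT_SA_QUERY, SAQ_EXACT, SAQ_EXTRA_PAYLOAD };

/* Mirror the patched kernel decision: only a frame of exactly SAQ_FIXED_LEN
 * bytes is answered in the kernel; a longer one is left for userspace. */
enum saq_verdict classify_sa_query_req(const uint8_t *f, size_t len)
{
    if (len < SAQ_FIXED_LEN)
        return SAQ_TOO_SHORT;
    if (f[SAQ_HDR_LEN] != CAT_SA_QUERY || f[SAQ_HDR_LEN + 1] != 0 /* request */)
        return SAQ_NOT_SA_QUERY;
    return len == SAQ_FIXED_LEN ? SAQ_EXACT : SAQ_EXTRA_PAYLOAD;
}

/* Walk the trailing bytes as (id, len, data) elements and report whether a
 * complete OCI element is present; a truncated element yields false. */
bool sa_query_has_oci(const uint8_t *f, size_t len)
{
    size_t pos = SAQ_FIXED_LEN;
    while (pos + 2 <= len) {
        uint8_t id = f[pos], elen = f[pos + 1];
        if (pos + 2 + elen > len)
            return false;  /* element runs past the end of the frame */
        if (id == EID_EXTENSION && elen >= 1 && f[pos + 2] == EID_EXT_OCI)
            return true;
        pos += 2 + elen;
    }
    return false;
}

/* Constructed sample: action frame control 0xd0, duration, three zeroed
 * addresses, sequence control, category 8, action 0 (request), transaction
 * id 0x1234, then an OCI element (255, len 4, ext 54, op class 81, ch 6, 0). */
const uint8_t sample_saq_oci[] = {
    0xd0, 0x00, 0x00, 0x00,
    0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0,
    0x00, 0x00,
    CAT_SA_QUERY, 0x00, 0x34, 0x12,
    EID_EXTENSION, 4, EID_EXT_OCI, 81, 6, 0,
};
```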