Re: [PATCH] The current behaviour of hostapd_das_find_sta() is undesirable as it can result in over broad, potentially insecure matching.

On Sun, Mar 06, 2016 at 08:23:01PM +0000, Nick Lowe wrote:
> Requiring a match against all the session identifying attributes
> supplied would be fine and, of course, an order of precedence would be
> not applicable and meaningless at this point.
> That would be stricter than what the patch I submitted does.
> 
> Currently hostapd implements faulty logic such that any session
> identifying attribute that matches is acceptable.
> Herein lies the fault in the implementation.

Could you please be more specific here? The current implementation
matches all the session identifying attributes and requires all of them
to match.

> In the case that more than one session is matched, hostapd currently
> elects to do nothing.

"Does nothing" is somewhat inaccurate. hostapd rejects the request in such
a case with Error-Cause 508 (Multiple Session Selection Unsupported).

> If this was changed in the future to permit more than one session to
> be matched, this could result in unexpected sessions being changed or
> disconnected.

What would be unexpected? DAC better know what it is doing and if it
does not use specific enough attributes, it'll get what it asks for.

> At present, this may result in expected sessions not being changed or
> disconnected due to multiple sessions being matched.

Only if DAC specified overly flexible identifying attributes. Or do you
have a specific example of attributes where more than a single match
were to be expected?

> Where the User-Name is being sent as a session identifying attribute
> alongside others, this can be manipulated to cause deliberate
> malfunction of CoA-Request and Disconnect-Request by stations.

How would User-Name alongside others do anything here if the other
attributes are specific enough to find a single match? Even if that
User-Name were to match multiple sessions, only the one also matching
the other, more specific, attributes would be identified.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
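
The matching rule discussed in this message (every supplied session-identifying attribute must match, and more than one matching session is rejected with Error-Cause 508), shown as an added example that is not part of the original message and is not hostapd's code. The struct, the function name, the sample sessions and the 402 answer for an empty selector are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not hostapd's own structures. The same struct holds a
 * session's identifiers or a request's selector (NULL = attribute not sent). */
struct ids { const char *sta_mac, *user_name, *acct_session_id; };

/* RFC 5176 Error-Cause values; 0 = exactly one session identified. */
enum { DAS_OK = 0, DAS_MISSING_ATTR = 402, DAS_NOT_FOUND = 503, DAS_MULTI = 508 };

/* Constructed sample sessions: two stations share one User-Name. */
static const struct ids sessions[] = {
    { "02:00:00:00:00:01", "alice", "A1" },
    { "02:00:00:00:00:02", "alice", "A2" },
    { "02:00:00:00:00:03", "bob",   "B1" },
};

/* A supplied attribute must match; an absent one places no constraint. */
static int attr_ok(const char *want, const char *have)
{
    return want == NULL || strcmp(want, have) == 0;
}

/* AND over every supplied attribute; act only on a unique match. */
int das_find_session(const struct ids *req, const struct ids **out)
{
    size_t i, hits = 0;
    const struct ids *hit = NULL;

    if (!req->sta_mac && !req->user_name && !req->acct_session_id)
        return DAS_MISSING_ATTR; /* this example's choice for an empty selector */
    for (i = 0; i < sizeof(sessions) / sizeof(sessions[0]); i++) {
        if (attr_ok(req->sta_mac, sessions[i].sta_mac) &&
            attr_ok(req->user_name, sessions[i].user_name) &&
            attr_ok(req->acct_session_id, sessions[i].acct_session_id)) {
            hits++;
            hit = &sessions[i];
        }
    }
    if (out)
        *out = hits == 1 ? hit : NULL; /* none or ambiguous: no session returned */
    return hits == 1 ? DAS_OK : hits ? DAS_MULTI : DAS_NOT_FOUND;
}

int main(void)
{
    struct ids by_user = { NULL, "alice", NULL };
    struct ids by_both = { "02:00:00:00:00:02", "alice", NULL };
    printf("%d %d\n", das_find_session(&by_user, NULL), das_find_session(&by_both, NULL));
    return 0;
}
```

With User-Name alone the selector is ambiguous and no session is returned; adding the station MAC narrows it to one, and a MAC paired with a different user's name matches nothing because the attributes are ANDed.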


