On Wed, Aug 24, 2022 at 01:57:44PM +0800, xinpeng wang wrote:
> During eap authentication, the supplier sends the response to the address
> 01:80:c2:00:00:03, the PAE group address.
> Some switches will broadcast messages sent to this address, which will
> cause the devices under the same switch to receive these response packets,
> which will cause the device's eap state machine to migrate incorrectly,
> resulting in repeated authentication or slow authentication.
> diff --git a/src/eapol_supp/eapol_supp_sm.c b/src/eapol_supp/eapol_supp_sm.c
> @@ -1365,6 +1365,11 @@ int eapol_sm_rx_eapol(struct eapol_sm *sm, const u8 *src, const u8 *buf,
> + if (plen >= sizeof(*ehdr) && ehdr->code == EAP_CODE_RESPONSE) {
> + wpa_printf(MSG_DEBUG, "EAPOL: Ignore EAP packet with response");
> + break;
> + }

This is problematic because of a special corner case with LEAP which
actually uses an EAP-Response message from the server to the client. In
other words, this proposed change would break LEAP.

I guess this could be made even a worse layer violation within the
workaround code by looking at the type field following the EAP header
and skipping this here only if the type is not EAP_TYPE_LEAP. That would
not be exactly pretty from the view point of EAPOL layer supposedly
being independent of the EAP layer, but I guess that could be an
acceptable workaround for this.

--
Jouni Malinen PGP id EFC895FA
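Review bot: The condition `ehdr->code == EAP_CODE_RESPONSE` drops every EAP-Response regardless of EAP method, so the LEAP exchange mentioned in the reply, where the server sends an EAP-Response to the client, would be discarded along with the stray broadcast frames. If the workaround is kept, narrow it to responses whose type octet is not EAP_TYPE_LEAP, and extend the length guard accordingly: `plen >= sizeof(*ehdr)` only covers the EAP header, so reading the type field that follows it needs at least one more byte of payload. The debug text "Ignore EAP packet with response" would also be easier to act on in a trace if it said that an EAP-Response was received and dropped, and a short comment above the check explaining the switch-broadcast behaviour would help, since the EAPOL layer is otherwise not expected to inspect EAP contents.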