When using WPA security, the station and thus the required key is identified by its mac address when packets are received. So a station usually cannot spoof its source mac address. But when a station sends an A-MSDU frame, port control and crypto is done using the outer mac address, while the packets delivered and forwarded use the inner mac address. IEEE 802.11-2012 mandates that the outer source mac address should match the inner source address (section 8.3.2.2). For the destination mac address, matching is not required (section 10.23.15). Signed-off-by: Michael Braun <michael-dev@xxxxxxxxxxxxx> --- net/wireless/util.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/net/wireless/util.c b/net/wireless/util.c index b7d1592..7ea56fe 100644 --- a/net/wireless/util.c +++ b/net/wireless/util.c @@ -747,13 +747,13 @@ void ieee80211_amsdu_to_8023s(struct sk_buff *skb, struct sk_buff_head *list, u16 ethertype; u8 *payload; int offset = 0, remaining, err; - struct ethhdr eth; + struct ethhdr eth, eth_80211; bool reuse_frag = skb->head_frag && !skb_has_frag_list(skb); bool reuse_skb = false; bool last = false; if (has_80211_header) { - err = __ieee80211_data_to_8023(skb, ð, addr, iftype); + err = __ieee80211_data_to_8023(skb, ð_80211, addr, iftype); if (err) goto out; } @@ -768,6 +768,13 @@ void ieee80211_amsdu_to_8023s(struct sk_buff *skb, struct sk_buff_head *list, subframe_len = sizeof(struct ethhdr) + len; padding = (4 - subframe_len) & 0x3; + if (unlikely(has_80211_header && + (iftype == NL80211_IFTYPE_AP || + iftype == NL80211_IFTYPE_AP_VLAN) && + ether_addr_equal(eth_80211.h_source, eth.h_source)) + ) + goto purge; + /* the last MSDU has no padding */ remaining = skb->len - offset; if (subframe_len > remaining) -- 2.1.4