Felix Fietkau <nbd@xxxxxxxx> wrote:

> Mitigate A-MSDU injection attacks (CVE-2020-24588) by detecting if the
> destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP)
> header, and if so dropping the complete A-MSDU frame. This mitigates
> known attacks, although new (unknown) aggregation-based attacks may
> remain possible.
>
> This defense works because in A-MSDU aggregation injection attacks, a
> normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means
> the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042
> header. In other words, the destination MAC address of the first A-MSDU
> subframe contains the start of an RFC1042 header during an aggregation
> attack. We can detect this and thereby prevent this specific attack.
> For details, see Section 7.2 of "Fragment and Forge: Breaking Wi-Fi
> Through Frame Aggregation and Fragmentation".
>
> Signed-off-by: Felix Fietkau <nbd@xxxxxxxx>

Patch applied to wireless-drivers.git, thanks.

2c2bdd2372af mt76: validate rx A-MSDU subframes

--
https://patchwork.kernel.org/project/linux-wireless/patch/20210513070303.20253-1-nbd@xxxxxxxx/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
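
The check described in the quoted commit message, as an added userspace example (it is not the mt76 patch or any kernel code). The helper name amsdu_validate, the sample buffers and the choice to test every subframe's destination address are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* LLC/SNAP (RFC1042) header that starts a normal, non-aggregated MSDU. */
static const uint8_t rfc1042_header[6] = { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 };

/* Constructed sample: two well-formed subframes, the first padded to 4 bytes. */
static const uint8_t sample_ok[] = {
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x00,0x08,  /* DA, SA, length 8 */
    0xaa,0xaa,0x03,0,0,0, 0x08,0x00, 0,0,             /* payload + padding */
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x00,0x08,
    0xaa,0xaa,0x03,0,0,0, 0x08,0x00,
};
/* Constructed sample: a plain MSDU whose LLC/SNAP header sits in the DA slot. */
static const uint8_t sample_flagged[] = {
    0xaa,0xaa,0x03,0,0,0, 0x08,0x00,0x45,0,0,0x1c, 0x00,0x04, 1,2,3,4,
};

/* Hypothetical helper: walk an A-MSDU payload laid out as DA[6] SA[6]
 * length[2, big endian] data, with padding to 4 bytes between subframes.
 * Returns the subframe count, or -1 if the complete A-MSDU must be dropped. */
static int amsdu_validate(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        if (len - off < 14)
            return -1;                  /* truncated subframe header */
        if (memcmp(buf + off, rfc1042_header, sizeof(rfc1042_header)) == 0)
            return -1;                  /* DA equals an RFC1042 header */
        size_t msdu_len = ((size_t)buf[off + 12] << 8) | buf[off + 13];
        if (msdu_len > len - off - 14)
            return -1;                  /* length field runs past the buffer */
        off += 14 + msdu_len;
        count++;
        if (off < len)
            off += (4 - (off & 3)) & 3; /* skip inter-subframe padding */
    }
    return count;
}

int main(void)
{
    printf("ok: %d\n", amsdu_validate(sample_ok, sizeof(sample_ok)));
    printf("flagged: %d\n", amsdu_validate(sample_flagged, sizeof(sample_flagged)));
    return 0;
}
```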