On 7/17/21 19:55, Mathy Vanhoef wrote:
> On 7/16/21 11:11 AM, Zheng Yejian wrote:
>> In v4.4, commit e76511a6fbb5 ("mac80211: properly handle A-MSDUs that
>> start with an RFC 1042 header") looks like an incomplete backport.
>>
>> There are no functional changes in the commit, since
>> __ieee80211_data_to_8023(), which is defined in net/wireless/util.c, is
>> only called by ieee80211_data_to_8023() and the parameter 'is_amsdu' is
>> always passed as false.
>
> I don't think there's a problem here. The core commit that prevents the
> A-MSDU attack is "[PATCH 04/18] cfg80211: mitigate A-MSDU aggregation
> attacks":
> https://lore.kernel.org/linux-wireless/20210511200110.25d93176ddaf.I9e265b597f2cd23eb44573f35b625947b386a9de@changeid/
>
> That commit states: "for kernel 4.9 and above this patch depends on
> "mac80211: properly handle A-MSDUs that start with a rfc1042 header".
> Otherwise this patch has no impact and attacks will remain possible."
>
> Put differently, when patching v4.4 there was in fact no need to
> backport the patch that we're discussing here. So it makes sense that
> the "backported" patch causes no functional changes.
>
> Section 3.6 of https://papers.mathyvanhoef.com/usenix2021.pdf briefly
> discusses the wrong behavior of Linux 4.9+ that this patch tries to fix:
> "Linux 4.9 and above ... strip away the first 8 bytes of an A-MSDU frame
> if these bytes look like a valid LLC/SNAP header, and then further
> process the frame. This behavior is not compliant with the 802.11 standard."

How about Linux below 4.9: is it compliant with the 802.11 standard or not?
Would it need additional patches to mitigate the aggregation attack?
I know little about the 802.11 standard, sorry for that : (

> That said, I didn't yet run the test tool against a patched 4.4 kernel,
> so I hope my understanding of this code in this version is correct.
>
> Best regards,
> Mathy

Thanks,
Zheng Yejian
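As an added illustration (not code from this thread or from the kernel), the following minimal A-MSDU subframe parser shows the shape of the mitigation Mathy points to: instead of stripping a leading LLC/SNAP-looking header and continuing, it rejects the whole A-MSDU when the first subframe's destination-address field matches the RFC 1042 prefix. The subframe layout (DA, SA, 16-bit length, payload, 4-byte padding between subframes), the constructed sample frames and the exact form of the check are assumptions drawn from the 802.11 A-MSDU format and the thread's description, not from cfg80211's source.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* First six bytes of an RFC 1042 LLC/SNAP header (the remaining two
 * bytes of the 8-byte header carry the EtherType). */
static const uint8_t RFC1042_PREFIX[6] = { 0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00 };

struct amsdu_subframe { const uint8_t *payload; uint16_t len; };

/* Parse an A-MSDU into subframes. Returns the subframe count, or -1 when
 * the frame is truncated or when the first subframe's DA field looks like
 * an RFC 1042 header: such a frame is dropped whole (assumed mitigation
 * behaviour) rather than having its first 8 bytes stripped. */
int amsdu_parse(const uint8_t *buf, size_t buflen,
                struct amsdu_subframe *out, int max_out)
{
    size_t off = 0;
    int n = 0;
    while (off + 14 <= buflen && n < max_out) {
        const uint8_t *hdr = buf + off;
        uint16_t len = (uint16_t)((hdr[12] << 8) | hdr[13]);
        if (n == 0 && memcmp(hdr, RFC1042_PREFIX, sizeof RFC1042_PREFIX) == 0)
            return -1;                       /* reject, do not re-interpret */
        if (off + 14 + len > buflen)
            return -1;                       /* subframe runs past the buffer */
        out[n].payload = hdr + 14;
        out[n].len = len;
        n++;
        off = (off + 14 + len + 3) & ~(size_t)3; /* pad to 4; last one just ends */
    }
    return n;
}

/* Constructed sample: two benign subframes, payloads "abc" and "de". */
static const uint8_t BENIGN[] = {
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x00,0x03, 'a','b','c', 0,0,0,
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x00,0x02, 'd','e'
};
/* Constructed sample: the DA field carries the RFC 1042 prefix. */
static const uint8_t LLC_FIRST[] = {
    0xAA,0xAA,0x03,0,0,0, 0x02,0,0,0,0,0x02, 0x00,0x06, 1,2,3,4,5,6
};

int demo_benign(void)    { struct amsdu_subframe s[4]; return amsdu_parse(BENIGN, sizeof BENIGN, s, 4); }
int demo_llc_first(void) { struct amsdu_subframe s[4]; return amsdu_parse(LLC_FIRST, sizeof LLC_FIRST, s, 4); }
int demo_truncated(void) { struct amsdu_subframe s[4]; return amsdu_parse(BENIGN, sizeof BENIGN - 1, s, 4); }

int main(void)
{
    printf("benign=%d llc_first=%d truncated=%d\n",
           demo_benign(), demo_llc_first(), demo_truncated());
    return 0;
}
```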