LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Jouni Malinen <jouni@codeaurora.org>,
	Johannes Berg <johannes@sipsolutions.net>,
	"David S. Miller" <davem@davemloft.net>,
	Ben Hutchings <ben.hutchings@codethink.co.uk>
Subject: [PATCH 4.19 07/84] mac80211: Do not send Layer 2 Update frame before authorization
Date: Fri, 17 Jan 2020 00:17:41 +0100	[thread overview]
Message-ID: <20200116231714.356117806@linuxfoundation.org> (raw)
In-Reply-To: <20200116231713.087649517@linuxfoundation.org>

From: Jouni Malinen <jouni@codeaurora.org>

commit 3e493173b7841259a08c5c8e5cbe90adb349da7e upstream.

The Layer 2 Update frame is used to update bridges when a station roams
to another AP even if that STA does not transmit any frames after the
reassociation. This behavior was described in IEEE Std 802.11F-2003 as
something that would happen based on MLME-ASSOCIATE.indication, i.e.,
before completing 4-way handshake. However, this IEEE trial-use
recommended practice document was published before RSN (IEEE Std
802.11i-2004) and as such, did not consider RSN use cases. Furthermore,
IEEE Std 802.11F-2003 was withdrawn in 2006 and as such, has not been
maintained amd should not be used anymore.

Sending out the Layer 2 Update frame immediately after association is
fine for open networks (and also when using SAE, FT protocol, or FILS
authentication when the station is actually authenticated by the time
association completes). However, it is not appropriate for cases where
RSN is used with PSK or EAP authentication since the station is actually
fully authenticated only once the 4-way handshake completes after
authentication and attackers might be able to use the unauthenticated
triggering of Layer 2 Update frame transmission to disrupt bridge
behavior.

Fix this by postponing transmission of the Layer 2 Update frame from
station entry addition to the point when the station entry is marked
authorized. Similarly, send out the VLAN binding update only if the STA
entry has already been authorized.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/cfg.c      |   14 ++++----------
 net/mac80211/sta_info.c |    4 ++++
 2 files changed, 8 insertions(+), 10 deletions(-)

--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1410,7 +1410,6 @@ static int ieee80211_add_station(struct
 	struct sta_info *sta;
 	struct ieee80211_sub_if_data *sdata;
 	int err;
-	int layer2_update;
 
 	if (params->vlan) {
 		sdata = IEEE80211_DEV_TO_SUB_IF(params->vlan);
@@ -1454,18 +1453,12 @@ static int ieee80211_add_station(struct
 	    test_sta_flag(sta, WLAN_STA_ASSOC))
 		rate_control_rate_init(sta);
 
-	layer2_update = sdata->vif.type == NL80211_IFTYPE_AP_VLAN ||
-		sdata->vif.type == NL80211_IFTYPE_AP;
-
 	err = sta_info_insert_rcu(sta);
 	if (err) {
 		rcu_read_unlock();
 		return err;
 	}
 
-	if (layer2_update)
-		cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr);
-
 	rcu_read_unlock();
 
 	return 0;
@@ -1563,10 +1556,11 @@ static int ieee80211_change_station(stru
 		sta->sdata = vlansdata;
 		ieee80211_check_fast_xmit(sta);
 
-		if (test_sta_flag(sta, WLAN_STA_AUTHORIZED))
+		if (test_sta_flag(sta, WLAN_STA_AUTHORIZED)) {
 			ieee80211_vif_inc_num_mcast(sta->sdata);
-
-		cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr);
+			cfg80211_send_layer2_update(sta->sdata->dev,
+						    sta->sta.addr);
+		}
 	}
 
 	err = sta_apply_parameters(local, sta, params);
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -1906,6 +1906,10 @@ int sta_info_move_state(struct sta_info
 			ieee80211_check_fast_xmit(sta);
 			ieee80211_check_fast_rx(sta);
 		}
+		if (sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN ||
+		    sta->sdata->vif.type == NL80211_IFTYPE_AP)
+			cfg80211_send_layer2_update(sta->sdata->dev,
+						    sta->sta.addr);
 		break;
 	default:
 		break;



  parent reply	other threads:[~2020-01-16 23:28 UTC|newest]

Thread overview: 89+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-16 23:17 [PATCH 4.19 00/84] 4.19.97-stable review Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 01/84] hidraw: Return EPOLLOUT from hidraw_poll Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 02/84] HID: hidraw: Fix returning " Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 03/84] HID: hidraw, uhid: Always report EPOLLOUT Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 04/84] ethtool: reduce stack usage with clang Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 05/84] fs/select: avoid clang stack usage warning Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 06/84] cfg80211/mac80211: make ieee80211_send_layer2_update a public function Greg Kroah-Hartman
2020-01-16 23:17 ` Greg Kroah-Hartman [this message]
2020-01-16 23:17 ` [PATCH 4.19 08/84] f2fs: Move err variable to function scope in f2fs_fill_dentries() Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 09/84] f2fs: check memory boundary by insane namelen Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 10/84] f2fs: check if file namelen exceeds max value Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 11/84] media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 12/84] iwlwifi: dbg_ini: fix memory leak in alloc_sgtable Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 13/84] iwlwifi: pcie: fix memory leaks in iwl_pcie_ctxt_info_gen3_init Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 14/84] RDMA: Fix goto target to release the allocated memory Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 15/84] dccp: Fix memleak in __feat_register_sp Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 16/84] drm/i915: Fix use-after-free when destroying GEM context Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 17/84] rtc: mt6397: fix alarm register overwrite Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 18/84] RDMA/bnxt_re: Avoid freeing MR resources if dereg fails Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 19/84] RDMA/bnxt_re: Fix Send Work Entry state check while polling completions Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 20/84] ASoC: soc-core: Set dpcm_playback / dpcm_capture Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 21/84] ASoC: stm32: spdifrx: fix inconsistent lock state Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 22/84] ASoC: stm32: spdifrx: fix race condition in irq handler Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 23/84] mtd: onenand: omap2: Pass correct flags for prep_dma_memcpy Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 24/84] gpio: zynq: Fix for bug in zynq_gpio_restore_context API Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 25/84] iommu: Remove device link to group on failure Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 26/84] gpio: Fix error message on out-of-range GPIO in lookup table Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 27/84] hsr: reset network header when supervision frame is created Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 28/84] s390/qeth: fix false reporting of VNIC CHAR config failure Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 29/84] s390/qeth: Fix vnicc_is_in_use if rx_bcast not set Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 30/84] cifs: Adjust indentation in smb2_open_file Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 31/84] afs: Fix missing cell comparison in afs_test_super() Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 32/84] drm/ttm: fix start page for huge page check in ttm_put_pages() Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 33/84] drm/ttm: fix incrementing the page pointer for huge pages Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 34/84] btrfs: simplify inode locking for RWF_NOWAIT Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 35/84] RDMA/mlx5: Return proper error value Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 36/84] RDMA/srpt: Report the SCSI residual to the initiator Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 37/84] scsi: enclosure: Fix stale device oops with hot replug Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 38/84] scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 39/84] platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 40/84] platform/x86: GPD pocket fan: Use default values when wrong modparams are given Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 41/84] xprtrdma: Fix completion wait during device removal Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 42/84] crypto: virtio - implement missing support for output IVs Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 43/84] NFSv2: Fix a typo in encode_sattr() Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 44/84] NFSv4.x: Drop the slot if nfs4_delegreturn_prepare waits for layoutreturn Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 45/84] iio: imu: adis16480: assign bias value only if operation succeeded Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 46/84] mei: fix modalias documentation Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 47/84] clk: samsung: exynos5420: Preserve CPU clocks configuration during suspend/resume Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 48/84] pinctl: ti: iodelay: fix error checking on pinctrl_count_index_with_args call Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 49/84] pinctrl: lewisburg: Update pin list according to v1.1v6 Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 50/84] scsi: sd: enable compat ioctls for sed-opal Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 51/84] arm64: dts: apq8096-db820c: Increase load on l21 for SDCARD Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 52/84] af_unix: add compat_ioctl support Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 53/84] compat_ioctl: handle SIOCOUTQNSD Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 54/84] PCI: dwc: Fix find_next_bit() usage Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 55/84] PCI/PTM: Remove spurious "d" from granularity message Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 56/84] powerpc/powernv: Disable native PCIe port management Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 57/84] tty: serial: imx: use the sg count from dma_map_sg Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 58/84] tty: serial: pch_uart: correct usage of dma_unmap_sg Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 59/84] media: ov6650: Fix incorrect use of JPEG colorspace Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 60/84] media: ov6650: Fix some format attributes not under control Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 61/84] media: ov6650: Fix .get_fmt() V4L2_SUBDEV_FORMAT_TRY support Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 62/84] media: rcar-vin: Fix incorrect return statement in rvin_try_format() Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 63/84] media: v4l: cadence: Fix how unsued lanes are handled in csi2rx_start() Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 64/84] media: exynos4-is: Fix recursive locking in isp_video_release() Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 65/84] iommu/mediatek: Correct the flush_iotlb_all callback Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 66/84] mtd: spi-nor: fix silent truncation in spi_nor_read() Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 67/84] mtd: spi-nor: fix silent truncation in spi_nor_read_raw() Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 68/84] spi: atmel: fix handling of cs_change set on non-last xfer Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 69/84] rtlwifi: Remove unnecessary NULL check in rtl_regd_init Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 70/84] f2fs: fix potential overflow Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 71/84] rtc: msm6242: Fix reading of 10-hour digit Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 72/84] rtc: brcmstb-waketimer: add missed clk_disable_unprepare Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 73/84] gpio: mpc8xxx: Add platform device to gpiochip->parent Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 74/84] scsi: libcxgbi: fix NULL pointer dereference in cxgbi_device_destroy() Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 75/84] selftests: firmware: Fix it to do root uid check and skip Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 76/84] rseq/selftests: Turn off timeout setting Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 77/84] mips: cacheinfo: report shared CPU map Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 78/84] MIPS: Prevent link failure with kcov instrumentation Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 79/84] drm/arm/mali: make malidp_mw_connector_helper_funcs static Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 80/84] dmaengine: k3dma: Avoid null pointer traversal Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 81/84] ioat: ioat_alloc_ring() failure handling Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 82/84] hexagon: parenthesize registers in asm predicates Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 83/84] hexagon: work around compiler crash Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 84/84] ocfs2: call journal flush to mark journal as empty after journal recovery when mount Greg Kroah-Hartman
2020-01-17 13:20 ` [PATCH 4.19 00/84] 4.19.97-stable review Jon Hunter
2020-01-17 14:18 ` Naresh Kamboju
2020-01-17 16:01 ` Guenter Roeck
2020-01-17 16:06 ` shuah

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200116231714.356117806@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=ben.hutchings@codethink.co.uk \
    --cc=davem@davemloft.net \
    --cc=johannes@sipsolutions.net \
    --cc=jouni@codeaurora.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --subject='Re: [PATCH 4.19 07/84] mac80211: Do not send Layer 2 Update frame before authorization' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).