3018e947d7
AP/AP_VLAN modes don't accept any real 802.11 multicast data frames, but since they do need to accept broadcast management frames the same is currently permitted for data frames. This opens a security problem because such frames would be decrypted with the GTK, and could even contain unicast L3 frames. Since the spec says that ToDS frames must always have the BSSID as the RA (addr1), reject any other data frames. The problem was originally reported in "Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys" at usenix https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/vanhoef and brought to my attention by Jouni. Cc: stable@vger.kernel.org Reported-by: Jouni Malinen <j@w1.fi> Signed-off-by: Johannes Berg <johannes.berg@intel.com> -- Dave, I didn't want to send you a new pull request for a single commit yet again - can you apply this one patch as is? Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|---|---|---|
| .. | ||
| Kconfig | ||
| Makefile | ||
| aes_ccm.c | ||
| aes_ccm.h | ||
| aes_cmac.c | ||
| aes_cmac.h | ||
| aes_gcm.c | ||
| aes_gcm.h | ||
| aes_gmac.c | ||
| aes_gmac.h | ||
| agg-rx.c | ||
| agg-tx.c | ||
| cfg.c | ||
| chan.c | ||
| debug.h | ||
| debugfs.c | ||
| debugfs.h | ||
| debugfs_key.c | ||
| debugfs_key.h | ||
| debugfs_netdev.c | ||
| debugfs_netdev.h | ||
| debugfs_sta.c | ||
| debugfs_sta.h | ||
| driver-ops.c | ||
| driver-ops.h | ||
| ethtool.c | ||
| fils_aead.c | ||
| fils_aead.h | ||
| ht.c | ||
| ibss.c | ||
| ieee80211_i.h | ||
| iface.c | ||
| key.c | ||
| key.h | ||
| led.c | ||
| led.h | ||
| main.c | ||
| mesh.c | ||
| mesh.h | ||
| mesh_hwmp.c | ||
| mesh_pathtbl.c | ||
| mesh_plink.c | ||
| mesh_ps.c | ||
| mesh_sync.c | ||
| michael.c | ||
| michael.h | ||
| mlme.c | ||
| ocb.c | ||
| offchannel.c | ||
| pm.c | ||
| rate.c | ||
| rate.h | ||
| rc80211_minstrel.c | ||
| rc80211_minstrel.h | ||
| rc80211_minstrel_debugfs.c | ||
| rc80211_minstrel_ht.c | ||
| rc80211_minstrel_ht.h | ||
| rc80211_minstrel_ht_debugfs.c | ||
| rx.c | ||
| scan.c | ||
| spectmgmt.c | ||
| sta_info.c | ||
| sta_info.h | ||
| status.c | ||
| tdls.c | ||
| tkip.c | ||
| tkip.h | ||
| trace.c | ||
| trace.h | ||
| trace_msg.h | ||
| tx.c | ||
| util.c | ||
| vht.c | ||
| wep.c | ||
| wep.h | ||
| wme.c | ||
| wme.h | ||
| wpa.c | ||
| wpa.h | ||