lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <20190911.155955.1215273750491589577.davem@davemloft.net>
Date:   Wed, 11 Sep 2019 15:59:55 +0200 (CEST)
From:   David Miller <davem@...emloft.net>
To:     johannes@...solutions.net
Cc:     jouni@...eaurora.org, linux-wireless@...r.kernel.org,
        netdev@...r.kernel.org
Subject: Re: [PATCH] mac80211: Do not send Layer 2 Update frame before
 authorization

From: Johannes Berg <johannes@...solutions.net>
Date: Wed, 11 Sep 2019 15:06:03 +0200

> On Wed, 2019-09-11 at 16:03 +0300, Jouni Malinen wrote:
>> The Layer 2 Update frame is used to update bridges when a station roams
>> to another AP even if that STA does not transmit any frames after the
>> reassociation. This behavior was described in IEEE Std 802.11F-2003 as
>> something that would happen based on MLME-ASSOCIATE.indication, i.e.,
>> before completing 4-way handshake. However, this IEEE trial-use
>> recommended practice document was published before RSN (IEEE Std
>> 802.11i-2004) and as such, did not consider RSN use cases. Furthermore,
>> IEEE Std 802.11F-2003 was withdrawn in 2006 and as such, has not been
>> maintained amd should not be used anymore.
>> 
>> Sending out the Layer 2 Update frame immediately after association is
>> fine for open networks (and also when using SAE, FT protocol, or FILS
>> authentication when the station is actually authenticated by the time
>> association completes). However, it is not appropriate for cases where
>> RSN is used with PSK or EAP authentication since the station is actually
>> fully authenticated only once the 4-way handshake completes after
>> authentication and attackers might be able to use the unauthenticated
>> triggering of Layer 2 Update frame transmission to disrupt bridge
>> behavior.
>> 
>> Fix this by postponing transmission of the Layer 2 Update frame from
>> station entry addition to the point when the station entry is marked
>> authorized. Similarly, send out the VLAN binding update only if the STA
>> entry has already been authorized.
> 
> Reviewed-by: Johannes Berg <johannes@...solutions.net>
> 
> Dave, if you were still planning to send a pull request to Linus before
> he closes the tree on Sunday this would be good to include (and we
> should also backport it to stable later).
> 
> If not, I can pick it up afterwards, let me know.

Ok I applied this directly, thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ