AP: Silently ignore management frame from unexpected source address

Do not process any received Management frames with unexpected/invalid SA
so that we do not add any state for unexpected STA addresses or end up
sending out frames to unexpected destination. This prevents unexpected
sequences where an unprotected frame might end up causing the AP to send
out a response to another device and that other device processing the
unexpected response.

In particular, this prevents some potential denial of service cases
where the unexpected response frame from the AP might result in a
connected station dropping its association.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
index c855cd92f420bcfdeb9d113148a1261d1b76fa1c..57c14347d8af9b4399e77ee73788e1ed6726007c 100644 (file)
--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
@@ -129,6 +129,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
                           "hostapd_notif_assoc: Skip event with no address");
                return -1;
        }
+
+       if (is_multicast_ether_addr(addr) ||
+           is_zero_ether_addr(addr) ||
+           os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
+               /* Do not process any frames with unexpected/invalid SA so that
+                * we do not add any state for unexpected STA addresses or end
+                * up sending out frames to unexpected destination. */
+               wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
+                          " in received indication - ignore this indication silently",
+                          __func__, MAC2STR(addr));
+               return 0;
+       }
+
        random_add_randomness(addr, ETH_ALEN);
 
        hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index fed371db3359141f2f23f237733b8914f758fab0..2c43ab1ab1f892aa0447e4fe7ef88386cfbc7169 100644 (file)
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -4613,6 +4613,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
        fc = le_to_host16(mgmt->frame_control);
        stype = WLAN_FC_GET_STYPE(fc);
 
+       if (is_multicast_ether_addr(mgmt->sa) ||
+           is_zero_ether_addr(mgmt->sa) ||
+           os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
+               /* Do not process any frames with unexpected/invalid SA so that
+                * we do not add any state for unexpected STA addresses or end
+                * up sending out frames to unexpected destination. */
+               wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
+                          " in received frame - ignore this frame silently",
+                          MAC2STR(mgmt->sa));
+               return 0;
+       }
+
        if (stype == WLAN_FC_STYPE_BEACON) {
                handle_beacon(hapd, mgmt, len, fi);
                return 1;