Ignore group-addressed SA Query frames

These frames are used for verifying that a specific SA and protected
link is in functional state between two devices. The IEEE 802.11
standard defines only a case that uses individual MAC address as the
destination. While there is no explicit rule on the receiver to ignore
other cases, it seems safer to make sure group-addressed frames do not
end up resulting in undesired behavior. As such, drop such frames
instead of interpreting them as valid SA Query Request/Response.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

diff --git a/src/ap/ieee802_11_shared.c b/src/ap/ieee802_11_shared.c
index a429b5dd484934b49a87d74eda94d05593e2c40e..d0074f6ba220302b83d65b3c07255c7b97bb85cd 100644 (file)
--- a/src/ap/ieee802_11_shared.c
+++ b/src/ap/ieee802_11_shared.c
@@ -241,6 +241,12 @@ void ieee802_11_sa_query_action(struct hostapd_data *hapd,
                           (unsigned long) len);
                return;
        }
+       if (is_multicast_ether_addr(mgmt->da)) {
+               wpa_printf(MSG_DEBUG,
+                          "IEEE 802.11: Ignore group-addressed SA Query frame (A1=" MACSTR " A2=" MACSTR ")",
+                          MAC2STR(mgmt->da), MAC2STR(mgmt->sa));
+               return;
+       }
 
        sta = ap_get_sta(hapd, sa);
 

diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 9abb197a1a391aee8e40af074ffaacbbd21d3e0a..5e73ab406d020454321e53a0563458d1307a06bb 100644 (file)
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -4165,7 +4165,7 @@ static void wpas_event_rx_mgmt_action(struct wpa_supplicant *wpa_s,
 
 #ifdef CONFIG_SME
        if (category == WLAN_ACTION_SA_QUERY) {
-               sme_sa_query_rx(wpa_s, mgmt->sa, payload, plen);
+               sme_sa_query_rx(wpa_s, mgmt->da, mgmt->sa, payload, plen);
                return;
        }
 #endif /* CONFIG_SME */

diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
index c6cef5b1447565bbeb14dd26b79313a2d89f3fc8..522c8297f7e445c92ead09bc0cf43ebf32ce650f 100644 (file)
--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
@@ -2883,11 +2883,17 @@ static void sme_process_sa_query_response(struct wpa_supplicant *wpa_s,
 }
 
 
-void sme_sa_query_rx(struct wpa_supplicant *wpa_s, const u8 *sa,
+void sme_sa_query_rx(struct wpa_supplicant *wpa_s, const u8 *da, const u8 *sa,
                     const u8 *data, size_t len)
 {
        if (len < 1 + WLAN_SA_QUERY_TR_ID_LEN)
                return;
+       if (is_multicast_ether_addr(da)) {
+               wpa_printf(MSG_DEBUG,
+                          "IEEE 802.11: Ignore group-addressed SA Query frame (A1=" MACSTR " A2=" MACSTR ")",
+                          MAC2STR(da), MAC2STR(sa));
+               return;
+       }
 
        wpa_dbg(wpa_s, MSG_DEBUG, "SME: Received SA Query frame from "
                MACSTR " (trans_id %02x%02x)", MAC2STR(sa), data[1], data[2]);

diff --git a/wpa_supplicant/sme.h b/wpa_supplicant/sme.h
index 42d5a8317c7864570e9c53a5dca5e0b22253c614..ecbc16dacd9d0948c8e183fc39bddf4b33b4aa69 100644 (file)
--- a/wpa_supplicant/sme.h
+++ b/wpa_supplicant/sme.h
@@ -29,7 +29,7 @@ void sme_event_disassoc(struct wpa_supplicant *wpa_s,
 void sme_event_unprot_disconnect(struct wpa_supplicant *wpa_s, const u8 *sa,
                                 const u8 *da, u16 reason_code);
 void sme_event_ch_switch(struct wpa_supplicant *wpa_s);
-void sme_sa_query_rx(struct wpa_supplicant *wpa_s, const u8 *sa,
+void sme_sa_query_rx(struct wpa_supplicant *wpa_s, const u8 *da, const u8 *sa,
                     const u8 *data, size_t len);
 void sme_state_changed(struct wpa_supplicant *wpa_s);
 void sme_disassoc_while_authenticating(struct wpa_supplicant *wpa_s,