From: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
Date: Fri, 23 May 2025 12:37:06 +0000 (+0300)
Subject: Discard unrecognized Action frames without returning them
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b5ce29ac218cd6ccddcd7a81dc5d2835379bcd75;p=thirdparty%2Fhostap.git

Discard unrecognized Action frames without returning them

IEEE Std 802.11-2024 changed this behavior in 10.28.4 (Response to an
invalid Action and Action No Ack frame) to discard the received frame
without returning it to the source with the MSB set to 1, so update
implementation to match by removing the case that would have returned
the unrecognized frame.

This had previously been modified to avoid potential security
vulnerabilties by discarding the case when an SA was in place, but the
REVme update went beyond that and completely removed this behavior of
returning the frame with MSB set to 1 since no clear use for that could
be identified.

Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
---

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 47375abba..ef5b4d243 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -6487,33 +6487,6 @@ static int handle_action(struct hostapd_data *hapd,
 		       "handle_action - unknown action category %d or invalid "
 		       "frame",
 		       mgmt->u.action.category);
-	if (!is_multicast_ether_addr(mgmt->da) &&
-	    !(mgmt->u.action.category & 0x80) &&
-	    !is_multicast_ether_addr(mgmt->sa)) {
-		struct ieee80211_mgmt *resp;
-
-		/*
-		 * IEEE Std 802.11-2020, 10.28.4 (Response to an invalid Action
-		 * and Action No Ack frame)
-		 * Return the Action frame to the source without change
-		 * except that MSB of the Category set to 1.
-		 */
-		wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action "
-			   "frame back to sender");
-		resp = os_memdup(mgmt, len);
-		if (resp == NULL)
-			return 0;
-		os_memcpy(resp->da, resp->sa, ETH_ALEN);
-		os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN);
-		os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN);
-		resp->u.action.category |= 0x80;
-
-		if (hostapd_drv_send_mlme(hapd, resp, len, 0, NULL, 0, 0) < 0) {
-			wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send "
-				   "Action frame");
-		}
-		os_free(resp);
-	}
 
 	return 1;
 }