On 7/16/21 11:11 AM, Zheng Yejian wrote:
> In v4.4, commit e76511a6fbb5 ("mac80211: properly handle A-MSDUs that start with an RFC 1042 header") looks like an incomplete backport.
> There are no functional changes in the commit, since __ieee80211_data_to_8023(), which is defined in net/wireless/util.c, is only called by ieee80211_data_to_8023() and the parameter 'is_amsdu' is always passed as false.
I don't think there's a problem here. The core commit that prevents the A-MSDU attack is "[PATCH 04/18] cfg80211: mitigate A-MSDU aggregation attacks": https://lore.kernel.org/linux-wireless/20210511200110.25d93176ddaf.I9e265b59...
That commit states: "for kernel 4.9 and above this patch depends on "mac80211: properly handle A-MSDUs that start with a rfc1042 header". Otherwise this patch has no impact and attacks will remain possible."
Put differently, when patching v4.4 there was in fact no need to backport the patch that we're discussing here. So it makes sense that the "backported" patch causes no functional changes.
Section 3.6 of https://papers.mathyvanhoef.com/usenix2021.pdf briefly discusses the wrong behavior of Linux 4.9+ that this patch tries to fix: "Linux 4.9 and above .. strip away the first 8 bytes of an A-MSDU frame if these bytes look like a valid LLC/SNAP header, and then further process the frame. This behavior is not compliant with the 802.11 standard."
That said, I didn't yet run the test tool against a patched 4.4 kernel, so I hope my understanding of this code in this version is correct.
Best regards, Mathy