Date: Mon, 24 May 2021 13:12:58 +0000 From: bugzilla-noreply@freebsd.org To: wireless@FreeBSD.org Subject: [Bug 256118] [net80211] [patch]: reject mixed plaintext/encrypted fragments Message-ID: <bug-256118-21060@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D256118 Bug ID: 256118 Summary: [net80211] [patch]: reject mixed plaintext/encrypted fragments Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: wireless Assignee: wireless@FreeBSD.org Reporter: mathy.vanhoef@cs.kuleuven.be Created attachment 225220 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D225220&action= =3Dedit patch: git diff file FreeBSD accepts fragmented 802.11 frames in a protected Wi-Fi network even = when some of the fragments were not encrypted. This corresponds to CVE-2020-2614= 7 of the "FragAttacks" research. For background see Section 6.3 in https://papers.mathyvanhoef.com/usenix2021.pdf This vulnerability can be reproduced using the FragAttack test tool at https://github.com/vanhoefm/fragattacks with the test case "ping I,P,E" and= /or "ping I,P,E" (the transmitted ping request should be rejected by the kernel= ). The attached patches fixes this vulnerability. It was tested using a Belkin F5D8053 (run driver) in client mode. I'm not sure if I'm using the best way= to track whether a fragment was encrypted, but it gets the job done with a low number of code changes. FYI: I've submitted a similar patch to NetBSD: https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=3D56204 --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-256118-21060>