From patchwork Tue Dec 19 16:04:01 2017
X-Patchwork-Submitter: "d. caratti"
X-Patchwork-Id: 850918
From: Davide Caratti
To: hostap@lists.infradead.org
Subject: [PATCH] wpa_supplicant: don't reply to EAPOL if pkt_type is PACKET_OTHERHOST
Date: Tue, 19 Dec 2017 17:04:01 +0100
X-Mailer: git-send-email 2.13.6

When wpa_supplicant is running on a Linux interface that is configured in
promiscuous mode, and it is not a member of a bridge, incoming EAPOL packets
are processed regardless of the Destination Address in the frame. As a
consequence, there are situations where wpa_supplicant replies to EAPOL
packets that are not destined for it.
This behavior seems undesired (see IEEE Std 802.1X-2010, 11.4.a), and can be avoided by attaching a BPF filter that lets the kernel discard packets having pkt_type equal to PACKET_OTHERHOST. Signed-off-by: Davide Caratti --- src/l2_packet/l2_packet.h | 1 + src/l2_packet/l2_packet_linux.c | 22 ++++++++++++++++++++++ wpa_supplicant/wpa_supplicant.c | 5 +++++ 3 files changed, 28 insertions(+) diff --git a/src/l2_packet/l2_packet.h b/src/l2_packet/l2_packet.h index 2a4524582..53871774b 100644 --- a/src/l2_packet/l2_packet.h +++ b/src/l2_packet/l2_packet.h @@ -42,6 +42,7 @@ struct l2_ethhdr { enum l2_packet_filter_type { L2_PACKET_FILTER_DHCP, L2_PACKET_FILTER_NDISC, + L2_PACKET_FILTER_PKTTYPE, }; /** diff --git a/src/l2_packet/l2_packet_linux.c b/src/l2_packet/l2_packet_linux.c index 65b490679..b155bd673 100644 --- a/src/l2_packet/l2_packet_linux.c +++ b/src/l2_packet/l2_packet_linux.c @@ -84,6 +84,25 @@ static const struct sock_fprog ndisc_sock_filter = { .filter = ndisc_sock_filter_insns, }; +/* drop packet if skb->pkt_type is PACKET_OTHERHOST (0x03). Generated by: + * $ bpfc - << -EOF + * > ldb #type + * > jeq #0x03, drop + * > pass: ret #-1 + * > drop: ret #0 + * > -EOF + */ +static struct sock_filter pkt_type_filter_insns[] = { + { 0x30, 0, 0, 0xfffff004 }, + { 0x15, 1, 0, 0x00000003 }, + { 0x6, 0, 0, 0xffffffff }, + { 0x6, 0, 0, 0x00000000 }, +}; + +static const struct sock_fprog pkt_type_sock_filter = { + .len = ARRAY_SIZE(pkt_type_filter_insns), + .filter = pkt_type_filter_insns, +}; int l2_packet_get_own_addr(struct l2_packet_data *l2, u8 *addr) { @@ -471,6 +490,9 @@ int l2_packet_set_packet_filter(struct l2_packet_data *l2, case L2_PACKET_FILTER_NDISC: sock_filter = &ndisc_sock_filter; break; + case L2_PACKET_FILTER_PKTTYPE: + sock_filter = &pkt_type_sock_filter; + break; default: return -1; } diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index 984fe02f7..74b4c56d5 100644 --- a/wpa_supplicant/wpa_supplicant.c 
+++ b/wpa_supplicant/wpa_supplicant.c @@ -3962,6 +3962,11 @@ int wpa_supplicant_update_mac_addr(struct wpa_supplicant *wpa_s) wpa_supplicant_rx_eapol, wpa_s, 0); if (wpa_s->l2 == NULL) return -1; + + if (l2_packet_set_packet_filter(wpa_s->l2, + L2_PACKET_FILTER_PKTTYPE)) + wpa_msg(wpa_s, MSG_DEBUG, + "Failed to attach pkt_type filter"); } else { const u8 *addr = wpa_drv_get_mac_addr(wpa_s); if (addr)
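Review bot: In the src/l2_packet/l2_packet.h hunk, the new L2_PACKET_FILTER_PKTTYPE enumerator is undocumented and its name does not say which packet types are filtered. The two existing values are named after a protocol (DHCP, NDISC), while this one is named after the field it tests. Suggest a one-line comment stating that it makes the kernel drop frames whose pkt_type is PACKET_OTHERHOST, or a name that says so.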
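Review bot: In the first src/l2_packet/l2_packet_linux.c hunk, pkt_type_filter_insns is written as raw opcodes and magic numbers ({ 0x30, 0, 0, 0xfffff004 } and { 0x15, 1, 0, 0x00000003 }), so a reader cannot check the table against the comment without re-running bpfc. 0xfffff004 is SKF_AD_OFF + SKF_AD_PKTTYPE and 0x00000003 is PACKET_OTHERHOST; writing the instructions with BPF_STMT() and BPF_JUMP() from <linux/filter.h> and those symbolic names would make the filter self-documenting. The comment could also say that the ancillary pkt_type load is a Linux socket-filter extension, since that is what ties this filter to the Linux backend.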
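Review bot: In the wpa_supplicant/wpa_supplicant.c hunk, a failed l2_packet_set_packet_filter() is reported only at MSG_DEBUG and execution carries on, so unless debug logging is enabled the supplicant silently keeps the behaviour this patch is meant to remove. Since the filter is the whole fix, log the failure at a level an operator will see (MSG_INFO or higher), or add a comment saying the filter is best-effort and why continuing without it is acceptable. The multi-line body of the if would also read better with braces.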