
eapol: ignore response in workaround mode

Message ID 20220824055744.19906-1-wangxinpeng@uniontech.com
State Changes Requested

Commit Message

xinpeng wang Aug. 24, 2022, 5:57 a.m. UTC
During eap authentication, the supplier sends the response to the address
01:80:c2:00:00:03, the PAE group address.
Some switches will broadcast messages sent to this address, which will
cause the devices under the same switch to receive these response packets,
which will cause the device's eap state machine to migrate incorrectly,
resulting in repeated authentication or slow authentication.

Signed-off-by: xinpeng wang <wangxinpeng@uniontech.com>
---
 src/eapol_supp/eapol_supp_sm.c | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Jouni Malinen Nov. 27, 2022, 5:26 p.m. UTC | #1
On Wed, Aug 24, 2022 at 01:57:44PM +0800, xinpeng wang wrote:
> During eap authentication, the supplier sends the response to the address
> 01:80:c2:00:00:03, the PAE group address.
> Some switches will broadcast messages sent to this address, which will
> cause the devices under the same switch to receive these response packets,
> which will cause the device's eap state machine to migrate incorrectly,
> resulting in repeated authentication or slow authentication.

> diff --git a/src/eapol_supp/eapol_supp_sm.c b/src/eapol_supp/eapol_supp_sm.c
> @@ -1365,6 +1365,11 @@ int eapol_sm_rx_eapol(struct eapol_sm *sm, const u8 *src, const u8 *buf,
> +			if (plen >= sizeof(*ehdr) && ehdr->code == EAP_CODE_RESPONSE) {
> +				wpa_printf(MSG_DEBUG, "EAPOL: Ignore EAP packet with response");
> +				break;
> +			}

This is problematic because of a special corner case with LEAP which
actually uses an EAP-Response message from the server to the client. In
other words, this proposed change would break LEAP.

I guess this could be made even a worse layer violation within the
workaround code by looking at the type field following the EAP header
and skipping this here only if the type is not EAP_TYPE_LEAP. That would
not be exactly pretty from the view point of EAPOL layer supposedly
being independent of the EAP layer, but I guess that could be an
acceptable workaround for this.
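
The type-aware check suggested in the reply above, as an added example that is not part of the thread or of the hostap source. The helper name `supp_ignore_eap_response` and the sample packets are hypothetical; the code and type values are the standard EAP numbers, and ignoring a Response with no type octet is an assumption of this sketch.

```c
#include <stddef.h>
#include <stdint.h>

/* Standard EAP code and method type numbers; names mirror the thread. */
enum { EAP_CODE_REQUEST = 1, EAP_CODE_RESPONSE = 2 };
enum { EAP_TYPE_LEAP = 17 };
#define EAP_HDR_LEN 4 /* code, identifier, 16-bit big-endian length */

/*
 * Hypothetical helper (not a hostap function): returns 1 when a supplicant
 * should ignore the EAP packet in buf, 0 when it should be processed.
 */
int supp_ignore_eap_response(const uint8_t *buf, size_t plen)
{
	size_t eap_len;

	if (plen < EAP_HDR_LEN)
		return 0; /* too short to classify; leave to normal validation */
	if (buf[0] != EAP_CODE_RESPONSE)
		return 0; /* Request/Success/Failure are handled as before */
	eap_len = ((size_t)buf[2] << 8) | buf[3];
	/* The type octet must exist in both the buffer and the EAP length. */
	if (plen < EAP_HDR_LEN + 1 || eap_len < EAP_HDR_LEN + 1)
		return 1; /* assumption: a Response without a type cannot be LEAP */
	/* LEAP sends an EAP-Response from server to client, so let it through. */
	return buf[4] != EAP_TYPE_LEAP;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t sample_resp_identity[] = { 0x02, 0x01, 0x00, 0x09, 0x01, 'u', 's', 'e', 'r' };
static const uint8_t sample_resp_leap[] = { 0x02, 0x05, 0x00, 0x08, 0x11, 0x01, 0x00, 0x00 };
static const uint8_t sample_req_identity[] = { 0x01, 0x01, 0x00, 0x05, 0x01 };
static const uint8_t sample_resp_no_type[] = { 0x02, 0x01, 0x00, 0x04 };

int main(void)
{
	int ok = supp_ignore_eap_response(sample_resp_identity, sizeof(sample_resp_identity)) == 1 &&
		 supp_ignore_eap_response(sample_resp_leap, sizeof(sample_resp_leap)) == 0 &&
		 supp_ignore_eap_response(sample_req_identity, sizeof(sample_req_identity)) == 0 &&
		 supp_ignore_eap_response(sample_resp_no_type, sizeof(sample_resp_no_type)) == 1;
	return ok ? 0 : 1;
}
```
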

Patch

diff --git a/src/eapol_supp/eapol_supp_sm.c b/src/eapol_supp/eapol_supp_sm.c
index 0bfe3c970..3c03a433c 100644
--- a/src/eapol_supp/eapol_supp_sm.c
+++ b/src/eapol_supp/eapol_supp_sm.c
@@ -1365,6 +1365,11 @@  int eapol_sm_rx_eapol(struct eapol_sm *sm, const u8 *src, const u8 *buf,
 				wpa_printf(MSG_DEBUG, "EAPOL: Ignore EAP packet with unknown code 10");
 				break;
 			}
+
+			if (plen >= sizeof(*ehdr) && ehdr->code == EAP_CODE_RESPONSE) {
+				wpa_printf(MSG_DEBUG, "EAPOL: Ignore EAP packet with response");
+				break;
+			}
 		}
 
 		if (sm->cached_pmk) {
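Review bot: the added test on `ehdr->code == EAP_CODE_RESPONSE` drops every EAP-Response regardless of method, so a method that legitimately delivers a Response to the supplicant (LEAP, as raised in the reply above) would stop working. Consider also reading the type octet that follows the EAP header, guarded by a length check that covers that extra byte, and taking the `break` only when the type is not EAP_TYPE_LEAP. Two smaller points on the same lines: the debug text "EAPOL: Ignore EAP packet with response" is vague next to the neighbouring "unknown code 10" message, and something like "EAPOL: Ignore EAP-Response received by Supplicant" would be clearer in logs; the `if` line also runs past 80 columns at this indentation and could be wrapped.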