From patchwork Fri Aug 4 07:03:10 2023
X-Patchwork-Submitter: Stijn Tintel
X-Patchwork-Id: 1816817
X-Patchwork-Delegate: hauke@hauke-m.de
From: stijn@linux-ipv6.be
To: openwrt-devel@lists.openwrt.org
Cc: nbd@nbd.name
Subject: [PATCH] hostapd: revert upstream commit to fix #13156
Date: Fri, 4 Aug 2023 10:03:10 +0300
Message-ID: <20230804070310.1747317-1-stijn@linux-ipv6.be>
X-Mailer: git-send-email 2.41.0

Commit e978072baaca ("Do prune_association only after the STA is authorized") causes issues when an STA roams from one interface to another interface on the same PHY. The mt7915 driver is not able to handle this properly. While the commit fixes a DoS, there are other devices and drivers with the same limitation, so revert to the original behavior for now, until we have a better solution in place.

Fixes: #13156
Signed-off-by: Stijn Tintel
--- .../patches/991-Fix-OpenWrt-13156.patch | 63 +++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 package/network/services/hostapd/patches/991-Fix-OpenWrt-13156.patch diff --git a/package/network/services/hostapd/patches/991-Fix-OpenWrt-13156.patch b/package/network/services/hostapd/patches/991-Fix-OpenWrt-13156.patch new file mode 100644 index 0000000000..671b8ffecd --- /dev/null +++ b/package/network/services/hostapd/patches/991-Fix-OpenWrt-13156.patch 
@@ -0,0 +1,63 @@ +From 26cd9bafc1d25e602952ee86cd2a5b8c3a995490 Mon Sep 17 00:00:00 2001 +From: Stijn Tintel +Date: Fri, 28 Jul 2023 16:27:47 +0300 +Subject: [PATCH] Revert "Do prune_association only after the STA is + authorized" + +Commit e978072baaca ("Do prune_association only after the STA is +authorized") causes issues when an STA roams from one interface to +another interface on the same PHY. The mt7915 driver is not able to +handle this properly. While the commits fixes a DoS, there are other +devices and drivers with the same limitation, so revert to the orginal +behavior for now, until we have a better solution in place. + +Ref: https://github.com/openwrt/openwrt/issues/13156 +Signed-off-by: Stijn Tintel +--- + src/ap/hostapd.c | 14 +++++++++++--- + src/ap/sta_info.c | 3 --- + 2 files changed, 11 insertions(+), 6 deletions(-) + +--- a/src/ap/hostapd.c ++++ b/src/ap/hostapd.c +@@ -3619,6 +3619,8 @@ int hostapd_remove_iface(struct hapd_int + void hostapd_new_assoc_sta(struct hostapd_data *hapd, struct sta_info *sta, + int reassoc) + { ++ int mld_assoc_link_id = -1; ++ + if (hapd->tkip_countermeasures) { + hostapd_drv_sta_deauth(hapd, sta->addr, + WLAN_REASON_MICHAEL_MIC_FAILURE); +@@ -3626,10 +3628,16 @@ void hostapd_new_assoc_sta(struct hostap + } + + #ifdef CONFIG_IEEE80211BE +- if (hapd->conf->mld_ap && sta->mld_info.mld_sta && +- sta->mld_assoc_link_id != hapd->mld_link_id) +- return; ++ if (hapd->conf->mld_ap && sta->mld_info.mld_sta) { ++ if (sta->mld_assoc_link_id == hapd->mld_link_id) { ++ mld_assoc_link_id = sta->mld_assoc_link_id; ++ } else { ++ return; ++ } ++ } + #endif /* CONFIG_IEEE80211BE */ ++ if (mld_assoc_link_id != -2) ++ hostapd_prune_associations(hapd, sta->addr, mld_assoc_link_id); + + ap_sta_clear_disconnect_timeouts(hapd, sta); + sta->post_csa_sa_query = 0; +--- a/src/ap/sta_info.c ++++ b/src/ap/sta_info.c +@@ -1318,9 +1318,6 @@ void ap_sta_set_authorized(struct hostap + mld_assoc_link_id = -2; + } + #endif /* CONFIG_IEEE80211BE */ 
+- if (mld_assoc_link_id != -2) +- hostapd_prune_associations(hapd, sta->addr, +- mld_assoc_link_id); + sta->flags |= WLAN_STA_AUTHORIZED; + } else { + sta->flags &= ~WLAN_STA_AUTHORIZED;
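
Review bot: In the second src/ap/hostapd.c hunk the guard `if (mld_assoc_link_id != -2)` can never be false, because nothing in hostapd_new_assoc_sta() assigns the -2 sentinel: the local starts at -1, is only overwritten with sta->mld_assoc_link_id, and the non-matching link case returns before the check. The sentinel belonged to ap_sta_set_authorized() (its assignment is still visible in the sta_info.c context) and was carried over with the call. Either call hostapd_prune_associations() unconditionally, or keep the condition with a comment saying it is retained only to stay close to the code before e978072baaca. Because this call site runs at association time, before WLAN_STA_AUTHORIZED is set, a short comment here pointing at issue #13156 and at the DoS fix being reverted would also help whoever restores the upstream ordering later.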
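
Review bot: In the src/ap/sta_info.c hunk, deleting the hostapd_prune_associations() call removes the only visible reader of mld_assoc_link_id, while the `mld_assoc_link_id = -2;` assignment in the context above it stays. If nothing else in ap_sta_set_authorized() reads the variable, it is now set but unused and will draw a compiler warning; in that case the revert should also drop the declaration and the CONFIG_IEEE80211BE block that computes it, which the 3-line deletion listed in the diffstat does not cover.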