From: Johannes Berg johannes.berg@intel.com
[ Upstream commit d1b1a5eb27c4948e8811cf4dbb05aaf3eb10700c ]
In OCB, don't accept frames from invalid source addresses (and in particular don't try to create stations for them), drop the frames instead.
Reported-by: syzbot+8b512026a7ec10dcbdd9@syzkaller.appspotmail.com Closes: https://lore.kernel.org/r/6788d2d9.050a0220.20d369.0028.GAE@google.com/ Signed-off-by: Johannes Berg johannes.berg@intel.com Tested-by: syzbot+8b512026a7ec10dcbdd9@syzkaller.appspotmail.com Link: https://patch.msgid.link/20250616171838.7433379cab5d.I47444d63c72a0bd58d2e2b... Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Sasha Levin sashal@kernel.org ---
**YES**
This commit should be backported to stable kernel trees. Here's my extensive analysis:
## Security Vulnerability Fixed
The commit fixes a clear security vulnerability in OCB (Outside Context of a BSS) mode where frames with invalid source addresses are accepted and processed. Looking at the code change:
```c + /* reject invalid/our STA address */ + if (!is_valid_ether_addr(hdr->addr2) || + ether_addr_equal(sdata->dev->dev_addr, hdr->addr2)) + return false; ```
This adds critical validation that was missing, preventing:
1. **Invalid MAC addresses** (all zeros, broadcast/multicast addresses) from being accepted 2. **Self-spoofing attacks** where frames appear to come from the device's own address
## Comparison with Similar Historical Fixes
This fix follows the exact pattern of Similar Commit #1 (Backport Status: YES): - That commit added `!is_valid_ether_addr(hdr->addr2)` check to ADHOC mode - It fixed WARN_ON spam in `sta_info_insert_check()` - It was deemed suitable for stable backporting
The OCB fix addresses the same class of vulnerability in a different interface mode.
## Impact Without the Fix
Without this validation, the `ieee80211_ocb_rx_no_sta()` function would: 1. Create station entries for invalid addresses 2. Potentially trigger WARN_ON messages causing log spam 3. Allow resource exhaustion attacks by creating many invalid stations 4. Risk crashes or undefined behavior from invalid station entries
## Stable Backport Criteria Met
1. **Fixes a real bug**: Yes - invalid frames are incorrectly accepted 2. **Security impact**: Yes - potential DoS via resource exhaustion 3. **Small and contained**: Yes - adds 4 lines of validation 4. **Clear fix**: Yes - straightforward address validation 5. **No new features**: Correct - only adds missing validation 6. **Tested**: Yes - verified by syzbot
## Not Like the "NO" Examples
Unlike the commits marked for NO backporting: - This is not adding new functionality (like link-addressed frames support) - This is not a code cleanup or optimization - This is fixing a concrete security issue reported by syzbot - This has minimal risk of regression
The fix is essential for OCB mode security and should be backported to all stable kernels that support OCB mode (since 2014).
net/mac80211/rx.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index 5eb233f619817..58665b6ae6354 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -4419,6 +4419,10 @@ static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx) if (!multicast && !ether_addr_equal(sdata->dev->dev_addr, hdr->addr1)) return false; + /* reject invalid/our STA address */ + if (!is_valid_ether_addr(hdr->addr2) || + ether_addr_equal(sdata->dev->dev_addr, hdr->addr2)) + return false; if (!rx->sta) { int rate_idx; if (status->encoding != RX_ENC_LEGACY)