Changeset 1762

Timestamp:

10/23/06 11:11:21 (5 years ago)

Author:

kelmo

Message:

This patch fixes susceptibility to remote abuse of Channel Switch
Announcement Information Elements by injection of Beacon Frame
packets and improves the reliability of channel switch procedure under
conditions of frequent beacon misses.

Currently, channel switch is performed only after receiving Channel Switch
Announcement with Channel Switch Count <= 1. This ensures proper operation
under normal conditions. However, Beacon misses happen (especially if there
is a reason to leave the current channel). If the last Beacon before channel
switch is lost, then STA will remain on the channel. Such a condition is not
fatal, because STA will eventually recover after some time (by scanning for
the BSS and rejoining). It is not optimal, though. The information that a
channel switch is scheduled could have been already known thanks to prior
announcements. Ignoring them is just losing the opportunity to work fluently
under harsh conditions.

Of course it has a drawback. The last (lost) Beacon before scheduled channel
switch could cancel it. If so, then our STA will change the channel, notice
that there is no one to talk to there and then try recover as usual. However,
if we lose last Beacon it is more probable that the channel switch was not
cancelled and thus assuming that we decrease the probability of missing (or
performing an incorrect) channel switch.

BTW It is desirable to pay more attention to received Channel Switch
Announcements to avoid malicious packet injections that can cause a serious
DoS.

Unfortunately, the "BTW" remark appeared to be true. Using extremely simple
packet injection, an attacker can send his own Beacon Frames with Channel
Switch Announcement Information Elements. If he sets CS Count <= 1, then the
client station (madwifi in STA (Managed) mode) follows it blindly and changes
its operating channel. This completely interrupts communication for a
significant period of time (up to 10 seconds) and therefore current design
can be considered as a serious flaw allowing the attacker to perform DoS attack
easily.

The idea to monitor all incoming CSA IEs gives a possibility to avoid such
attacks or at least to reduce their impact to the minimum. Its implementation
has been applied as r962. Its functionality in brief:

• IEEE80211_CSA_PROTECTION_PERIOD has been introduced. It defines the minimal
  Channel Switch Count in the initial packet. This means that the period in
  which Channel Switch is announced cannot be too short. This protects the
  client from switching to another channel after receiving malicious CSA IE
  with Count <= 1.
  
• Interval measurement between subsequent CSA IEs is checked against the
  actual CSA Count drop and the right multiplicity of Beacon Interval. It
  allows to react to injected packets. The actual action is to cancel the
  switch. It is not the ideal solution because now it is easy to enforce
  cancelling the switch. However, not to switch is better than to switch ;D,
  because the worst impact possible is disruption of communication for a few
  seconds needed to scan the band to find the AP. But this can potentially
  happen only when the switch is really going to happen and cannot be
  triggered by the attacker.
  
• CSA parameters (Chan, Mode) are monitored for change.
  
• Channel to switch to is looked up after receiving first CSA IE.
  
• When any proper CSA IE is received, a timer is set up to make the switch
  proceed even though the terminal CSA IE has not arrived. This addresses the
  main task described in the ticket description.
  

The applied changes work fine and do much (if not the most) of what was possible
to ensure proper functioning while using available IEEE802.11h facilities.

Signed-off-by: Michal Wrobel <xmxwx@asn.pl>

Files:

• trunk/net80211/ieee80211.h (modified) (1 diff)
• trunk/net80211/ieee80211_input.c (modified) (3 diffs)
• trunk/net80211/ieee80211_proto.c (modified) (1 diff)
• trunk/net80211/ieee80211_scan.h (modified) (1 diff)
• trunk/net80211/ieee80211_var.h (modified) (2 diffs)

trunk/net80211/ieee80211.h

@@ -373 +373 @@
-} __packed;
-
+/*
+ * Channel Switch Announcement information element.
+ */
+struct ieee80211_ie_csa {
+        u_int8_t csa_id;        /* IEEE80211_ELEMID_CHANSWITCHANN */
+        u_int8_t csa_len;       /* == 3 */
+        u_int8_t csa_mode;      /* Channel Switch Mode: 1 == stop transmission until CS */
+        u_int8_t csa_chan;      /* New Channel Number */
+        u_int8_t csa_count;     /* TBTTs until Channel Switch happens */
+} __packed;
+
+/* minimal Channel Switch Count in the initial announcement */
+#define IEEE80211_CSA_PROTECTION_PERIOD 3
+
+/* maximum allowed deviance of measurement of intervals between CSA in Beacons */
+#define IEEE80211_CSA_SANITY_THRESHOLD 100    
+
+
-/* does frame have QoS sequence control data */
-#define IEEE80211_QOS_HAS_SEQ(wh) \

trunk/net80211/ieee80211_input.c

@@ -2291 +2291 @@
-}
-
+static void
+ieee80211_doth_cancel_cs(struct ieee80211vap *vap)
+{
+        del_timer(&vap->iv_csa_timer);
+        if (vap->iv_csa_jiffies) 
+                IEEE80211_DPRINTF(vap, IEEE80211_MSG_DOTH,
+                                "channel switch cancelled (was: to %u in %u "
+                                "tbtt, mode %u)\n", vap->iv_csa_chan->ic_ieee,
+                                vap->iv_csa_count, vap->iv_csa_mode);
+        vap->iv_csa_jiffies = 0;
+}
+
+static void
+ieee80211_doth_switch_channel(struct ieee80211vap *vap)
+{
+        struct ieee80211com *ic = vap->iv_ic;
+
+        IEEE80211_DPRINTF(vap, IEEE80211_MSG_DOTH,
+                        "%s: Channel switch to %d NOW!\n",
+                        __func__, vap->iv_csa_chan->ic_ieee);
+#if 0
+        /* XXX does not belong here? */
+        /* XXX doesn't stop management frames */
+        /* XXX who restarts the queue? */
+        /* NB: for now, error here is non-catastrophic.
+         *     in the future we may need to ensure we
+         *     stop xmit on this channel.
+         */
+        netif_stop_queue(ic->ic_dev);
+#endif
+
+        vap->iv_csa_jiffies = 0; /* supress "cancel" msg */
+        ieee80211_doth_cancel_cs(vap);
+
+        ic->ic_prevchan = ic->ic_curchan;
+        ic->ic_curchan = ic->ic_bsschan = vap->iv_csa_chan;
+        ic->ic_set_channel(ic);
+}
+
+static void
+ieee80211_doth_switch_channel_tmr(unsigned long arg)
+{
+        struct ieee80211vap *vap = (struct ieee80211vap *)arg;
+        ieee80211_doth_switch_channel(vap);
+}
+
-static int
-dothparams(struct ieee80211vap *vap
+csaie(struct ieee80211_node *ni
-        const struct ieee80211_frame *wh)
-{
+        struct ieee80211vap *vap = ni->ni_vap;
-        struct ieee80211com *ic = vap->iv_ic;
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-                IEEE80211_DISCARD_IE(vap,
-                        IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH,
-
+
+
-                return -1;
-        }
-
-
+
+sa_ie->csa_c
-                IEEE80211_DISCARD_IE(vap,
-                        IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH,
-
+
+
-                return -1;
-        }
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
-                                IEEE80211_MSG_ELEMID | IEEE80211_MSG_DOTH,
-                                wh, "channel switch",
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-                        return 0;
-                }
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-        return 0;
-}
@@ -2551 +2693 @@
-                        case IEEE80211_ELEMID_CHANSWITCHANN:
-                                if (ic->ic_flags & IEEE80211_F_DOTH)
-doth
+csa
-                                break;
-                        default:
@@ -2653 +2795 @@
-                        if (scan.ath != NULL)
-                                ieee80211_parse_athParams(ni, scan.ath);
-doth != NULL
-dothparams(vap, scan.doth
+csa != NULL || vap->iv_csa_jiffies
+csaie(ni, scan.csa
-                        if (scan.tim != NULL) {
-                                /*

trunk/net80211/ieee80211_proto.c

@@ -128 +128 @@
-        init_timer(&vap->iv_xrvapstart);
-        init_timer(&vap->iv_swbmiss);
+        init_timer(&vap->iv_csa_timer);
-        vap->iv_mgtsend.function = ieee80211_tx_timeout;
-        vap->iv_mgtsend.data = (unsigned long) vap;

trunk/net80211/ieee80211_scan.h

@@ -139 +139 @@
-        u_int8_t *rates;
-        u_int8_t *xrates;
-doth
+csa
-        u_int8_t *wpa;
-        u_int8_t *rsn;

trunk/net80211/ieee80211_var.h

@@ -88 +88 @@
-#define IEEE80211_TU_TO_MS(x)   (((x) * 1024) / 1000)
-#define IEEE80211_TU_TO_JIFFIES(x) ((IEEE80211_TU_TO_MS(x) * HZ) / 1000)
+#define IEEE80211_JIFFIES_TO_TU(x) IEEE80211_MS_TO_TU((x) * 1000 / HZ)
-
-#define IEEE80211_APPIE_MAX     1024
@@ -349 +350 @@
-        struct ieee80211_roam iv_roam;          /* sta-mode roaming state */
-
+        u_int32_t iv_csa_jiffies;               /* last csa recv jiffies */
+        u_int8_t iv_csa_count;                  /* last csa count */
+        struct ieee80211_channel *iv_csa_chan;  /* last csa channel */
+        u_int8_t iv_csa_mode;                   /* last csa mode */
+        struct timer_list iv_csa_timer;         /* csa timer */
-        u_int32_t *iv_aid_bitmap;               /* association id map */
-        u_int16_t iv_max_aid;