ipv4: add option to drop unicast encapsulated in L2 multicast

In order to solve a problem with 802.11, the so-called hole-196 attack,
add an option (sysctl) called "drop_unicast_in_l2_multicast" which, if
enabled, causes the stack to drop IPv4 unicast packets encapsulated in
link-layer multi- or broadcast frames. Such frames can (as an attack)
be created by any member of the same wireless network and transmitted
as valid encrypted frames since the symmetric key for broadcast frames
is shared between all stations.

Additionally, enabling this option provides compliance with a SHOULD
clause of RFC 1122.

Reviewed-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index 73b36d7c7b0d67309cce7bf0bd8a46f0c6ee7ea1..d5910d63214d8105838bc988e57222abbfc57122 100644 (file)
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -1216,6 +1216,13 @@ promote_secondaries - BOOLEAN
        promote a corresponding secondary IP address instead of
        removing all the corresponding secondary IP addresses.
 
+drop_unicast_in_l2_multicast - BOOLEAN
+       Drop any unicast IP packets that are received in link-layer
+       multicast (or broadcast) frames.
+       This behavior (for multicast) is actually a SHOULD in RFC
+       1122, but is disabled by default for compatibility reasons.
+       Default: off (0)
+
 
 tag - INTEGER
        Allows you to write a number, which can be used as required.

diff --git a/include/uapi/linux/ip.h b/include/uapi/linux/ip.h
index 08f894d2ddbd9cf21b423a0dbac7c73b6b105846..584834f7e95c9e369223bce87b55e8a1c6700c46 100644 (file)
--- a/include/uapi/linux/ip.h
+++ b/include/uapi/linux/ip.h
@@ -165,6 +165,7 @@ enum
        IPV4_DEVCONF_IGMPV2_UNSOLICITED_REPORT_INTERVAL,
        IPV4_DEVCONF_IGMPV3_UNSOLICITED_REPORT_INTERVAL,
        IPV4_DEVCONF_IGNORE_ROUTES_WITH_LINKDOWN,
+       IPV4_DEVCONF_DROP_UNICAST_IN_L2_MULTICAST,
        __IPV4_DEVCONF_MAX
 };
 

diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index cebd9d31e65a4a7539cab0bef71887736bc188f7..dbbab28a52a4947a354e2d0de32532430d7eb6d5 100644 (file)
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -2192,6 +2192,8 @@ static struct devinet_sysctl_table {
                                              "promote_secondaries"),
                DEVINET_SYSCTL_FLUSHING_ENTRY(ROUTE_LOCALNET,
                                              "route_localnet"),
+               DEVINET_SYSCTL_FLUSHING_ENTRY(DROP_UNICAST_IN_L2_MULTICAST,
+                                             "drop_unicast_in_l2_multicast"),
        },
 };
 

diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
index d77eb0c3b6842bc5605a882f9ad46c609dcdeb50..852002f64c68455474123f5bb66abb0bd5583e41 100644 (file)
--- a/net/ipv4/ip_input.c
+++ b/net/ipv4/ip_input.c
@@ -362,8 +362,31 @@ static int ip_rcv_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
        rt = skb_rtable(skb);
        if (rt->rt_type == RTN_MULTICAST) {
                IP_UPD_PO_STATS_BH(net, IPSTATS_MIB_INMCAST, skb->len);
-       } else if (rt->rt_type == RTN_BROADCAST)
+       } else if (rt->rt_type == RTN_BROADCAST) {
                IP_UPD_PO_STATS_BH(net, IPSTATS_MIB_INBCAST, skb->len);
+       } else if (skb->pkt_type == PACKET_BROADCAST ||
+                  skb->pkt_type == PACKET_MULTICAST) {
+               struct in_device *in_dev = __in_dev_get_rcu(skb->dev);
+
+               /* RFC 1122 3.3.6:
+                *
+                *   When a host sends a datagram to a link-layer broadcast
+                *   address, the IP destination address MUST be a legal IP
+                *   broadcast or IP multicast address.
+                *
+                *   A host SHOULD silently discard a datagram that is received
+                *   via a link-layer broadcast (see Section 2.4) but does not
+                *   specify an IP multicast or broadcast destination address.
+                *
+                * This doesn't explicitly say L2 *broadcast*, but broadcast is
+                * in a way a form of multicast and the most common use case for
+                * this is 802.11 protecting against cross-station spoofing (the
+                * so-called "hole-196" attack) so do it for both.
+                */
+               if (in_dev &&
+                   IN_DEV_ORCONF(in_dev, DROP_UNICAST_IN_L2_MULTICAST))
+                       goto drop;
+       }
 
        return dst_input(skb);