1
0
mirror of https://github.com/aircrack-ng/rtl8812au.git synced 2024-11-26 15:14:02 +00:00

rtl8812a: do not overwrite sequence number of injected frames

The sequence number of inject frames was being overwritten. This prevents
certain older attacks against WEP fragmentation older TKIP attacks. Fix
this by tracking if a frames was injected in monitor mode, and if so, do
not overwrite its sequence number.

The patch also adds a module parameter to revert this behaviour if needed.
By setting rtw_monitor_overwrite_seqnum to 1, sequence numbers will again
be set by the driver/device. This may by useful if user-space relied on
the driver/device to set sequence numbers.

This patch was tested using an Alfa AWUS036ACH.
This commit is contained in:
Mathy Vanhoef 2020-06-26 09:27:51 +04:00
parent df2b8dfd8c
commit 1b86121806
5 changed files with 17 additions and 2 deletions

View File

@ -4460,6 +4460,7 @@ s32 rtw_monitor_xmit_entry(struct sk_buff *skb, struct net_device *ndev)
/* Check DATA/MGNT frames */ /* Check DATA/MGNT frames */
pwlanhdr = (struct rtw_ieee80211_hdr *)pframe; pwlanhdr = (struct rtw_ieee80211_hdr *)pframe;
pattrib = &pmgntframe->attrib; pattrib = &pmgntframe->attrib;
pattrib->injected = _TRUE;
if (pregpriv->monitor_disable_1m) { if (pregpriv->monitor_disable_1m) {

View File

@ -60,6 +60,7 @@ static s32 update_txdesc(struct xmit_frame *pxmitframe, u8 *pmem, s32 sz , u8 ba
#endif/*CONFIG_80211N_HT*/ #endif/*CONFIG_80211N_HT*/
u8 vht_max_ampdu_size = 0; u8 vht_max_ampdu_size = 0;
struct dvobj_priv *pdvobjpriv = adapter_to_dvobj(padapter); struct dvobj_priv *pdvobjpriv = adapter_to_dvobj(padapter);
struct registry_priv *pregpriv = &(padapter->registrypriv);
#ifndef CONFIG_USE_USB_BUFFER_ALLOC_TX #ifndef CONFIG_USE_USB_BUFFER_ALLOC_TX
if (padapter->registrypriv.mp_mode == 0) { if (padapter->registrypriv.mp_mode == 0) {
@ -115,10 +116,16 @@ static s32 update_txdesc(struct xmit_frame *pxmitframe, u8 *pmem, s32 sz , u8 ba
/* offset 12 */ /* offset 12 */
if (!pattrib->qos_en) { if (pattrib->injected == _TRUE && !pregpriv->monitor_overwrite_seqnum) {
/* Prevent sequence number from being overwritten */
SET_TX_DESC_HWSEQ_EN_8812(ptxdesc, 0); /* Hw do not set sequence number */
SET_TX_DESC_SEQ_8812(ptxdesc, pattrib->seqnum); /* Copy inject sequence number to TxDesc */
}
else if (!pattrib->qos_en) {
SET_TX_DESC_HWSEQ_EN_8812(ptxdesc, 1); /* Hw set sequence number */ SET_TX_DESC_HWSEQ_EN_8812(ptxdesc, 1); /* Hw set sequence number */
} else } else {
SET_TX_DESC_SEQ_8812(ptxdesc, pattrib->seqnum); SET_TX_DESC_SEQ_8812(ptxdesc, pattrib->seqnum);
}
if ((pxmitframe->frame_tag & 0x0f) == DATA_FRAMETAG) { if ((pxmitframe->frame_tag & 0x0f) == DATA_FRAMETAG) {
/* RTW_INFO("pxmitframe->frame_tag == DATA_FRAMETAG\n"); */ /* RTW_INFO("pxmitframe->frame_tag == DATA_FRAMETAG\n"); */

View File

@ -458,6 +458,7 @@ struct registry_priv {
u8 tdmadig_dynamic; u8 tdmadig_dynamic;
#endif/*CONFIG_TDMADIG*/ #endif/*CONFIG_TDMADIG*/
u8 monitor_overwrite_seqnum;
u8 monitor_disable_1m; u8 monitor_disable_1m;
}; };

View File

@ -465,6 +465,7 @@ struct pkt_attrib {
#endif /* CONFIG_WMMPS_STA */ #endif /* CONFIG_WMMPS_STA */
struct sta_info *psta; struct sta_info *psta;
u8 injected;
u8 rtsen; u8 rtsen;
u8 cts2self; u8 cts2self;

View File

@ -72,6 +72,10 @@ int rtw_scan_mode = 1;/* active, passive */
int rtw_lps_chk_by_tp = 0; int rtw_lps_chk_by_tp = 0;
#endif /* CONFIG_POWER_SAVING */ #endif /* CONFIG_POWER_SAVING */
int rtw_monitor_overwrite_seqnum = 0;
module_param(rtw_monitor_overwrite_seqnum, int, 0644);
MODULE_PARM_DESC(rtw_monitor_overwrite_seqnum, "Overwrite the sequence number of injected frames");
int rtw_monitor_disable_1m = 0; int rtw_monitor_disable_1m = 0;
module_param(rtw_monitor_disable_1m, int, 0644); module_param(rtw_monitor_disable_1m, int, 0644);
MODULE_PARM_DESC(rtw_monitor_disable_1m, "Disable default 1Mbps rate for monitor injected frames"); MODULE_PARM_DESC(rtw_monitor_disable_1m, "Disable default 1Mbps rate for monitor injected frames");
@ -1223,6 +1227,7 @@ uint loadparam(_adapter *padapter)
registry_par->fw_tbtt_rpt = rtw_tbtt_rpt; registry_par->fw_tbtt_rpt = rtw_tbtt_rpt;
#endif #endif
registry_par->monitor_overwrite_seqnum = (u8)rtw_monitor_overwrite_seqnum;
registry_par->monitor_disable_1m = (u8)rtw_monitor_disable_1m; registry_par->monitor_disable_1m = (u8)rtw_monitor_disable_1m;
return status; return status;