Re: [PATCH] wifi: mac80211: only accept IBSS channel switch from our own BSSID

Next message: Aksh Garg: "[PATCH v6 0/4] PCI: Add DOE support for endpoint"
Previous message: Aksh Garg: "[PATCH v6 3/4] PCI: endpoint: Add support for DOE initialization and setup in EPC core"
In reply to: Yingjie Cao: "[PATCH] wifi: mac80211: only accept IBSS channel switch from our own BSSID"
Next in thread: Johannes Berg: "Re: [PATCH] wifi: mac80211: only accept IBSS channel switch from our own BSSID"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Johannes Berg

Date: Tue Jun 23 2026 - 05:14:16 EST

On Tue, 2026-06-23 at 17:04 +0800, Yingjie Cao wrote:
> ieee80211_rx_bss_info() acts on a channel switch announcement (CSA)
> carried in a received beacon or probe response before it verifies that
> the frame's BSSID matches our own IBSS; it only checks that the SSID
> matches. ieee80211_rx_mgmt_spectrum_mgmt() acts on a spectrum management
> (channel switch) action frame without checking the BSSID at all.
>
> Because of this, any station in radio range that knows the IBSS SSID
> (which is broadcast in cleartext) can inject a beacon or action frame
> carrying a CSA element that points at an unsupported channel. The switch
> then fails in ieee80211_ibss_process_chanswitch(), which queues
> csa_connection_drop_work and tears the whole IBSS down. The members
> rejoin and the attacker repeats, resulting in a persistent,
> unauthenticated denial of service. Encrypted IBSS networks are equally
> affected because beacons are not protected. Since both of these CSA
> entry points are IBSS-specific, the impact is confined to IBSS (ad-hoc)
> mode; managed-mode CSA is handled separately in mlme.c and is unaffected.

Once you rewrite this to be more honest, you'll see that the whole Cc
stable thing and all is fairly much pointless?

Or have you not realised yet that stations can also trivially fake their
MAC address?

johannes