Re: [PATCH] wifi: mac80211: only accept IBSS channel switch from our own BSSID
From: Johannes Berg
Date: Tue Jun 23 2026 - 05:17:43 EST
On Tue, 2026-06-23 at 11:10 +0200, Johannes Berg wrote:
> On Tue, 2026-06-23 at 17:04 +0800, Yingjie Cao wrote:
> > ieee80211_rx_bss_info() acts on a channel switch announcement (CSA)
> > carried in a received beacon or probe response before it verifies that
> > the frame's BSSID matches our own IBSS; it only checks that the SSID
> > matches. ieee80211_rx_mgmt_spectrum_mgmt() acts on a spectrum management
> > (channel switch) action frame without checking the BSSID at all.
> >
> > Because of this, any station in radio range that knows the IBSS SSID
> > (which is broadcast in cleartext) can inject a beacon or action frame
> > carrying a CSA element that points at an unsupported channel. The switch
> > then fails in ieee80211_ibss_process_chanswitch(), which queues
> > csa_connection_drop_work and tears the whole IBSS down. The members
> > rejoin and the attacker repeats, resulting in a persistent,
> > unauthenticated denial of service. Encrypted IBSS networks are equally
> > affected because beacons are not protected. Since both of these CSA
> > entry points are IBSS-specific, the impact is confined to IBSS (ad-hoc)
> > mode; managed-mode CSA is handled separately in mlme.c and is unaffected.
>
> Once you rewrite this to be more honest, you'll see that the whole Cc
> stable thing and all is fairly much pointless?
>
> Or have you not realised yet that stations can also trivially fake their
> MAC address?
Also, since you don't have a track record in wifi, I'll point once again
to https://docs.kernel.org/process/coding-assistants.html
johannes
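To make the checks under discussion concrete, here is an added, self-contained model of the beacon CSA entry point; it is not the patch's code nor mac80211's, and every name in it (ibss_ctx, ibss_beacon_csa, build_beacon, demo_case) is this example's own. It parses a constructed IBSS beacon, applies the SSID match the current code does, the BSSID match the patch proposes (address 3 of the management header), and the supported-channel test whose failure is where the thread says the IBSS is torn down. Note the reviewer's point: address 3 is written by whoever transmits the frame, so the BSSID check only filters beacons from neighbouring IBSSs that happen to share an SSID; a sender that copies our BSSID is indistinguishable from a genuine member and takes the same path as case 0 below.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the checks discussed in the thread (not mac80211 code). */
#define HDR_LEN          24  /* FC(2) dur(2) addr1(6) addr2(6) addr3(6) seq(2) */
#define BEACON_FIXED_LEN 12  /* timestamp(8) interval(2) capability(2) */
#define EID_SSID          0
#define EID_CHAN_SWITCH  37  /* CSA element body: mode(1) new channel(1) count(1) */

struct csa_info { uint8_t mode, new_chan, count; };

struct ibss_ctx {                        /* our IBSS identity (sample values) */
    uint8_t bssid[6];
    const char *ssid;
    const uint8_t *chans; size_t n_chans; /* channels this radio supports */
};

enum csa_verdict { CSA_WRONG_BSSID, CSA_WRONG_SSID, CSA_NONE,
                   CSA_UNSUPPORTED_CHAN, CSA_ACCEPTED, CSA_MALFORMED };

/* Walk the IE list after the fixed fields; false if an element overruns the frame. */
static bool parse_ies(const uint8_t *f, size_t len, const uint8_t **ssid,
                      size_t *ssid_len, struct csa_info *csa, bool *have_csa)
{
    size_t pos = HDR_LEN + BEACON_FIXED_LEN;
    *ssid = NULL; *ssid_len = 0; *have_csa = false;
    if (len < pos) return false;
    while (pos + 2 <= len) {
        uint8_t id = f[pos], elen = f[pos + 1];
        const uint8_t *d = f + pos + 2;
        if (pos + 2 + elen > len) return false;          /* truncated element */
        if (id == EID_SSID) { *ssid = d; *ssid_len = elen; }
        else if (id == EID_CHAN_SWITCH && elen == 3) {
            csa->mode = d[0]; csa->new_chan = d[1]; csa->count = d[2];
            *have_csa = true;
        }
        pos += 2 + elen;
    }
    return true;
}

/* Decide whether a received beacon's CSA may drive our IBSS channel switch. */
enum csa_verdict ibss_beacon_csa(const struct ibss_ctx *c, const uint8_t *f,
                                 size_t len, struct csa_info *out)
{
    const uint8_t *ssid; size_t ssid_len; bool have_csa;
    if (!parse_ies(f, len, &ssid, &ssid_len, out, &have_csa)) return CSA_MALFORMED;
    /* The check the patch adds: address 3 of a beacon carries the BSSID. */
    if (memcmp(f + 16, c->bssid, 6) != 0) return CSA_WRONG_BSSID;
    /* The check the current code already performs. */
    if (!ssid || ssid_len != strlen(c->ssid) || memcmp(ssid, c->ssid, ssid_len))
        return CSA_WRONG_SSID;
    if (!have_csa) return CSA_NONE;
    for (size_t i = 0; i < c->n_chans; i++)
        if (c->chans[i] == out->new_chan) return CSA_ACCEPTED;
    return CSA_UNSUPPORTED_CHAN;   /* the thread says this path drops the IBSS */
}

/* Build a constructed beacon: addr1 broadcast, addr2/addr3 = bssid, SSID and CSA IEs. */
size_t build_beacon(uint8_t *buf, const uint8_t bssid[6], const char *ssid,
                    const struct csa_info *csa)
{
    size_t n, sl = strlen(ssid);
    memset(buf, 0, HDR_LEN + BEACON_FIXED_LEN);
    buf[0] = 0x80;                       /* management frame, subtype beacon */
    memset(buf + 4, 0xff, 6);            /* addr1: broadcast */
    memcpy(buf + 10, bssid, 6);          /* addr2: transmitter address */
    memcpy(buf + 16, bssid, 6);          /* addr3: BSSID */
    buf[34] = 0x02;                      /* capability: IBSS */
    n = HDR_LEN + BEACON_FIXED_LEN;
    buf[n++] = EID_SSID; buf[n++] = (uint8_t)sl; memcpy(buf + n, ssid, sl); n += sl;
    if (csa) { buf[n++] = EID_CHAN_SWITCH; buf[n++] = 3;
               buf[n++] = csa->mode; buf[n++] = csa->new_chan; buf[n++] = csa->count; }
    return n;
}

/* Scenarios on constructed input; returns the verdict for each. */
enum csa_verdict demo_case(int which)
{
    static const uint8_t chans[] = { 1, 6, 11 };
    static const uint8_t ours[6]  = { 0x02, 0x11, 0x22, 0x33, 0x44, 0x55 };
    static const uint8_t other[6] = { 0x02, 0x99, 0x88, 0x77, 0x66, 0x55 };
    struct ibss_ctx ctx = { {0}, "demo-ibss", chans, 3 };
    struct csa_info csa = { 1, 6, 2 }, out;
    uint8_t buf[128]; size_t len;
    memcpy(ctx.bssid, ours, 6);
    switch (which) {
    case 0: len = build_beacon(buf, ours, "demo-ibss", &csa); break;  /* genuine member */
    case 1: len = build_beacon(buf, other, "demo-ibss", &csa); break; /* foreign BSSID */
    case 2: csa.new_chan = 200;                                      /* unsupported channel */
            len = build_beacon(buf, ours, "demo-ibss", &csa); break;
    case 3: len = build_beacon(buf, ours, "other-net", &csa); break; /* wrong SSID */
    default: len = build_beacon(buf, ours, "demo-ibss", NULL);       /* no CSA element */
    }
    return ibss_beacon_csa(&ctx, buf, len, &out);
}

int main(void)
{
    static const char *names[] = { "wrong BSSID", "wrong SSID", "no CSA element",
                                   "unsupported channel", "accepted", "malformed" };
    for (int i = 0; i < 5; i++)
        printf("case %d: %s\n", i, names[demo_case(i)]);
    return 0;
}
```

Case 2 is the one the patch description is about: a CSA that names a channel the radio cannot use reaches the unsupported-channel path, and the only thing the added BSSID comparison asks of its sender is that address 3 equal our BSSID.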