[PATCH] The current behaviour of hostapd_das_find_sta() is undesirable as it can result in over broad, potentially insecure matching.

Jouni Malinen j at w1.fi
Sun Mar 6 12:39:58 PST 2016

On Sun, Mar 06, 2016 at 08:23:01PM +0000, Nick Lowe wrote:
> Requiring a match against all the session identifying attributes
> supplied would be fine and, of course, an order of precedence would be
> not applicable and meaningless at this point.
> That would be stricter than what the patch I submitted does.
> Currently hostapd implements faulty logic such that any session
> identifying attribute that matches is acceptable.
> Herein lies the fault in the implementation.

Could you please be more specific here? The current implementation
matches all the session identifying attributes and requires all of them
to match.

> In the case that more than one session is matched, hostapd currently
> elects to do nothing.

"Does nothing" is somewhat inaccurate. hostapd rejects the request in such
a case with Error-Cause 508 (Multiple Session Selection Unsupported).

> If this was changed in the future to permit more than one session to
> be matched, this could result in unexpected sessions being changed or
> disconnected.

What would be unexpected? DAC better know what it is doing and if it
does not use specific enough attributes, it'll get what it asks for..

> At present, this may result in expected sessions not being changed or
> disconnected due to multiple sessions being matched.

Only if DAC specified overly flexible identifying attributes. Or do you
have a specific example of attributes where more than a single match
were to be expected?

> Where the User-Name is being sent as a session identifying attribute
> alongside others, this can be manipulated to cause deliberate
> malfunction of CoA-Request and Disconnect-Request by stations.

How would User-Name alongside others do anything here if the other
attributes are specific enough to find a single match? Even if that
User-Name were to match multiple sessions, only the one also matching
the other, more specific, attributes would be identified.

Jouni Malinen                                            PGP id EFC895FA
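
The matching semantics described in this reply (every supplied identifying attribute must match, and more than one matching session is rejected with Error-Cause 508), as an added example that is not part of the original message and is not hostapd's code. The structures, function names, the sample table and the handling of a request with no identifying attribute are assumptions of this sketch.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified records; not hostapd's own structures. */
struct session { const char *user_name, *calling_station_id, *acct_session_id; };
struct das_req { const char *user_name, *calling_station_id, *acct_session_id; };

/* RFC 5176 Error-Cause values used below. */
enum { DAS_OK = 0, ERR_MISSING_ATTRIBUTE = 402,
       ERR_SESSION_NOT_FOUND = 503, ERR_MULTIPLE_SESSIONS = 508 };

/* Constructed sample table: two sessions share one User-Name. */
const struct session sample[] = {
    { "alice", "02-00-00-00-00-01", "A1" },
    { "alice", "02-00-00-00-00-02", "A2" },
    { "bob",   "02-00-00-00-00-03", "B1" },
};

/* An attribute absent from the request (NULL) does not constrain the match;
 * an attribute that is present must compare equal. */
static int attr_ok(const char *want, const char *have)
{
    return want == NULL || (have != NULL && strcmp(want, have) == 0);
}

/* Sets *out and returns DAS_OK only when exactly one session matches ALL
 * supplied attributes; otherwise *out is NULL and an Error-Cause is returned. */
int das_find_session(const struct session *tab, size_t n,
                     const struct das_req *req, const struct session **out)
{
    size_t i, hits = 0;

    *out = NULL;
    /* Assumption of this sketch: an empty selector is refused outright. */
    if (!req->user_name && !req->calling_station_id && !req->acct_session_id)
        return ERR_MISSING_ATTRIBUTE;
    for (i = 0; i < n; i++) {
        if (attr_ok(req->user_name, tab[i].user_name) &&
            attr_ok(req->calling_station_id, tab[i].calling_station_id) &&
            attr_ok(req->acct_session_id, tab[i].acct_session_id) &&
            hits++ == 0)
            *out = &tab[i];
    }
    if (hits == 1)
        return DAS_OK;
    *out = NULL; /* never act on an ambiguous or empty selection */
    return hits ? ERR_MULTIPLE_SESSIONS : ERR_SESSION_NOT_FOUND;
}
```
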