[PATCH] The current behaviour of hostapd_das_find_sta() is undesirable as it can result in over broad, potentially insecure matching.

Jouni Malinen j at w1.fi
Sun Mar 6 12:39:58 PST 2016


On Sun, Mar 06, 2016 at 08:23:01PM +0000, Nick Lowe wrote:
> Requiring a match against all the session identifying attributes
> supplied would be fine and, of course, an order of precedence would be
> not applicable and meaningless at this point.
> That would be stricter than what the patch I submitted does.
> 
> Currently hostapd implements faulty logic such that any session
> identifying attribute that matches is acceptable.
> Herein lies the fault in the implementation.

Could you please be more specific here? The current implementation
matches all the session identifying attributes and requires all of them
to match.

> In the case that more than one session is matched, hostapd currently
> elects to do nothing.

Does nothing is somewhat inaccurate. hostapd rejects the request in such
a case with Error-Cause 508 (Multiple Session Selection Unsupported).

> If this was changed in the future to permit more than one session to
> be matched, this could result in unexpected sessions being changed or
> disconnected.

What would be unexpected? DAC better know what it is doing and if it
does not use specific enough attributes, it'll get what it asks for..

> At present, this may result in expected sessions not being changed or
> disconnected due to multiple sessions being matched.

Only if DAC specified overly flexible identifying attributes. Or do you
have a specific example of attributes where more than a single match
were to be expected?

> Where the User-Name is being sent as a session identifying attribute
> alongside others, this can be manipulated to cause deliberate
> malfunction of CoA-Request and Disconnect-Request by stations.

How would User-Name alongside others do anything here if the other
attributes are specific enough to find a single match? Even if that
User-Name were to match multiple sessions, only the one also matching
the other, more specific, attributes would be identified.

-- 
Jouni Malinen                                            PGP id EFC895FA
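
The lookup semantics discussed in this message (every supplied session identifying attribute must match, and more than one match is rejected with Error-Cause 508), as an added example that is not hostapd's code and not from either poster. The struct, function names and session table are constructed for illustration; Error-Cause 503 (Session Context Not Found) is taken from RFC 5176.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a DAS session lookup; NOT hostapd's implementation. */
enum { ERR_SESSION_NOT_FOUND = 503, ERR_MULTIPLE_SESSIONS = 508 }; /* RFC 5176 */

struct session { const char *user_name, *calling_station_id, *acct_session_id; };

/* Constructed sample data: two stations share one User-Name. */
static const struct session sessions[] = {
    { "alice", "02-00-00-00-00-01", "A1" },
    { "alice", "02-00-00-00-00-02", "A2" },
    { "bob",   "02-00-00-00-00-03", "A3" },
};
#define N_SESSIONS (sizeof(sessions) / sizeof(sessions[0]))

/* An attribute absent from the request (NULL) places no constraint. */
static int attr_ok(const char *want, const char *have)
{
    return want == NULL || strcmp(want, have) == 0;
}

/* Returns the index of the single session matching ALL supplied attributes,
 * or the negated Error-Cause when zero or several sessions match. */
int lookup(const char *user, const char *mac, const char *acct)
{
    int found = -1;
    size_t i;

    for (i = 0; i < N_SESSIONS; i++) {
        const struct session *s = &sessions[i];
        if (!attr_ok(user, s->user_name) ||
            !attr_ok(mac, s->calling_station_id) ||
            !attr_ok(acct, s->acct_session_id))
            continue;               /* one mismatch excludes the session */
        if (found >= 0)
            return -ERR_MULTIPLE_SESSIONS;  /* ambiguous: reject request */
        found = (int) i;
    }
    return found >= 0 ? found : -ERR_SESSION_NOT_FOUND;
}

int main(void)
{
    printf("User-Name only:        %d\n", lookup("alice", NULL, NULL));
    printf("User-Name + MAC:       %d\n", lookup("alice", "02-00-00-00-00-02", NULL));
    printf("User-Name + wrong MAC: %d\n", lookup("alice", "02-00-00-00-00-03", NULL));
    return 0;
}
```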


