From ee3a044b757d43a16340096cd9f4185a41ff3d9c Mon Sep 17 00:00:00 2001
From: Denis Kenzior <denkenz@gmail.com>
Date: Tue, 10 May 2022 16:03:54 -0500
Subject: [PATCH] eapol: authenticator: Drop unencrypted EAPoL frames

After the initial handshake, once the TK has been installed, all frames
coming to the AP should be encrypted.  However, it seems that some
kernel/driver combinations allow unencrypted EAPoL frames to be received
and forwarded to userspace.  This can lead to various attacks.

Some drivers can report whether the EAPoL frame has been received
unencrypted.  Use this information to drop unencrypted EAPoL frames
received after the initial handshake has been completed.
---
 src/eapol.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/eapol.c b/src/eapol.c
index 45bfaa8a..9f885d02 100644
--- a/src/eapol.c
+++ b/src/eapol.c
@@ -2547,6 +2547,11 @@ static void eapol_rx_auth_packet(uint16_t proto, const uint8_t *from,
 	if (proto != ETH_P_PAE || memcmp(from, sm->handshake->spa, 6))
 		return;
 
+	if (sm->handshake->ptk_complete && noencrypt) {
+		l_debug("Dropping unexpected unencrypted EAPoL frame");
+		return;
+	}
+
 	switch (frame->header.packet_type) {
 	case 0:	/* EAPOL-EAP */
 		if (!sm->eap) {