[PATCH] wifi: mac80211: only accept IBSS channel switch from our own BSSID

[PATCH] wifi: mac80211: only accept IBSS channel switch from our own BSSID

[Yingjie Cao]

ieee80211_rx_bss_info() acts on a channel switch announcement (CSA)
carried in a received beacon or probe response before it verifies that
the frame's BSSID matches our own IBSS; it only checks that the SSID
matches. ieee80211_rx_mgmt_spectrum_mgmt() acts on a spectrum management
(channel switch) action frame without checking the BSSID at all.

Because of this, any station in radio range that knows the IBSS SSID
(which is broadcast in cleartext) can inject a beacon or action frame
carrying a CSA element that points at an unsupported channel. The switch
then fails in ieee80211_ibss_process_chanswitch(), which queues
csa_connection_drop_work and tears the whole IBSS down. The members
rejoin and the attacker repeats, resulting in a persistent,
unauthenticated denial of service. Encrypted IBSS networks are equally
affected because beacons are not protected. Since both of these CSA
entry points are IBSS-specific, the impact is confined to IBSS (ad-hoc)
mode; managed-mode CSA is handled separately in mlme.c and is unaffected.

Only honour a channel switch that originates from our own IBSS, i.e.
when the BSSID matches. A CSA carried in a beacon from a foreign BSSID
that merely shares our SSID is now ignored; such a beacon remains a
candidate for the normal IBSS merge path. A channel switch coming from a
station in our own IBSS keeps working exactly as before.

Fixes: cd7760e62c2a ("mac80211: add support for CSA in IBSS mode")
Cc: stable@vger.kernel.org
Signed-off-by: Yingjie Cao <yingjcao@sigvoid.com>
---
 net/mac80211/ibss.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 97292ff51475..6440fd915aa5 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -895,6 +895,10 @@ ieee80211_rx_mgmt_spectrum_mgmt(struct ieee80211_sub_if_data *sdata,
 	if (mgmt->u.action.action_code != WLAN_ACTION_SPCT_CHL_SWITCH)
 		return;
 
+	/* only act on channel switch frames coming from our own IBSS */
+	if (!ether_addr_equal(mgmt->bssid, sdata->u.ibss.bssid))
+		return;
+
 	if (!sdata->vif.bss_conf.csa_active)
 		ieee80211_ibss_process_chanswitch(sdata, elems, false);
 }
@@ -1111,14 +1115,21 @@ static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
 				sdata->u.ibss.ssid_len))
 		goto put_bss;
 
-	/* process channel switch */
-	if (sdata->vif.bss_conf.csa_active ||
-	    ieee80211_ibss_process_chanswitch(sdata, elems, true))
+	/* don't process beacons while a channel switch is in progress */
+	if (sdata->vif.bss_conf.csa_active)
 		goto put_bss;
 
 	/* same BSSID */
-	if (ether_addr_equal(cbss->bssid, sdata->u.ibss.bssid))
+	if (ether_addr_equal(cbss->bssid, sdata->u.ibss.bssid)) {
+		/*
+		 * Only act on a channel switch announcement that comes from
+		 * our own IBSS (i.e. matching BSSID). Acting on a CSA from a
+		 * foreign BSSID that merely shares our SSID would let any
+		 * station force us off-channel or tear the cell down.
+		 */
+		ieee80211_ibss_process_chanswitch(sdata, elems, true);
 		goto put_bss;
+	}
 
 	/* we use a fixed BSSID */
 	if (sdata->u.ibss.fixed_bssid)
-- 
2.39.5 (Apple Git-154)

Re: [PATCH] wifi: mac80211: only accept IBSS channel switch from our own BSSID

[Johannes Berg]

On Tue, 2026-06-23 at 17:04 +0800, Yingjie Cao wrote:
> ieee80211_rx_bss_info() acts on a channel switch announcement (CSA)
> carried in a received beacon or probe response before it verifies that
> the frame's BSSID matches our own IBSS; it only checks that the SSID
> matches. ieee80211_rx_mgmt_spectrum_mgmt() acts on a spectrum management
> (channel switch) action frame without checking the BSSID at all.
> 
> Because of this, any station in radio range that knows the IBSS SSID
> (which is broadcast in cleartext) can inject a beacon or action frame
> carrying a CSA element that points at an unsupported channel. The switch
> then fails in ieee80211_ibss_process_chanswitch(), which queues
> csa_connection_drop_work and tears the whole IBSS down. The members
> rejoin and the attacker repeats, resulting in a persistent,
> unauthenticated denial of service. Encrypted IBSS networks are equally
> affected because beacons are not protected. Since both of these CSA
> entry points are IBSS-specific, the impact is confined to IBSS (ad-hoc)
> mode; managed-mode CSA is handled separately in mlme.c and is unaffected.

Once you rewrite this to be more honest, you'll see that the whole Cc
stable thing and all is fairly much pointless?

Or have you not realised yet that stations can also trivially fake their
MAC address?

johannes

Re: [PATCH] wifi: mac80211: only accept IBSS channel switch from our own BSSID

[Johannes Berg]

On Tue, 2026-06-23 at 11:10 +0200, Johannes Berg wrote:
> On Tue, 2026-06-23 at 17:04 +0800, Yingjie Cao wrote:
> > ieee80211_rx_bss_info() acts on a channel switch announcement (CSA)
> > carried in a received beacon or probe response before it verifies that
> > the frame's BSSID matches our own IBSS; it only checks that the SSID
> > matches. ieee80211_rx_mgmt_spectrum_mgmt() acts on a spectrum management
> > (channel switch) action frame without checking the BSSID at all.
> > 
> > Because of this, any station in radio range that knows the IBSS SSID
> > (which is broadcast in cleartext) can inject a beacon or action frame
> > carrying a CSA element that points at an unsupported channel. The switch
> > then fails in ieee80211_ibss_process_chanswitch(), which queues
> > csa_connection_drop_work and tears the whole IBSS down. The members
> > rejoin and the attacker repeats, resulting in a persistent,
> > unauthenticated denial of service. Encrypted IBSS networks are equally
> > affected because beacons are not protected. Since both of these CSA
> > entry points are IBSS-specific, the impact is confined to IBSS (ad-hoc)
> > mode; managed-mode CSA is handled separately in mlme.c and is unaffected.
> 
> Once you rewrite this to be more honest, you'll see that the whole Cc
> stable thing and all is fairly much pointless?
> 
> Or have you not realised yet that stations can also trivially fake their
> MAC address?

Also, since you don't have a track record in wifi, I'll point once again
to https://docs.kernel.org/process/coding-assistants.html

johannes

Re: [PATCH] wifi: mac80211: only accept IBSS channel switch from our own BSSID

[Nathan Howard]

On Tue, Jun 23, 2026 at 11:12:20AM +0200, Johannes Berg wrote:
> On Tue, 2026-06-23 at 11:10 +0200, Johannes Berg wrote:
> > On Tue, 2026-06-23 at 17:04 +0800, Yingjie Cao wrote:
> > > ieee80211_rx_bss_info() acts on a channel switch announcement (CSA)
> > > carried in a received beacon or probe response before it verifies that
> > > the frame's BSSID matches our own IBSS; it only checks that the SSID
> > > matches. ieee80211_rx_mgmt_spectrum_mgmt() acts on a spectrum management
> > > (channel switch) action frame without checking the BSSID at all.
> > > 
> > > Because of this, any station in radio range that knows the IBSS SSID
> > > (which is broadcast in cleartext) can inject a beacon or action frame
> > > carrying a CSA element that points at an unsupported channel. The switch
> > > then fails in ieee80211_ibss_process_chanswitch(), which queues
> > > csa_connection_drop_work and tears the whole IBSS down. The members
> > > rejoin and the attacker repeats, resulting in a persistent,
> > > unauthenticated denial of service. Encrypted IBSS networks are equally
> > > affected because beacons are not protected. Since both of these CSA
> > > entry points are IBSS-specific, the impact is confined to IBSS (ad-hoc)
> > > mode; managed-mode CSA is handled separately in mlme.c and is unaffected.
> > 
> > Once you rewrite this to be more honest, you'll see that the whole Cc
> > stable thing and all is fairly much pointless?
> > 
> > Or have you not realised yet that stations can also trivially fake their
> > MAC address?
> 
> Also, since you don't have a track record in wifi, I'll point once again
> to https://docs.kernel.org/process/coding-assistants.html
>

So, what's the litmus test?  I've been watching this list for some time
now.  I've seen (what appears) to be an ushering of distrust brought
on by llm's.  This also seems to have come into prominence within the last 6 or
so months.  I understand the cautious approach, but what if one's been
working diligently (and quietly), and has spent many hours studying and
preparing a driver series (for oneself and submission to the kernel)?
I've always done well by doing my homework the hard way.  But now,
submissions are met with skepticism... that the work must have been
assisted-by if the person doesn't have a track record.  How should one defend
his work (I'd rather not share credit with a machine when my work is my own)?
To be clear, my question is sourcing from what I've seen to be trending
more recently whereby several submissions have been ?softly? tagged as assisted-by.
Maybe they were, but my point still stands.  Kindly provide guidance.