diff options
author | Johannes Berg <johannes@sipsolutions.net> | 2007-08-28 17:01:52 -0400 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2007-10-10 19:48:42 -0400 |
commit | 1a84f3fd141d2105d80290316bfa772ba34e9c64 (patch) | |
tree | 725c7aea7e8b88815d9c64b7a1e3f10858473574 /net | |
parent | aaa92e9a743c740005d8a592dbc1b3ca310d35b5 (diff) |
[MAC80211]: ratelimit some RX messages
Many if not all of these messages can be triggered by sending
a few rogue frames which is trivially done and then we overflow
our logs.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Acked-by: Michael Wu <flamingice@sourmilk.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/mac80211/rx.c | 122 |
1 files changed, 74 insertions, 48 deletions
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index 01176ba52df4..7a6e60fcf9d0 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c | |||
@@ -336,13 +336,16 @@ ieee80211_rx_h_load_key(struct ieee80211_txrx_data *rx) | |||
336 | if (!rx->key) { | 336 | if (!rx->key) { |
337 | if (!rx->u.rx.ra_match) | 337 | if (!rx->u.rx.ra_match) |
338 | return TXRX_DROP; | 338 | return TXRX_DROP; |
339 | printk(KERN_DEBUG "%s: RX WEP frame with " | 339 | if (net_ratelimit()) |
340 | "unknown keyidx %d (A1=" MAC_FMT " A2=" | 340 | printk(KERN_DEBUG "%s: RX WEP frame " |
341 | MAC_FMT " A3=" MAC_FMT ")\n", | 341 | "with unknown keyidx %d " |
342 | rx->dev->name, keyidx, | 342 | "(A1=" MAC_FMT |
343 | MAC_ARG(hdr->addr1), | 343 | " A2=" MAC_FMT |
344 | MAC_ARG(hdr->addr2), | 344 | " A3=" MAC_FMT ")\n", |
345 | MAC_ARG(hdr->addr3)); | 345 | rx->dev->name, keyidx, |
346 | MAC_ARG(hdr->addr1), | ||
347 | MAC_ARG(hdr->addr2), | ||
348 | MAC_ARG(hdr->addr3)); | ||
346 | if (!rx->local->apdev) | 349 | if (!rx->local->apdev) |
347 | return TXRX_DROP; | 350 | return TXRX_DROP; |
348 | ieee80211_rx_mgmt( | 351 | ieee80211_rx_mgmt( |
@@ -526,16 +529,18 @@ ieee80211_rx_h_wep_decrypt(struct ieee80211_txrx_data *rx) | |||
526 | return TXRX_CONTINUE; | 529 | return TXRX_CONTINUE; |
527 | 530 | ||
528 | if (!rx->key) { | 531 | if (!rx->key) { |
529 | printk(KERN_DEBUG "%s: RX WEP frame, but no key set\n", | 532 | if (net_ratelimit()) |
530 | rx->dev->name); | 533 | printk(KERN_DEBUG "%s: RX WEP frame, but no key set\n", |
534 | rx->dev->name); | ||
531 | return TXRX_DROP; | 535 | return TXRX_DROP; |
532 | } | 536 | } |
533 | 537 | ||
534 | if (!(rx->u.rx.status->flag & RX_FLAG_DECRYPTED) || | 538 | if (!(rx->u.rx.status->flag & RX_FLAG_DECRYPTED) || |
535 | rx->key->force_sw_encrypt) { | 539 | rx->key->force_sw_encrypt) { |
536 | if (ieee80211_wep_decrypt(rx->local, rx->skb, rx->key)) { | 540 | if (ieee80211_wep_decrypt(rx->local, rx->skb, rx->key)) { |
537 | printk(KERN_DEBUG "%s: RX WEP frame, decrypt " | 541 | if (net_ratelimit()) |
538 | "failed\n", rx->dev->name); | 542 | printk(KERN_DEBUG "%s: RX WEP frame, decrypt " |
543 | "failed\n", rx->dev->name); | ||
539 | return TXRX_DROP; | 544 | return TXRX_DROP; |
540 | } | 545 | } |
541 | } else if (rx->local->hw.flags & IEEE80211_HW_WEP_INCLUDE_IV) { | 546 | } else if (rx->local->hw.flags & IEEE80211_HW_WEP_INCLUDE_IV) { |
@@ -692,12 +697,15 @@ ieee80211_rx_h_defragment(struct ieee80211_txrx_data *rx) | |||
692 | } | 697 | } |
693 | rpn = rx->key->u.ccmp.rx_pn[rx->u.rx.queue]; | 698 | rpn = rx->key->u.ccmp.rx_pn[rx->u.rx.queue]; |
694 | if (memcmp(pn, rpn, CCMP_PN_LEN) != 0) { | 699 | if (memcmp(pn, rpn, CCMP_PN_LEN) != 0) { |
695 | printk(KERN_DEBUG "%s: defrag: CCMP PN not sequential" | 700 | if (net_ratelimit()) |
696 | " A2=" MAC_FMT " PN=%02x%02x%02x%02x%02x%02x " | 701 | printk(KERN_DEBUG "%s: defrag: CCMP PN not " |
697 | "(expected %02x%02x%02x%02x%02x%02x)\n", | 702 | "sequential A2=" MAC_FMT |
698 | rx->dev->name, MAC_ARG(hdr->addr2), | 703 | " PN=%02x%02x%02x%02x%02x%02x " |
699 | rpn[0], rpn[1], rpn[2], rpn[3], rpn[4], rpn[5], | 704 | "(expected %02x%02x%02x%02x%02x%02x)\n", |
700 | pn[0], pn[1], pn[2], pn[3], pn[4], pn[5]); | 705 | rx->dev->name, MAC_ARG(hdr->addr2), |
706 | rpn[0], rpn[1], rpn[2], rpn[3], rpn[4], | ||
707 | rpn[5], pn[0], pn[1], pn[2], pn[3], | ||
708 | pn[4], pn[5]); | ||
701 | return TXRX_DROP; | 709 | return TXRX_DROP; |
702 | } | 710 | } |
703 | memcpy(entry->last_pn, pn, CCMP_PN_LEN); | 711 | memcpy(entry->last_pn, pn, CCMP_PN_LEN); |
@@ -875,8 +883,9 @@ ieee80211_rx_h_drop_unencrypted(struct ieee80211_txrx_data *rx) | |||
875 | (rx->key || rx->sdata->drop_unencrypted) && | 883 | (rx->key || rx->sdata->drop_unencrypted) && |
876 | (rx->sdata->eapol == 0 || | 884 | (rx->sdata->eapol == 0 || |
877 | !ieee80211_is_eapol(rx->skb)))) { | 885 | !ieee80211_is_eapol(rx->skb)))) { |
878 | printk(KERN_DEBUG "%s: RX non-WEP frame, but expected " | 886 | if (net_ratelimit()) |
879 | "encryption\n", rx->dev->name); | 887 | printk(KERN_DEBUG "%s: RX non-WEP frame, but expected " |
888 | "encryption\n", rx->dev->name); | ||
880 | return TXRX_DROP; | 889 | return TXRX_DROP; |
881 | } | 890 | } |
882 | return TXRX_CONTINUE; | 891 | return TXRX_CONTINUE; |
@@ -922,10 +931,15 @@ ieee80211_rx_h_data(struct ieee80211_txrx_data *rx) | |||
922 | 931 | ||
923 | if (unlikely(sdata->type != IEEE80211_IF_TYPE_AP && | 932 | if (unlikely(sdata->type != IEEE80211_IF_TYPE_AP && |
924 | sdata->type != IEEE80211_IF_TYPE_VLAN)) { | 933 | sdata->type != IEEE80211_IF_TYPE_VLAN)) { |
925 | printk(KERN_DEBUG "%s: dropped ToDS frame (BSSID=" | 934 | if (net_ratelimit()) |
926 | MAC_FMT " SA=" MAC_FMT " DA=" MAC_FMT ")\n", | 935 | printk(KERN_DEBUG "%s: dropped ToDS frame " |
927 | dev->name, MAC_ARG(hdr->addr1), | 936 | "(BSSID=" MAC_FMT |
928 | MAC_ARG(hdr->addr2), MAC_ARG(hdr->addr3)); | 937 | " SA=" MAC_FMT |
938 | " DA=" MAC_FMT ")\n", | ||
939 | dev->name, | ||
940 | MAC_ARG(hdr->addr1), | ||
941 | MAC_ARG(hdr->addr2), | ||
942 | MAC_ARG(hdr->addr3)); | ||
929 | return TXRX_DROP; | 943 | return TXRX_DROP; |
930 | } | 944 | } |
931 | break; | 945 | break; |
@@ -935,12 +949,16 @@ ieee80211_rx_h_data(struct ieee80211_txrx_data *rx) | |||
935 | memcpy(src, hdr->addr4, ETH_ALEN); | 949 | memcpy(src, hdr->addr4, ETH_ALEN); |
936 | 950 | ||
937 | if (unlikely(sdata->type != IEEE80211_IF_TYPE_WDS)) { | 951 | if (unlikely(sdata->type != IEEE80211_IF_TYPE_WDS)) { |
938 | printk(KERN_DEBUG "%s: dropped FromDS&ToDS frame (RA=" | 952 | if (net_ratelimit()) |
939 | MAC_FMT " TA=" MAC_FMT " DA=" MAC_FMT " SA=" | 953 | printk(KERN_DEBUG "%s: dropped FromDS&ToDS " |
940 | MAC_FMT ")\n", | 954 | "frame (RA=" MAC_FMT |
941 | rx->dev->name, MAC_ARG(hdr->addr1), | 955 | " TA=" MAC_FMT " DA=" MAC_FMT |
942 | MAC_ARG(hdr->addr2), MAC_ARG(hdr->addr3), | 956 | " SA=" MAC_FMT ")\n", |
943 | MAC_ARG(hdr->addr4)); | 957 | rx->dev->name, |
958 | MAC_ARG(hdr->addr1), | ||
959 | MAC_ARG(hdr->addr2), | ||
960 | MAC_ARG(hdr->addr3), | ||
961 | MAC_ARG(hdr->addr4)); | ||
944 | return TXRX_DROP; | 962 | return TXRX_DROP; |
945 | } | 963 | } |
946 | break; | 964 | break; |
@@ -1015,15 +1033,16 @@ ieee80211_rx_h_data(struct ieee80211_txrx_data *rx) | |||
1015 | /* send multicast frames both to higher layers in | 1033 | /* send multicast frames both to higher layers in |
1016 | * local net stack and back to the wireless media */ | 1034 | * local net stack and back to the wireless media */ |
1017 | skb2 = skb_copy(skb, GFP_ATOMIC); | 1035 | skb2 = skb_copy(skb, GFP_ATOMIC); |
1018 | if (!skb2) | 1036 | if (!skb2 && net_ratelimit()) |
1019 | printk(KERN_DEBUG "%s: failed to clone " | 1037 | printk(KERN_DEBUG "%s: failed to clone " |
1020 | "multicast frame\n", dev->name); | 1038 | "multicast frame\n", dev->name); |
1021 | } else { | 1039 | } else { |
1022 | struct sta_info *dsta; | 1040 | struct sta_info *dsta; |
1023 | dsta = sta_info_get(local, skb->data); | 1041 | dsta = sta_info_get(local, skb->data); |
1024 | if (dsta && !dsta->dev) { | 1042 | if (dsta && !dsta->dev) { |
1025 | printk(KERN_DEBUG "Station with null dev " | 1043 | if (net_ratelimit()) |
1026 | "structure!\n"); | 1044 | printk(KERN_DEBUG "Station with null " |
1045 | "dev structure!\n"); | ||
1027 | } else if (dsta && dsta->dev == dev) { | 1046 | } else if (dsta && dsta->dev == dev) { |
1028 | /* Destination station is associated to this | 1047 | /* Destination station is associated to this |
1029 | * AP, so send the frame directly to it and | 1048 | * AP, so send the frame directly to it and |
@@ -1135,24 +1154,28 @@ static void ieee80211_rx_michael_mic_report(struct net_device *dev, | |||
1135 | 1154 | ||
1136 | /* TODO: verify that this is not triggered by fragmented | 1155 | /* TODO: verify that this is not triggered by fragmented |
1137 | * frames (hw does not verify MIC for them). */ | 1156 | * frames (hw does not verify MIC for them). */ |
1138 | printk(KERN_DEBUG "%s: TKIP hwaccel reported Michael MIC " | 1157 | if (net_ratelimit()) |
1139 | "failure from " MAC_FMT " to " MAC_FMT " keyidx=%d\n", | 1158 | printk(KERN_DEBUG "%s: TKIP hwaccel reported Michael MIC " |
1140 | dev->name, MAC_ARG(hdr->addr2), MAC_ARG(hdr->addr1), keyidx); | 1159 | "failure from " MAC_FMT " to " MAC_FMT " keyidx=%d\n", |
1160 | dev->name, MAC_ARG(hdr->addr2), MAC_ARG(hdr->addr1), | ||
1161 | keyidx); | ||
1141 | 1162 | ||
1142 | if (!sta) { | 1163 | if (!sta) { |
1143 | /* Some hardware versions seem to generate incorrect | 1164 | /* Some hardware versions seem to generate incorrect |
1144 | * Michael MIC reports; ignore them to avoid triggering | 1165 | * Michael MIC reports; ignore them to avoid triggering |
1145 | * countermeasures. */ | 1166 | * countermeasures. */ |
1146 | printk(KERN_DEBUG "%s: ignored spurious Michael MIC " | 1167 | if (net_ratelimit()) |
1147 | "error for unknown address " MAC_FMT "\n", | 1168 | printk(KERN_DEBUG "%s: ignored spurious Michael MIC " |
1148 | dev->name, MAC_ARG(hdr->addr2)); | 1169 | "error for unknown address " MAC_FMT "\n", |
1170 | dev->name, MAC_ARG(hdr->addr2)); | ||
1149 | goto ignore; | 1171 | goto ignore; |
1150 | } | 1172 | } |
1151 | 1173 | ||
1152 | if (!(rx->fc & IEEE80211_FCTL_PROTECTED)) { | 1174 | if (!(rx->fc & IEEE80211_FCTL_PROTECTED)) { |
1153 | printk(KERN_DEBUG "%s: ignored spurious Michael MIC " | 1175 | if (net_ratelimit()) |
1154 | "error for a frame with no ISWEP flag (src " | 1176 | printk(KERN_DEBUG "%s: ignored spurious Michael MIC " |
1155 | MAC_FMT ")\n", dev->name, MAC_ARG(hdr->addr2)); | 1177 | "error for a frame with no ISWEP flag (src " |
1178 | MAC_FMT ")\n", dev->name, MAC_ARG(hdr->addr2)); | ||
1156 | goto ignore; | 1179 | goto ignore; |
1157 | } | 1180 | } |
1158 | 1181 | ||
@@ -1164,9 +1187,11 @@ static void ieee80211_rx_michael_mic_report(struct net_device *dev, | |||
1164 | * for group keys and only the AP is sending real multicast | 1187 | * for group keys and only the AP is sending real multicast |
1165 | * frames in BSS. */ | 1188 | * frames in BSS. */ |
1166 | if (keyidx) { | 1189 | if (keyidx) { |
1167 | printk(KERN_DEBUG "%s: ignored Michael MIC error for " | 1190 | if (net_ratelimit()) |
1168 | "a frame with non-zero keyidx (%d) (src " MAC_FMT | 1191 | printk(KERN_DEBUG "%s: ignored Michael MIC " |
1169 | ")\n", dev->name, keyidx, MAC_ARG(hdr->addr2)); | 1192 | "error for a frame with non-zero keyidx" |
1193 | " (%d) (src " MAC_FMT ")\n", dev->name, | ||
1194 | keyidx, MAC_ARG(hdr->addr2)); | ||
1170 | goto ignore; | 1195 | goto ignore; |
1171 | } | 1196 | } |
1172 | } | 1197 | } |
@@ -1174,10 +1199,11 @@ static void ieee80211_rx_michael_mic_report(struct net_device *dev, | |||
1174 | if ((rx->fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_DATA && | 1199 | if ((rx->fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_DATA && |
1175 | ((rx->fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_MGMT || | 1200 | ((rx->fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_MGMT || |
1176 | (rx->fc & IEEE80211_FCTL_STYPE) != IEEE80211_STYPE_AUTH)) { | 1201 | (rx->fc & IEEE80211_FCTL_STYPE) != IEEE80211_STYPE_AUTH)) { |
1177 | printk(KERN_DEBUG "%s: ignored spurious Michael MIC " | 1202 | if (net_ratelimit()) |
1178 | "error for a frame that cannot be encrypted " | 1203 | printk(KERN_DEBUG "%s: ignored spurious Michael MIC " |
1179 | "(fc=0x%04x) (src " MAC_FMT ")\n", | 1204 | "error for a frame that cannot be encrypted " |
1180 | dev->name, rx->fc, MAC_ARG(hdr->addr2)); | 1205 | "(fc=0x%04x) (src " MAC_FMT ")\n", |
1206 | dev->name, rx->fc, MAC_ARG(hdr->addr2)); | ||
1181 | goto ignore; | 1207 | goto ignore; |
1182 | } | 1208 | } |
1183 | 1209 | ||