Bug 1434434
| Field | Value |
|---|---|
| Summary | wpa_supplicant is responding to packets which are not destined for it. |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Fani Orestiadou <forestia> |
| Component | wpa_supplicant |
| Assignee | Davide Caratti <dcaratti> |
| Status | CLOSED ERRATA |
| QA Contact | Ken Benoit <kbenoit> |
| Severity | medium |
| Docs Contact | Ioanna Gkioka <igkioka> |
| Priority | medium |
| Version | 7.0 |
| CC | aloughla, atragler, bgalvani, cww, dcaratti, dcbw, fkrska, forestia, igkioka, rkhan, sukulkar |
| Target Milestone | rc |
| Target Release | 7.6 |
| Hardware | x86_64 |
| OS | Linux |
| Doc Type | Bug Fix |

Doc Text:

*wpa_supplicant* no longer responds to packets whose destination address does not match the interface address

Previously, when *wpa_supplicant* was running on a Linux interface that was configured in `promiscuous` mode, incoming Extensible Authentication Protocol over LAN (EAPOL) packets were processed regardless of the destination address in the frame. However, *wpa_supplicant* checked the destination address only if the interface was enslaved to a bridge. As a consequence, in certain cases, *wpa_supplicant* was responding to EAPOL packets when the destination address was not the interface address. With this update, a socket filter has been added that allows the kernel to discard unicast EAPOL packets whose destination address does not match the interface address, and the described problem no longer occurs.

| Field | Value |
|---|---|
| Story Points | --- |
| | 1582501 |
| Last Closed | 2018-10-30 09:48:39 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1477664, 1554861, 1582501 |

Description
Fani Orestiadou
2017-03-21 13:48:35 UTC
Used the reproducer supplied in comment 3 (with some fixes to the script and updated certs) and confirmed that tcpdump captured a packet ("vetha: CTRL-EVENT-EAP-STARTED EAP authentication started") when the reproducer was run against RHEL-7.5. Installed RHEL-7.6-20180823.n.0 on the system and reran the reproducer. tcpdump did not capture any packets on that run. Marking as verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:3107
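
The destination-address check that the Doc Text above describes can be written as a classic BPF socket filter. The following is an added example, not the patch shipped in the erratum and not wpa_supplicant's own code. It assumes a `SOCK_RAW` packet socket already bound to the EAPOL EtherType, so byte 0 of the buffer is the destination MAC; the function names and sample addresses are hypothetical.

```c
#include <linux/filter.h>  /* struct sock_filter, BPF_STMT, BPF_JUMP */
#include <stdint.h>
#include <stdio.h>

/* Classic BPF over a buffer whose byte 0 is the destination MAC (assumed
 * SOCK_RAW): accept group-addressed frames and frames to own[], drop the rest. */
static void eapol_build_filter(struct sock_filter p[8], const uint8_t own[6])
{
    uint32_t hi = (uint32_t)own[0] << 24 | own[1] << 16 | own[2] << 8 | own[3];
    uint32_t lo = (uint32_t)own[4] << 8 | own[5];
    p[0] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_B | BPF_ABS, 0);         /* A = dst[0] */
    p[1] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, 1, 4, 0); /* group bit -> accept */
    p[2] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, 0);         /* A = dst[0..3] */
    p[3] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, hi, 0, 3); /* mismatch -> drop */
    p[4] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_H | BPF_ABS, 4);         /* A = dst[4..5] */
    p[5] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, lo, 0, 1); /* mismatch -> drop */
    p[6] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, 0x40000);            /* accept */
    p[7] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, 0);                  /* drop */
}

/* Userspace evaluation of the BPF subset used above; returns bytes kept (0 = drop). */
static uint32_t eapol_run_filter(const struct sock_filter p[8], const uint8_t *f, uint32_t len)
{
    uint32_t a = 0;
    for (uint32_t pc = 0; pc < 8; pc++) {
        uint32_t k = p[pc].k, n = 0;
        switch (p[pc].code) {
        case BPF_LD | BPF_W | BPF_ABS: a = 0; n = 4; break;
        case BPF_LD | BPF_H | BPF_ABS: a = 0; n = 2; break;
        case BPF_LD | BPF_B | BPF_ABS: a = 0; n = 1; break;
        case BPF_JMP | BPF_JEQ | BPF_K:  pc += (a == k) ? p[pc].jt : p[pc].jf; break;
        case BPF_JMP | BPF_JSET | BPF_K: pc += (a & k) ? p[pc].jt : p[pc].jf; break;
        default: return p[pc].code == (BPF_RET | BPF_K) ? k : 0;
        }
        if (n && k + n > len) return 0;  /* out-of-range load drops the frame */
        for (; n > 0; n--) a = a << 8 | f[k++];
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: EAPOL-Start sent to a station other than own[]. */
    const uint8_t own[6] = {0x02, 0, 0, 0, 0, 0x01};
    const uint8_t frame[18] = {0x02,0,0,0,0,0x02, 0x02,0,0,0,0,0x03, 0x88,0x8e, 1,1,0,0};
    struct sock_filter prog[8];
    eapol_build_filter(prog, own);
    printf("bytes delivered: %u\n", eapol_run_filter(prog, frame, sizeof frame));
    return 0;
}
```

A program built this way is attached to a socket with `setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, ...)` using a `struct sock_fprog`, after which the kernel drops non-matching unicast frames before the process sees them, promiscuous mode or not. `eapol_run_filter` exists only so the accept/drop decision can be checked without privileges.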