Date: Thu, 27 Oct 2011 10:45:24 +0800 From: Adrian Chadd <adrian@freebsd.org> To: Bernhard Schmidt <bschmidt@freebsd.org> Cc: freebsd-wireless@freebsd.org Subject: Re: [patch] net80211: reject STA frames not destined to the current STA VAP MAC address Message-ID: <CAJ-Vmo=jYt4zddQyKw85Gxi-TFB8ETjQYFjQTTEjuWvdXmC97Q@mail.gmail.com> In-Reply-To: <201110262123.55543.bschmidt@freebsd.org> References: <CAJ-Vmo=CZ-c0QN_qoXQa4gyo5MyxL=DUzy6nXkX27HEDr17iqA@mail.gmail.com> <201110262123.55543.bschmidt@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 27 October 2011 03:23, Bernhard Schmidt <bschmidt@freebsd.org> wrote: > I doubt this is necessary. Receiving frames with DST != vap->iv_myaddr > works just fine with iwn(4) and WPA. But it does, and it does mess up the crypto IV tracking. I added debugging to net80211 to track what happens: * a frame that doesn't match the station destination address comes in; * it doesn't have a crypto key, and it doesn't match any mac address; * so it's sent to all VAPs via ieee80211_input_all(); * somehow it ends up updating the crypto state for the BSS, setting the IV to what was in the destination address, as well as the sequence number; * subsequent frames (to the real station destination) are now dropped because the replay attack code and/or the sequence number tracking code drops the frame. I traced it down to the driver handing off the net80211 STA code a frame whose destination is not the STA and is an AP->STA frame. Adrian
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAJ-Vmo=jYt4zddQyKw85Gxi-TFB8ETjQYFjQTTEjuWvdXmC97Q>