From: Adrian Chadd
Date: Tue, 8 Nov 2011 14:28:33 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r227338 - head/sys/net80211

Author: adrian
Date: Tue Nov 8 14:28:33 2011
New Revision: 227338
URL: http://svn.freebsd.org/changeset/base/227338

Log:
  Reject frames in STA mode which are not destined to the local STA address.

  Some hardware (eg the AR9160 in STA mode) seems to "leak" unicast FROMDS
  frames which aren't destined to itself. This angers the net80211 stack -
  the existing code would fail to find an address in the node table and try
  passing the frame up to each vap BSS. It would then be accepted in the
  input routine and its contents would update the local crypto and sequence
  number state.

  If the sequence number / crypto IV replay counters from the leaked frame
  were greater than the "real" state, subsequent "real" frames would be
  rejected due to out of sequence / IV replay conditions.

  This is also likely helpful if/when multi-STA modes are added to net80211.

  Sponsored by: Hobnob, Inc.

Modified: head/sys/net80211/ieee80211_sta.c

Modified: head/sys/net80211/ieee80211_sta.c ============================================================================== --- head/sys/net80211/ieee80211_sta.c Tue Nov 8 14:24:33 2011 (r227337) +++ head/sys/net80211/ieee80211_sta.c Tue Nov 8 14:28:33 2011 (r227338) 
@@ -584,6 +584,30 @@ sta_input(struct ieee80211_node *ni, str vap->iv_stats.is_rx_wrongbss++; goto out; } + + /* + * Some devices may be in a promiscuous mode + * where they receive frames for multiple station + * addresses. + * + * If we receive a data frame that isn't + * destined to our VAP MAC, drop it. + * + * XXX TODO: This is only enforced when not scanning; + * XXX it assumes a software-driven scan will put the NIC + * XXX into a "no data frames" mode before setting this + * XXX flag. Otherwise it may be possible that we'll still + * XXX process data frames whilst scanning. + */ + if ((! IEEE80211_IS_MULTICAST(wh->i_addr1)) + && (! IEEE80211_ADDR_EQ(wh->i_addr1, IF_LLADDR(ifp)))) { + IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, + bssid, NULL, "not to cur sta: lladdr=%6D, addr1=%6D", + IF_LLADDR(ifp), ":", wh->i_addr1, ":"); + vap->iv_stats.is_rx_wrongbss++; + goto out; + } + IEEE80211_RSSI_LPF(ni->ni_avgrssi, rssi); ni->ni_noise = nf; if (HAS_SEQ(type) && !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
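
Review bot: the added comment says a data frame not destined to the VAP MAC is dropped, but the condition on `wh->i_addr1` carries no frame-type test, so every unicast frame whose addr1 differs from `IF_LLADDR(ifp)` takes the `goto out` path, management and control frames included. If that is intended, the comment should say so; if not, the check should be gated on the frame type, using the `type` value that `HAS_SEQ(type)` already consumes a few lines below. The XXX note also states that the check is only enforced when not scanning, yet no scan test appears in the added condition, so the comment should name the enclosing check it relies on. The drop increments `vap->iv_stats.is_rx_wrongbss`, the same counter as the BSSID mismatch directly above, which makes the two causes indistinguishable in the statistics when diagnosing the sequence number / IV replay rejections described in the log; a separate counter would keep them apart. Style: `(! IEEE80211_IS_MULTICAST(...))` with a space after `!` and a leading `&&` differs from the `!IEEE80211_IS_MULTICAST(wh->i_addr1)` form in the context line that follows.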