From: Adrian Chadd
To: Bernhard Schmidt
Cc: freebsd-wireless@freebsd.org
Date: Thu, 27 Oct 2011 10:45:24 +0800
Subject: Re: [patch] net80211: reject STA frames not destined to the current STA VAP MAC address

On 27 October 2011 03:23, Bernhard Schmidt wrote:

> I doubt this is necessary. Receiving frames with DST != vap->iv_myaddr
> works just fine with iwn(4) and WPA.

But it does, and it does mess up the crypto IV tracking.

I added debugging to net80211 to track what happens:

* a frame that doesn't match the station destination address comes in;
* it doesn't have a crypto key, and it doesn't match any MAC address;
* so it's sent to all VAPs via ieee80211_input_all();
* somehow it ends up updating the crypto state for the BSS, setting the IV to what was in the destination address, as well as the sequence number;
* subsequent frames (to the real station destination) are now dropped because the replay attack code and/or the sequence number tracking code drops the frame.

I traced it down to the driver handing off the net80211 STA code a frame whose destination is not the STA and is an AP->STA frame.

Adrian
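The failure sequence listed in the message above, as a simplified model added here; it is not net80211 code and not part of the original mail. It assumes a single replay counter per station, and the names `sta_rx`, `frame`, `sta_input` and `own_frames_accepted` are hypothetical, as is the constructed traffic.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define ADDR_LEN 6

/* Hypothetical receive state; not a net80211 structure. */
struct sta_rx {
    uint8_t  myaddr[ADDR_LEN]; /* plays the role of vap->iv_myaddr */
    uint64_t last_pn;          /* highest packet number accepted so far */
    bool     check_dst;        /* true: drop unicast frames for other MACs */
};

struct frame {
    uint8_t  dst[ADDR_LEN];
    uint64_t pn;               /* per-frame counter carried in the IV */
};

/* Returns true if the frame is accepted and the replay state advanced. */
static bool sta_input(struct sta_rx *rx, const struct frame *f)
{
    bool group = (f->dst[0] & 0x01) != 0; /* assumption: group frames pass */

    if (rx->check_dst && !group &&
        memcmp(f->dst, rx->myaddr, ADDR_LEN) != 0)
        return false;          /* rejected before any crypto bookkeeping */
    if (f->pn <= rx->last_pn)
        return false;          /* replay check: counter must increase */
    rx->last_pn = f->pn;
    return true;
}

/* Constructed traffic: own frame, stray AP->STA frame, two more own frames.
 * Returns how many of the three own frames were accepted. */
static int own_frames_accepted(bool check_dst)
{
    struct sta_rx rx = { {0x02, 0, 0, 0, 0, 0x01}, 0, check_dst };
    struct frame own1  = { {0x02, 0, 0, 0, 0, 0x01}, 10 };
    struct frame stray = { {0x02, 0, 0, 0, 0, 0x99}, 5000 };
    struct frame own2  = { {0x02, 0, 0, 0, 0, 0x01}, 11 };
    struct frame own3  = { {0x02, 0, 0, 0, 0, 0x01}, 12 };
    int ok = sta_input(&rx, &own1);

    (void)sta_input(&rx, &stray);  /* advances last_pn when unfiltered */
    ok += sta_input(&rx, &own2);
    ok += sta_input(&rx, &own3);
    return ok;
}

int main(void) { return own_frames_accepted(true) == 3 ? 0 : 1; }
```

Without the destination check the stray frame moves the counter to 5000, so the station's next two frames fail the replay test; with the check all three are accepted.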