[patch] net80211: reject STA frames not destined to the current STA VAP MAC address
Adrian Chadd
adrian at freebsd.org
Thu Oct 27 02:45:25 UTC 2011
On 27 October 2011 03:23, Bernhard Schmidt <bschmidt at freebsd.org> wrote:
> I doubt this is necessary. Receiving frames with DST != vap->iv_myaddr
> works just fine with iwn(4) and WPA.
But it does, and it does mess up the crypto IV tracking. I added
debugging to net80211 to track what happens:
* a frame that doesn't match the station destination address comes in;
* it doesn't have a crypto key, and it doesn't match any MAC address;
* so it's sent to all VAPs via ieee80211_input_all();
* somehow it ends up updating the crypto state for the BSS, setting
the IV to what was in the destination address, as well as the sequence
number;
* subsequent frames (to the real station destination) are now dropped
because the replay attack code and/or the sequence number tracking
code drops the frame.
I traced it down to the driver handing off the net80211 STA code a
frame whose destination is not the STA and is an AP->STA frame.
Adrian
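
The failure sequence described in the message above, as an added example that is not part of the original email and is not net80211 code: a simplified model of a receive path with one replay counter, run with and without a destination-address check ahead of the state update. The structures, function names, addresses and packet numbers are all hypothetical and constructed for the illustration, and only unicast frames are modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADDR_LEN 6

/* Hypothetical, simplified receive state; not net80211's structures. */
struct rx_state {
    uint8_t  myaddr[ADDR_LEN]; /* this station's MAC address */
    uint64_t last_pn;          /* highest packet number accepted so far */
};

struct frame {
    uint8_t  dst[ADDR_LEN];    /* destination address of the frame */
    uint64_t pn;               /* packet number from the crypto header */
};

/*
 * Returns 1 if the frame is accepted, 0 if it is dropped.
 * check_dst == 0: every frame reaches the replay check and may advance
 * last_pn. check_dst != 0: frames for another station are rejected
 * before any state is touched.
 */
static int rx_input(struct rx_state *st, const struct frame *f, int check_dst)
{
    if (check_dst && memcmp(f->dst, st->myaddr, ADDR_LEN) != 0)
        return 0;              /* not for us: no state update */
    if (f->pn <= st->last_pn)
        return 0;              /* treated as a replay */
    st->last_pn = f->pn;
    return 1;
}

/* One foreign frame, then three of our own; returns how many of ours pass. */
static int own_frames_accepted(int check_dst)
{
    struct rx_state st = { {0x02, 0, 0, 0, 0, 0x01}, 10 };      /* constructed */
    struct frame foreign = { {0x02, 0, 0, 0, 0, 0x02}, 5000 };  /* constructed */
    int accepted = 0;

    rx_input(&st, &foreign, check_dst);
    for (uint64_t pn = 11; pn <= 13; pn++) {
        struct frame mine = { {0x02, 0, 0, 0, 0, 0x01}, pn };
        accepted += rx_input(&st, &mine, check_dst);
    }
    return accepted;
}

int main(void)
{
    printf("no dst check: %d of 3 accepted\n", own_frames_accepted(0));
    printf("dst check:    %d of 3 accepted\n", own_frames_accepted(1));
    return 0;
}
```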