[patch] net80211: reject STA frames not destined to the current STA VAP MAC address

Bernhard Schmidt bschmidt at freebsd.org
Thu Oct 27 13:02:14 UTC 2011


On Thursday 27 October 2011 04:45:24 Adrian Chadd wrote:
> On 27 October 2011 03:23, Bernhard Schmidt <bschmidt at freebsd.org> wrote:
> 
> > I doubt this is necessary. Receiving frames with DST != vap->iv_myaddr
> > works just fine with iwn(4) and WPA.
> 
> But it does, and it does mess up the crypto IV tracking. I added
> debugging to net80211 to track what happens:
> 
> * a frame that doesn't match the station destination address comes in;
> * it doesn't have a crypto key, and it doesn't match any mac address;
> * so it's sent to all VAPs via ieee80211_input_all();
> * somehow it ends up updating the crypto state for the BSS, setting
> the IV to what was in the destination address, as well as the sequence
> number;
> * subsequent frames (to the real station destination) are now dropped
> because the replay attack code and/or the sequence number tracking
> code drops the frame.
> 
> I traced it down to the driver handing off the net80211 STA code a
> frame whose destination is not the STA and is an AP->STA frame.

All right, the important part here seems to be that the seqnos have to
be in a certain order to even remotely trigger an issue. Otherwise
the frames are just discarded as either out of order or because of
replay detection. I'd still add its own counter though, how about
that?

-- 
Bernhard
-------------- next part --------------
A non-text attachment was scrubbed...
Name: net80211_wrongdst.diff
Type: text/x-patch
Size: 1328 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-wireless/attachments/20111027/b3ab024f/net80211_wrongdst.bin
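
The failure mode discussed in this thread, as an added example that is not part of the original message or the attached patch: a simplified model of a station receive path in which one replay counter is shared per BSS key. It assumes a single counter stands in for both the crypto IV and the sequence number; every struct, function and counter name is hypothetical, and only vap->iv_myaddr comes from the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Simplified model, not net80211 code; every name here is hypothetical. */
struct frame { uint8_t dst[6]; uint64_t pn; };  /* pn: per-frame replay counter */
struct sta_rx {
    uint8_t  myaddr[6];   /* stands in for vap->iv_myaddr */
    uint64_t last_pn;     /* replay state shared by the BSS key */
    unsigned rx_ok, rx_replay, rx_wrongdst;
    int      check_dst;   /* 1 = drop foreign frames before touching crypto state */
};

/* Returns 1 if the frame is delivered to the station, 0 if dropped. */
int rx_frame(struct sta_rx *s, const struct frame *f)
{
    int mine = memcmp(f->dst, s->myaddr, 6) == 0;
    if (s->check_dst && !mine) {
        s->rx_wrongdst++;         /* own counter; replay state untouched */
        return 0;
    }
    if (f->pn <= s->last_pn) {    /* replay detection */
        s->rx_replay++;
        return 0;
    }
    s->last_pn = f->pn;           /* advances even when the frame is not ours */
    if (!mine)
        return 0;
    s->rx_ok++;
    return 1;
}

/* Constructed traffic: two frames for us around one foreign frame with a larger pn. */
unsigned run_scenario(int check_dst, struct sta_rx *out)
{
    struct sta_rx s = { .myaddr = {2, 0, 0, 0, 0, 1}, .check_dst = check_dst };
    const struct frame f[3] = { { {2, 0, 0, 0, 0, 1}, 10 },
        { {2, 0, 0, 0, 0, 2}, 5000 }, { {2, 0, 0, 0, 0, 1}, 11 } };
    for (int i = 0; i < 3; i++)
        rx_frame(&s, &f[i]);
    *out = s;
    return s.rx_ok;               /* how many of our own frames were delivered */
}

int main(void)
{
    struct sta_rx a, b;
    printf("unchecked: %u delivered, checked: %u delivered\n",
        run_scenario(0, &a), run_scenario(1, &b));
    return 0;
}
```

Without the destination check the foreign frame moves last_pn to 5000 and the station's next frame is counted as a replay; with the check it lands in the separate wrong-destination counter and both of the station's frames are delivered.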

