[PATCH] mac80211: match only assigned bss in sta_info_get_bss

[PATCH] mac80211: match only assigned bss in sta_info_get_bss

[Johannes Berg]

From: Johannes Berg <johannes.berg@intel.com>

sta_info_get_bss() is used to match STA pointers
for VLAN/AP interfaces, but if the same station
is also added to multiple other interfaces it
will erroneously match because both pointers are
NULL, fix this by ignoring NULL pointers here.

Reported-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
 net/mac80211/sta_info.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- wireless-testing.orig/net/mac80211/sta_info.c	2010-09-14 21:31:06.000000000 +0200
+++ wireless-testing/net/mac80211/sta_info.c	2010-09-14 21:31:24.000000000 +0200
@@ -125,7 +125,7 @@ struct sta_info *sta_info_get_bss(struct
 				    lockdep_is_held(&local->sta_mtx));
 	while (sta) {
 		if ((sta->sdata == sdata ||
-		     sta->sdata->bss == sdata->bss) &&
+		     (sta->sdata->bss && sta->sdata->bss == sdata->bss)) &&
 		    memcmp(sta->sta.addr, addr, ETH_ALEN) == 0)
 			break;
 		sta = rcu_dereference_check(sta->hnext,

Re: [PATCH] mac80211: match only assigned bss in sta_info_get_bss

[Jouni Malinen]

On Tue, Sep 14, 2010 at 09:34:14PM +0200, Johannes Berg wrote:
> sta_info_get_bss() is used to match STA pointers
> for VLAN/AP interfaces, but if the same station
> is also added to multiple other interfaces it
> will erroneously match because both pointers are
> NULL, fix this by ignoring NULL pointers here.

> @@ -125,7 +125,7 @@ struct sta_info *sta_info_get_bss(struct
>  				    lockdep_is_held(&local->sta_mtx));
>  	while (sta) {
>  		if ((sta->sdata == sdata ||
> -		     sta->sdata->bss == sdata->bss) &&
> +		     (sta->sdata->bss && sta->sdata->bss == sdata->bss)) &&

This (commit a2c1e3dad516618cb0fbfb1a62c36d0b0744573a) seems to cause
some changes that may not have been intended.. I'm not sure whether to
call them all regressions, but it does break my 802.11w test setup.. ;-)

With this change in place, robust management frames injected on a cooked
monitor interface do not get protected by mac80211 in station mode
(i.e., PMF in use on wlan0 and PTK in place; use mon0 to inject a
frame) while they used to get protected before this change. Reverting
this on top of wireless-testing.git now gets the old behavior back, too.
I have not verified whether this applies to other uses of cooked monitor
(e.g., Data frames or AP mode where Shared Key auth actually expects
injected frame to get protected in normal, non-testing-only use case).

Is this a bug? Or do I need to figure out another way of getting the
frames injected on a monitor interface encrypted by mac80211?

-- 
Jouni Malinen                                            PGP id EFC895FA

Re: [PATCH] mac80211: match only assigned bss in sta_info_get_bss

[Johannes Berg]

On Mon, 15 Nov 2010 22:30:48 +0200, Jouni Malinen <j@w1.fi> wrote:
> This (commit a2c1e3dad516618cb0fbfb1a62c36d0b0744573a) seems to cause
> some changes that may not have been intended.. I'm not sure whether to
> call them all regressions, but it does break my 802.11w test setup.. ;-)
> 
> With this change in place, robust management frames injected on a cooked
> monitor interface do not get protected by mac80211 in station mode
> (i.e., PMF in use on wlan0 and PTK in place; use mon0 to inject a
> frame) while they used to get protected before this change. Reverting
> this on top of wireless-testing.git now gets the old behavior back, too.
> I have not verified whether this applies to other uses of cooked monitor
> (e.g., Data frames or AP mode where Shared Key auth actually expects
> injected frame to get protected in normal, non-testing-only use case).
> 
> Is this a bug? Or do I need to figure out another way of getting the
> frames injected on a monitor interface encrypted by mac80211?

It's a bug. I suspect we set up the sta pointer first, and then the
sdata pointer (when injecting) where if we do it the other way around
it should work fine.

johannes