On Sun, Mar 06, 2016 at 08:23:01PM +0000, Nick Lowe wrote:
> Requiring a match against all the session identifying attributes
> supplied would be fine and, of course, an order of precedence would be
> not applicable and meaningless at this point.
> That would be stricter than what the patch I submitted does.
>
> Currently hostapd implements faulty logic such that any session
> identifying attribute that matches is acceptable.
> Herein lies the fault in the implementation.

Could you please be more specific here? The current implementation
matches all the session identifying attributes and requires all of them
to match.

> In the case that more than one session is matched, hostapd currently
> elects to do nothing.

Does nothing is somewhat inaccurate. hostapd rejects the request in such
a case with Error-Cause 508 (Multiple Session Selection Unsupported).

> If this was changed in the future to permit more than one session to
> be matched, this could result in unexpected sessions being changed or
> disconnected.

What would be unexpected? DAC better know what it is doing and if it
does not use specific enough attributes, it'll get what it asks for.

> At present, this may result in expected sessions not being changed or
> disconnected due to multiple sessions being matched.

Only if DAC specified overly flexible identifying attributes. Or do you
have a specific example of attributes where more than a single match
were to be expected?

> Where the User-Name is being sent as a session identifying attribute
> alongside others, this can be manipulated to cause deliberate
> malfunction of CoA-Request and Disconnect-Request by stations.

How would User-Name alongside others do anything here if the other
attributes are specific enough to find a single match? Even if that
User-Name were to match multiple sessions, only the one also matching
the other, more specific, attributes would be identified.

--
Jouni Malinen                                            PGP id EFC895FA
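
The matching rule described in the replies above (every supplied session identifying attribute must match, and more than one matching session is rejected with Error-Cause 508), shown as an added example that is not part of the original message and is not hostapd's code. The session table, the function `das_select`, the sample values, and the use of Error-Cause 503 when nothing matches are assumptions of this simplified model.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model for illustration; this is not hostapd's session table. */
struct session { const char *user_name, *acct_session_id, *calling_station_id; };

/* Constructed sample sessions: the first two share a User-Name. */
static const struct session sessions[] = {
    { "alice", "0000A1", "02-00-00-00-00-01" },
    { "alice", "0000A2", "02-00-00-00-00-02" },
    { "bob",   "0000B1", "02-00-00-00-00-03" },
};
#define N_SESSIONS ((int)(sizeof(sessions) / sizeof(sessions[0])))

enum { ERR_NOT_FOUND = 503, ERR_MULTIPLE = 508 }; /* RFC 5176 Error-Cause */

/* An attribute the DAC did not supply (NULL) places no constraint. */
static int attr_ok(const char *want, const char *have)
{
    return want == NULL || strcmp(want, have) == 0;
}

/* Every supplied attribute must match (logical AND). Returns the index of
 * the single matching session, or a negated Error-Cause value. */
int das_select(const char *user, const char *sid, const char *mac)
{
    int i, hits = 0, found = -1;

    if (!user && !sid && !mac)
        return -ERR_NOT_FOUND; /* this model's choice for an empty selector */
    for (i = 0; i < N_SESSIONS; i++) {
        if (attr_ok(user, sessions[i].user_name) &&
            attr_ok(sid, sessions[i].acct_session_id) &&
            attr_ok(mac, sessions[i].calling_station_id)) {
            hits++;
            found = i;
        }
    }
    if (hits > 1)
        return -ERR_MULTIPLE;
    return hits == 1 ? found : -ERR_NOT_FOUND;
}

int main(void)
{
    printf("User-Name only: %d\n", das_select("alice", NULL, NULL));
    printf("User-Name + Acct-Session-Id: %d\n", das_select("alice", "0000A2", NULL));
    printf("Conflicting attributes: %d\n", das_select("bob", "0000A2", NULL));
    return 0;
}
```

In this model a shared User-Name sent alone yields 508, while the same User-Name sent with a specific Acct-Session-Id selects exactly one session, and a User-Name that contradicts the Acct-Session-Id selects none.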