> > Yeah, true, and we actually have that in another place too. If we then
> > remove the MMIE, the IE sanity checks should catch the bad frame anyway,
> > when/if it is parsed. Except we removed those because APs were sending
> > bogus information. I'm fine with this, but we should be aware of the
> > consequence.
>
> As long as we get the RX path implemented properly, this will only hit
> if there is a bug in an MFP-enabled AP or someone is trying to attack
> the network and both cases are very good candidates for dropping the
> frame anyway. The key selection is supposed to pick BIP key only if the
> sender (AP) has negotiated MFP and as such, all valid broadcast robust
> management frames are guaranteed to have MMIE in the end.

True. I was more thinking of somebody intentionally doing it in the AP to
implement "802.11w in vendor IEs" or something like that but I guess
that's unlikely to happen. And yeah, an attack won't work anyway since
those frames would be rejected based on the wrong MIC.

johannes
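
Added example, not part of the original message and not code from the stack under discussion: a sketch of the RX-side checks the thread relies on, run before MIC verification once a BIP key has been selected for a broadcast robust management frame. The function and enum names are hypothetical; the MMIE layout (element ID 76, length 16, KeyID, 48-bit IPN, 8-byte MIC) is the 802.11w one, and the AES-CMAC comparison itself is left out.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical names; layout follows the 802.11w MMIE. */
#define EID_MMIE      76
#define MMIE_BODY_LEN 16                 /* KeyID(2) + IPN(6) + MIC(8) */
#define MMIE_LEN      (2 + MMIE_BODY_LEN)

enum mmie_rx { MMIE_OK, MMIE_MISSING, MMIE_BAD_KEYID, MMIE_REPLAY };

/* The IPN is a 48-bit little-endian packet number. */
static uint64_t ipn_le48(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 5; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/*
 * body/len cover the management frame body (after the 802.11 header).
 * igtk_keyid is the KeyID of the installed IGTK, last_ipn the highest IPN
 * accepted so far for it. Any result other than MMIE_OK means: drop.
 */
enum mmie_rx mmie_precheck(const uint8_t *body, size_t len,
                           uint16_t igtk_keyid, uint64_t last_ipn,
                           uint64_t *ipn_out)
{
    if (len < MMIE_LEN)
        return MMIE_MISSING;

    /* The MMIE must be the final element; anything else at the end
     * (a vendor IE, for instance) counts as "no MMIE". */
    const uint8_t *mmie = body + len - MMIE_LEN;
    if (mmie[0] != EID_MMIE || mmie[1] != MMIE_BODY_LEN)
        return MMIE_MISSING;

    uint16_t keyid = (uint16_t)(mmie[2] | (mmie[3] << 8));
    if (keyid != igtk_keyid)
        return MMIE_BAD_KEYID;

    uint64_t ipn = ipn_le48(mmie + 4);
    if (ipn <= last_ipn)
        return MMIE_REPLAY;

    *ipn_out = ipn;   /* caller commits this only after the MIC verifies */
    return MMIE_OK;
}
```
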