The sequence number of injected frames is being overwritten by the function ieee80211_tx_h_sequence when the following two conditions are met:

1. The frame is injected on a virtual interface, and a second virtual interface on this device is operating in managed/AP/.. mode.
2. The sender MAC address of the injected frame matches the MAC address of the second interface operating in managed/AP/.. mode.

In some cases this may be desired, for instance when hostap is configured to send certain frames using a monitor interface, in which case the user-space will not assign a sequence number and instead injects frames with a sequence number of zero.

However, in case the user-space does assign a non-zero sequence number, this number should not be overwritten by the kernel. This patch adds a check to see if injected frames have already been assigned a non-zero sequence number, and if so, this sequence number will not be overwritten by the kernel.

Signed-off-by: Mathy Vanhoef <mathy.vanhoef@xxxxxxx>
---
 net/mac80211/tx.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 1a2941e52..8bb8c548c 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -808,11 +808,14 @@ ieee80211_tx_h_sequence(struct ieee80211_tx_data *tx) int tid; /* - * Packet injection may want to control the sequence - * number, if we have no matching interface then we - * neither assign one ourselves nor ask the driver to. + * Packet injection may want to control the sequence number. + * Do not assign one ourselves, and do not ask the driver to, + * if there is no matching interface or if the injected frame + * was already assigned a non-zero sequence number. */ - if (unlikely(info->control.vif->type == NL80211_IFTYPE_MONITOR)) + if (unlikely(info->control.vif->type == NL80211_IFTYPE_MONITOR || + (info->flags & IEEE80211_TX_CTL_INJECTED != 0 && + hdr->seq_ctrl != 0))) return TX_CONTINUE; if (unlikely(ieee80211_is_ctl(hdr->frame_control))) -- 2.20.1
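Review bot: In the new condition, `info->flags & IEEE80211_TX_CTL_INJECTED != 0` is missing parentheses: `!=` binds tighter than `&` in C, so it parses as `info->flags & (IEEE80211_TX_CTL_INJECTED != 0)` and tests bit 0 of info->flags instead of the injected flag. Suggest writing it as `(info->flags & IEEE80211_TX_CTL_INJECTED) && hdr->seq_ctrl != 0`. Separately, hdr->seq_ctrl also carries the fragment number in its low four bits, so comparing the whole field against zero treats an injected frame with sequence number zero and a non-zero fragment number as already assigned. If only the sequence number should decide, as the commit message and the updated comment say, mask the field with cpu_to_le16(IEEE80211_SCTL_SEQ) before the comparison.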