On Thu, 2011-09-15 at 13:25 +0300, Arik Nemtsov wrote:
> --- a/net/mac80211/tx.c
> +++ b/net/mac80211/tx.c
> @@ -1725,6 +1725,7 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
> struct sta_info *sta = NULL;
> u32 sta_flags = 0;
> struct sk_buff *tmp_skb;
> + bool tdls_link = false;
>
> if (unlikely(skb->len < ETH_HLEN)) {
> ret = NETDEV_TX_OK;
> @@ -1836,11 +1837,25 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
> break;
> #endif
> case NL80211_IFTYPE_STATION:
> - memcpy(hdr.addr1, sdata->u.mgd.bssid, ETH_ALEN);
> - if (sdata->u.mgd.use_4addr &&
> - cpu_to_be16(ethertype) != sdata->control_port_protocol) {
> - fc |= cpu_to_le16(IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS);
> + if (local->hw.flags & IEEE80211_HW_SUPPORTS_TDLS) {
> + rcu_read_lock();
> + sta = sta_info_get(sdata, skb->data);
> + tdls_link = (sta && sta->tdls_link_enabled);

Why don't you test WLAN_STA_TDLS_PEER and add the station only when the session is set up? That would avoid the problem here when setting up the session.

> --- a/net/wireless/util.c
> +++ b/net/wireless/util.c
> @@ -392,8 +392,9 @@ int ieee80211_data_to_8023(struct sk_buff *skb, const u8 *addr,
> }
> break;
> case cpu_to_le16(0):
> - if (iftype != NL80211_IFTYPE_ADHOC)
> - return -1;
> + if (iftype != NL80211_IFTYPE_ADHOC &&
> + iftype != NL80211_IFTYPE_STATION)
> + return -1;
> break;
> }

It seems there needs to be a check somewhere that this packet was received from a TDLS peer? OTOH, if somebody is spoofing it crypto will reject it or you're vulnerable anyway...

johannes
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
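Review bot: The RCU read side opened at `rcu_read_lock();` in the NL80211_IFTYPE_STATION case has no matching unlock inside the hunk, and the pointer it protects is stored into the function-scope `sta` rather than a local, so whether `sta` is dereferenced again after the section closes cannot be checked here because the switch body continues past the hunk. The rcu_read_lock() taken immediately before sta_info_get() indicates the returned entry is only valid inside that section, so anything needed later should be copied out under the lock, as `tdls_link` already is. A one-line comment at the lookup would make that contract explicit: `/* sta is RCU-protected: only tdls_link may be used once the read section ends */`. The replacement for the removed `memcpy(hdr.addr1, sdata->u.mgd.bssid, ETH_ALEN);` is also outside the excerpt, so the addr1 selection on the TDLS path cannot be reviewed from this hunk.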
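Review bot: The widened `case cpu_to_le16(0):` branch changes what ieee80211_data_to_8023() accepts for a STATION interface, but the function's header documentation sits above the hunk and nothing in the change records the new behaviour. The function only receives `iftype`, so from the visible lines it can distinguish interface types but not the frame's sender; that limit belongs in the doc comment so callers do not assume the helper filters direct-link frames for them. Suggested addition to the existing comment: `/* STATION interfaces also convert data frames with ToDS=0/FromDS=0 (TDLS direct link); this helper checks iftype only, not the transmitting peer */`. The enclosing function starts before the hunk and ends after it.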