On Fri, Sep 16, 2011 at 16:03, Johannes Berg <johannes@xxxxxxxxxxxxxxxx> wrote:
> On Thu, 2011-09-15 at 13:25 +0300, Arik Nemtsov wrote:
>> case NL80211_IFTYPE_STATION:
>> - memcpy(hdr.addr1, sdata->u.mgd.bssid, ETH_ALEN);
>> - if (sdata->u.mgd.use_4addr &&
>> - cpu_to_be16(ethertype) != sdata->control_port_protocol) {
>> - fc |= cpu_to_le16(IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS);
>> + if (local->hw.flags & IEEE80211_HW_SUPPORTS_TDLS) {
>> + rcu_read_lock();
>> + sta = sta_info_get(sdata, skb->data);
>> + tdls_link = (sta && sta->tdls_link_enabled);
>
> Why don't you test WLAN_STA_TDLS_PEER and add the station only when the
> session is set up?
>
> That would avoid the problem here when setting up the session.

Will do (like I wrote in a previous email). Thanks.

>
>> --- a/net/wireless/util.c
>> +++ b/net/wireless/util.c
>> @@ -392,8 +392,9 @@ int ieee80211_data_to_8023(struct sk_buff *skb, const u8 *addr,
>> }
>> break;
>> case cpu_to_le16(0):
>> - if (iftype != NL80211_IFTYPE_ADHOC)
>> - return -1;
>> + if (iftype != NL80211_IFTYPE_ADHOC &&
>> + iftype != NL80211_IFTYPE_STATION)
>> + return -1;
>> break;
>> }
>>
>
> It seems there needs to be a check somewhere that this packet was
> received from a TDLS peer? OTOH, if somebody is spoofing it crypto will
> reject it or you're vulnerable anyway...

My thoughts exactly. It's not like a rogue STA can't fake the frame_control and bssid fields. I didn't want to encumber the Rx path with redundant checks.

Arik
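Review bot: in the NL80211_IFTYPE_STATION hunk, the TDLS decision is keyed on a new per-station field, sta->tdls_link_enabled, read under rcu_read_lock() via sta_info_get(sdata, skb->data), but the quoted context shows neither the matching rcu_read_unlock() nor where the removed memcpy(hdr.addr1, sdata->u.mgd.bssid, ETH_ALEN) and the use_4addr / control_port_protocol handling end up; the non-TDLS station path still needs addr1 set from the BSSID and the control-port exception kept, and sta must not be dereferenced after the RCU section ends. The reviewer's suggestion, testing the existing WLAN_STA_TDLS_PEER flag and inserting the station only once the session is set up, would remove the need for the extra field and the "link not yet up" window during session setup.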
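Review bot: in the ieee80211_data_to_8023() hunk, widening the cpu_to_le16(0) case (neither ToDS nor FromDS set) from NL80211_IFTYPE_ADHOC to also accept NL80211_IFTYPE_STATION changes what a managed interface treats as a valid data frame, and nothing in the hunk ties that acceptance to an established TDLS peer; the thread's own justification is that the crypto layer will reject a spoofed frame, so that assumption belongs in a comment next to the new condition, and narrowing the condition to interfaces that actually have a TDLS peer (the WLAN_STA_TDLS_PEER check suggested above) would keep the Rx surface unchanged for stations that never use TDLS.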