| Index: ieee80211_input.c
| ===================================================================
| RCS file: /cvs/src/sys/net80211/ieee80211_input.c,v
| retrieving revision 1.116
| diff -u -p -r1.116 ieee80211_input.c
| --- ieee80211_input.c 7 Jun 2010 16:51:22 -0000 1.116
| +++ ieee80211_input.c 20 Feb 2011 19:51:24 -0000
| @@ -789,7 +789,7 @@ ieee80211_deliver_data(struct ieee80211c
| int error, len;
|
| if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
| - m1 = m_copym(m, 0, M_COPYALL, M_DONTWAIT);
| + m1 = m_copym2(m, 0, M_COPYALL, M_DONTWAIT);
| if (m1 == NULL)
| ifp->if_oerrors++;
| else
ok
| This one I'm not entirely sure about.
| But the code that receives the 3/4 message seems to expect an RSC for
| both the RSN and WPA cases. Also, this makes the code match up with
| how it's done in ieee80211_send_group_msg1().
| <sidebar>
| I spotted this one trying to hunt down a phantom bug with replay
| counter
| handling (which in fact seems to be fine).
| On the client side, netstat -W shows TKIP replays for every broadcast
| packet
| sent from the hostap to the station (both running -current).
| Is anyone else seeing this? There might be some driver/hardware
| problem with
| ath(4) that causes the AP to send duplicate frames. Or signal
| reflection
| issues? I tried with both wpi(4) and ral(4) cards on the client side.
| I've given up on trying to fix this, but the diff below felt worth
| keeping.
| </sidebar>
| Index: ieee80211_pae_output.c
| ===================================================================
| RCS file: /cvs/src/sys/net80211/ieee80211_pae_output.c,v
| retrieving revision 1.16
| diff -u -p -r1.16 ieee80211_pae_output.c
| --- ieee80211_pae_output.c 5 Jun 2010 15:54:35 -0000 1.16
| +++ ieee80211_pae_output.c 20 Feb 2011 17:55:51 -0000
| @@ -417,7 +417,6 @@ ieee80211_send_4way_msg3(struct ieee8021
| frm = ieee80211_add_rsn(frm, ic, ic->ic_bss);
| /* encapsulate the GTK */
| frm = ieee80211_add_gtk_kde(frm, ni, k);
| - LE_WRITE_6(key->rsc, k->k_tsc);
| /* encapsulate the IGTK if MFP was negotiated */
| if (ni->ni_flags & IEEE80211_NODE_MFP) {
| frm = ieee80211_add_igtk_kde(frm,
| @@ -427,6 +426,9 @@ ieee80211_send_4way_msg3(struct ieee8021
| info |= EAPOL_KEY_ENCRYPTED | EAPOL_KEY_SECURE;
| } else /* WPA */
| frm = ieee80211_add_wpa(frm, ic, ic->ic_bss);
| +
| + /* RSC = last transmit sequence number for the GTK */
| + LE_WRITE_6(key->rsc, k->k_tsc);
|
| /* write the key info field */
| BE_WRITE_2(key->info, info);
nack. you'll get a null deref with wpa1 (k is not initialized).
with wpa1, message 3/4 of the 4-way handshake does not carry the
group key (it is sent in message 1/2 of the group key handshake
that follows the 4-way handshake instead).
the TSC of the pairwise key is always 0 in our case, which is
the reason why it is not set here, but used when receiving
msg 3/4 since other implementations may use non-zero values.
| This last one is pretty obvious.
| ieee80211_alloc_node() does the same increment already, so the stats
| about node allocation failures are wrong.
| Index: ieee80211_proto.c
| ===================================================================
| RCS file: /cvs/src/sys/net80211/ieee80211_proto.c,v
| retrieving revision 1.44
| diff -u -p -r1.44 ieee80211_proto.c
| --- ieee80211_proto.c 7 Aug 2010 03:50:02 -0000 1.44
| +++ ieee80211_proto.c 6 Feb 2011 15:14:42 -0000
| @@ -704,7 +704,6 @@ ieee80211_auth_open(struct ieee80211com
| if (ni == ic->ic_bss) {
| ni = ieee80211_alloc_node(ic, wh->i_addr2);
| if (ni == NULL) {
| - ic->ic_stats.is_rx_nodealloc++;
| return;
| }
| IEEE80211_ADDR_COPY(ni->ni_bssid, ic->ic_bss->ni_bssid);
ok.
Damien
