| Index: ieee80211_input.c | =================================================================== | RCS file: /cvs/src/sys/net80211/ieee80211_input.c,v | retrieving revision 1.116 | diff -u -p -r1.116 ieee80211_input.c | --- ieee80211_input.c 7 Jun 2010 16:51:22 -0000 1.116 | +++ ieee80211_input.c 20 Feb 2011 19:51:24 -0000 | @@ -789,7 +789,7 @@ ieee80211_deliver_data(struct ieee80211c | int error, len; | | if (ETHER_IS_MULTICAST(eh->ether_dhost)) { | - m1 = m_copym(m, 0, M_COPYALL, M_DONTWAIT); | + m1 = m_copym2(m, 0, M_COPYALL, M_DONTWAIT); | if (m1 == NULL) | ifp->if_oerrors++; | else
ok | This one I'm not entirely sure about. | But the code that receives the 3/4 message seems to expect an RSC for | both the RSN and WPA cases. Also, this makes the code match up with | how it's done in ieee80211_send_group_msg1(). | <sidebar> | I spotted this one trying to hunt down a phantom bug with replay | counter | handling (which in fact seems to be fine). | On the client side, netstat -W shows TKIP replays for every broadcast | packet | sent from the hostap to the station (both running -current). | Is anyone else seeing this? There might be some driver/hardware | problem with | ath(4) that causes the AP to send duplicate frames. Or signal | reflection | issues? I tried with both wpi(4) and ral(4) cards on the client side. | I've given up on trying to fix this, but the diff below felt worth | keeping. | </sidebar> | Index: ieee80211_pae_output.c | =================================================================== | RCS file: /cvs/src/sys/net80211/ieee80211_pae_output.c,v | retrieving revision 1.16 | diff -u -p -r1.16 ieee80211_pae_output.c | --- ieee80211_pae_output.c 5 Jun 2010 15:54:35 -0000 1.16 | +++ ieee80211_pae_output.c 20 Feb 2011 17:55:51 -0000 | @@ -417,7 +417,6 @@ ieee80211_send_4way_msg3(struct ieee8021 | frm = ieee80211_add_rsn(frm, ic, ic->ic_bss); | /* encapsulate the GTK */ | frm = ieee80211_add_gtk_kde(frm, ni, k); | - LE_WRITE_6(key->rsc, k->k_tsc); | /* encapsulate the IGTK if MFP was negotiated */ | if (ni->ni_flags & IEEE80211_NODE_MFP) { | frm = ieee80211_add_igtk_kde(frm, | @@ -427,6 +426,9 @@ ieee80211_send_4way_msg3(struct ieee8021 | info |= EAPOL_KEY_ENCRYPTED | EAPOL_KEY_SECURE; | } else /* WPA */ | frm = ieee80211_add_wpa(frm, ic, ic->ic_bss); | + | + /* RSC = last transmit sequence number for the GTK */ | + LE_WRITE_6(key->rsc, k->k_tsc); | | /* write the key info field */ | BE_WRITE_2(key->info, info); nack. you'll get a null deref with wpa1 (k is not initialized). with wpa1, message 3/4 of the 4-way handshake does not carry the group key (it is sent in message 1/2 of the group key handshake that follows the 4-way handshake instead). the TSC of the pairwise key is always 0 in our case, which is the reason why it is not set here, but used when receiving msg 3/4 since other implementations may use non-zero values. | This last one is pretty obvious. | ieee80211_alloc_node() does the same increment already, so the stats | about node allocation failures are wrong. | Index: ieee80211_proto.c | =================================================================== | RCS file: /cvs/src/sys/net80211/ieee80211_proto.c,v | retrieving revision 1.44 | diff -u -p -r1.44 ieee80211_proto.c | --- ieee80211_proto.c 7 Aug 2010 03:50:02 -0000 1.44 | +++ ieee80211_proto.c 6 Feb 2011 15:14:42 -0000 | @@ -704,7 +704,6 @@ ieee80211_auth_open(struct ieee80211com | if (ni == ic->ic_bss) { | ni = ieee80211_alloc_node(ic, wh->i_addr2); | if (ni == NULL) { | - ic->ic_stats.is_rx_nodealloc++; | return; | } | IEEE80211_ADDR_COPY(ni->ni_bssid, ic->ic_bss->ni_bssid); ok. Damien