On Wed, Nov 17, 2021 at 07:53:44PM +0100, Stefan Sperling wrote:
> I don't see where and how this could happen, but this seems to be where
> this bug is hiding. Multicast frames are also never encrypted, so they
> would never even trigger any attempt to use a key.
Sorry, I was not making much sense here because I confused management with broadcast/multicast frames in my mind. We do not encrypt management frames, but multicast frames will be encrypted with a group key. So the use of encryption in this interrupt handler is legit. The group key should be from one of the two addresses you've identified, and the bogus key address you've seen is something else. I wonder if this bogus address corresponds to &ic->ic_bss->ni_pairwise_key or &ni->ni_pairwise_key of some associated client?
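The key-selection rule described in the message above, as an added illustration that is not part of the thread and not net80211's actual code: a stripped-down model of the relevant objects (four group-key slots in ic_nw_keys, the BSS node's pairwise key, and each associated client's pairwise key) together with the check a developer would add to a transmit path to confirm that the key pointer in hand is one of those known slots. The structure names mirror the ones quoted in the thread, but the structures, the select_tx_key() and key_is_known() functions and the sample addresses are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the key objects (not net80211's real definitions). */
#define IEEE80211_WEP_NKID 4      /* four group-key slots, as in 802.11 */
#define IEEE80211_ADDR_LEN 6

struct ieee80211_key {
    uint8_t k_id;
    int     k_flags;              /* 0 = slot not in use */
};

struct ieee80211_node {
    uint8_t ni_macaddr[IEEE80211_ADDR_LEN];
    struct ieee80211_key ni_pairwise_key;   /* per-client unicast key */
};

struct ieee80211com {
    struct ieee80211_key ic_nw_keys[IEEE80211_WEP_NKID];  /* group keys */
    int ic_def_txkey;             /* which group key slot encrypts tx multicast */
    struct ieee80211_node *ic_bss;
};

/* Constructed sample addresses: one broadcast, one unicast. */
static const uint8_t BCAST_ADDR[IEEE80211_ADDR_LEN] = {0xff,0xff,0xff,0xff,0xff,0xff};
static const uint8_t UCAST_ADDR[IEEE80211_ADDR_LEN] = {0x02,0x00,0x00,0x00,0x00,0x01};

/* 802.11 group bit: lowest bit of the first address octet. */
static bool is_multicast(const uint8_t *addr) { return (addr[0] & 0x01) != 0; }

/* Key used for an outgoing frame: management frames are not encrypted (NULL),
 * multicast data uses the default group key, unicast data uses the client's
 * pairwise key. */
static struct ieee80211_key *
select_tx_key(struct ieee80211com *ic, struct ieee80211_node *ni,
              const uint8_t *da, bool is_mgmt)
{
    if (is_mgmt)
        return NULL;
    if (is_multicast(da))
        return &ic->ic_nw_keys[ic->ic_def_txkey];
    return &ni->ni_pairwise_key;
}

/* Sanity check for the bug hunt: a valid key pointer must be one of the group
 * key slots, the BSS node's pairwise key, or an associated client's pairwise key. */
static bool
key_is_known(const struct ieee80211com *ic, const struct ieee80211_node *nodes,
             size_t nnodes, const struct ieee80211_key *k)
{
    for (int i = 0; i < IEEE80211_WEP_NKID; i++)
        if (k == &ic->ic_nw_keys[i])
            return true;
    if (ic->ic_bss != NULL && k == &ic->ic_bss->ni_pairwise_key)
        return true;
    for (size_t i = 0; i < nnodes; i++)
        if (k == &nodes[i].ni_pairwise_key)
            return true;
    return false;
}

/* Runs the model and returns how many of the five expectations hold (5 = all). */
static int run_model(void)
{
    static struct ieee80211com ic;
    static struct ieee80211_node bss, sta;
    struct ieee80211_key stray;           /* a key object outside every known slot */
    struct ieee80211_key *k;
    int ok = 0;

    memset(&ic, 0, sizeof ic);
    memset(&bss, 0, sizeof bss);
    memset(&sta, 0, sizeof sta);
    memset(&stray, 0, sizeof stray);
    ic.ic_bss = &bss;
    ic.ic_def_txkey = 1;

    k = select_tx_key(&ic, &sta, BCAST_ADDR, true);    /* management: no key */
    if (k == NULL) ok++;
    k = select_tx_key(&ic, &sta, BCAST_ADDR, false);   /* multicast: group slot 1 */
    if (k == &ic.ic_nw_keys[1] && key_is_known(&ic, &sta, 1, k)) ok++;
    k = select_tx_key(&ic, &sta, UCAST_ADDR, false);   /* unicast: client pairwise */
    if (k == &sta.ni_pairwise_key && key_is_known(&ic, &sta, 1, k)) ok++;
    if (key_is_known(&ic, &sta, 1, &bss.ni_pairwise_key)) ok++;
    if (!key_is_known(&ic, &sta, 1, &stray)) ok++;     /* the "bogus address" case */
    return ok;
}

int main(void)
{
    printf("%d of 5 key-selection checks passed\n", run_model());
    return 0;
}
```

In a real driver the same idea would be a debug assertion on the key pointer just before the cipher is applied, printing the pointer and the known slot addresses when it does not match; that pins down whether a stray address comes from one of the pairwise keys or from somewhere else entirely.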
