> We actually cover (2) for some cases by "accident" since
> ieee80211_rx_h_decrypt() assigns rx->key to rx->sta->gtk[i] if one is
> available. I'm not completely sure this is correct since it applies
> to management frame as well, but that's the way commit
> 897bed8b4320774e56f282cdc1cceb4d77442797 ('mac80211: clean up RX key
> checks') implemented it (Johannes: Could you please take a look
> whether that gtk[] case was really supposed to apply for non-Data
> frames?).
>
Hm, yeah, that's kinda questionable.
AFAICT we still do the right thing sinceĀ ieee80211_drop_unencrypted()
contains a check forĀ ieee80211_is_data() and we return in this if
branch, so we never get to the TAINTED check or the actual decrypt.
We could try to just drop unencrypted data frames (that aren't control
port protocol) right here, but it might wreak havoc with the reorder
buffer in case it (erroneously) happens.
johannes
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
