On Thu, Jul 16, 2020 at 11:10:58AM +0200, Stefan Sperling wrote:
> Line 1927 of 
> https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net80211/ieee80211_input.c?annotate=1.218
> 
> This code runs before a response is generated for a probe request and it
> should ensure that a probe request is only generated if the SSID matches.
> 
> The next step would be to find out how this check is being bypassed in
> your case.

Nevermind, I have found the problem.

I moved the HIDENWID flag to a different variable some time ago:
[[[
    CVSROOT:    /cvs
    Module name:        src
    Changes by: s...@cvs.openbsd.org    2019/05/12 12:12:38
    
    Modified files:
        sbin/ifconfig  : ifconfig.8 
        sys/dev/ic     : if_wi.c 
        sys/net80211   : ieee80211_input.c ieee80211_ioctl.c 
                         ieee80211_ioctl.h ieee80211_output.c 
                         ieee80211_var.h 
    
    Log message:
    Fix 'ifconfig nwflags; These flags ended up overlapping with other flags
    in ieee80211com's ic_flags because we haven't been paying attention to
    them (they're not in the same place in the code and hence easy to miss).
    Move them to a dedicated variable to avoid this problem in the future.
    
    Add a new 'stayauth' nwflag which can be set to let net80211 ignore
    deauth frames. This can be useful when deauth frames are being
    persistently spoofed by an attacker. Idea from beck@
    
    ok beck@ phessler@
]]]

There is some use of the HIDENWID flag which I missed in this conversion.
This patch should fix it.

diff b38ea36846c22ecbc2e7394f8dcf015e2b6a523f /usr/src
blob - 8942bc3b47923fe0d78a4435b181777069b2a119
file + sys/dev/ic/bwfm.c
--- sys/dev/ic/bwfm.c
+++ sys/dev/ic/bwfm.c
@@ -1959,7 +1959,7 @@ bwfm_hostap(struct bwfm_softc *sc)
        memset(join.assoc.bssid, 0xff, sizeof(join.assoc.bssid));
        bwfm_fwvar_cmd_set_data(sc, BWFM_C_SET_SSID, &join, sizeof(join));
        bwfm_fwvar_var_set_int(sc, "closednet",
-           (ic->ic_flags & IEEE80211_F_HIDENWID) != 0);
+           (ic->ic_userflags & IEEE80211_F_HIDENWID) != 0);
 }
 #endif
 
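Review bot: the bwfm change is correct on its own, but the cited 2019 commit moved the nwflags out of ic_flags, so any remaining `ic->ic_flags & IEEE80211_F_HIDENWID` test in the tree now reads a bit that no longer carries the hidden-SSID setting. Since this patch touches only four files, grep the whole tree (sys/dev as well as sys/net80211) for IEEE80211_F_HIDENWID before committing and confirm every remaining reader uses ic_userflags.
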
blob - 0cea2f80840c2b7bdbbf2dd7de3d83e3beabc7fa
file + sys/dev/ic/rt2560.c
--- sys/dev/ic/rt2560.c
+++ sys/dev/ic/rt2560.c
@@ -1588,7 +1588,7 @@ rt2560_tx_bcn(struct rt2560_softc *sc, struct mbuf *m0
                    mtod(m0, uint8_t *) +
                    sizeof (struct ieee80211_frame) +
                    8 + 2 + 2 +
-                   ((ic->ic_flags & IEEE80211_F_HIDENWID) ?
+                   ((ic->ic_userflags & IEEE80211_F_HIDENWID) ?
                        1 : 2 + ni->ni_esslen) +
                    2 + min(ni->ni_rates.rs_nrates, IEEE80211_RATE_SIZE) +
                    2 + 1 +
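
Review bot: the beacon length computed here has to agree with the SSID element the beacon builder emits; ieee80211_output.c was among the files converted in the 2019 commit, so it already sizes the element by ic_userflags, while this driver still followed ic_flags, making the computed beacon length off by `1 + ni->ni_esslen` whenever the SSID is hidden. The hunk brings the two back in step; a quick check after applying it is to run a hidden-SSID hostap on rt2560 and confirm the transmitted beacon carries the 1-byte empty SSID element.
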
blob - 7170cb0085cbb2f47ff2d02d204f5706f4eb22a2
file + sys/dev/ic/rt2661.c
--- sys/dev/ic/rt2661.c
+++ sys/dev/ic/rt2661.c
@@ -2935,7 +2935,7 @@ rt2661_prepare_beacon(struct rt2661_softc *sc)
                    RT2661_HW_BEACON_BASE0 + 24 +
                    sizeof (struct ieee80211_frame) +
                    8 + 2 + 2 +
-                   ((ic->ic_flags & IEEE80211_F_HIDENWID) ?
+                   ((ic->ic_userflags & IEEE80211_F_HIDENWID) ?
                        1 : 2 + ni->ni_esslen) +
                    2 + min(ni->ni_rates.rs_nrates, IEEE80211_RATE_SIZE) +
                    2 + 1 +
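
Review bot: same length-computation issue as in rt2560.c: the hidden-SSID branch (`1` versus `2 + ni->ni_esslen`) was selected from ic_flags while the beacon builder in ieee80211_output.c selects it from ic_userflags, so the two disagreed by `1 + ni->ni_esslen` for a hidden SSID. Worth verifying on rt2661 hardware as well, since this driver writes the beacon into RT2661_HW_BEACON_BASE0 rather than an mbuf.
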
blob - 098aa9bce19481ce09676ce3c4fc0040f14c9b93
file + sys/net80211/ieee80211_input.c
--- sys/net80211/ieee80211_input.c
+++ sys/net80211/ieee80211_input.c
@@ -1937,7 +1937,7 @@ ieee80211_recv_probe_req(struct ieee80211com *ic, stru
                return;
        }
        /* refuse wildcard SSID if we're hiding our SSID in beacons */
-       if (ssid[1] == 0 && (ic->ic_flags & IEEE80211_F_HIDENWID)) {
+       if (ssid[1] == 0 && (ic->ic_userflags & IEEE80211_F_HIDENWID)) {
                DPRINTF(("wildcard SSID rejected"));
                ic->ic_stats.is_rx_ssidmismatch++;
                return;
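
Review bot: this hunk explains the reported behaviour: with HIDENWID no longer living in ic_flags, the wildcard-SSID test on the removed line could never trigger, so an AP configured to hide its SSID answered empty-SSID probe requests and revealed the network name. The corrected condition restores the refusal and still increments is_rx_ssidmismatch, so that counter can be used to confirm the reject path fires during testing; it may also be worth extending the DPRINTF with the sender address, since the existing message gives no indication of which station was refused.
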
