| Message ID | 1380875428-20899-1-git-send-email-michal.kazior@tieto.com (mailing list archive) |
|---|---|
| State | Not Applicable, archived |
| Headers | show |
Michal Kazior <michal.kazior@tieto.com> writes: > Peer authorization should be delayed until > mac80211 says given station has transitioned into > authorized state. > > The state is propagated from mac80211 for both > open and protected networks. > > This should prevent data traffic to/from given > station until authorization completes. Until now > it was probably possible for unauthorized traffic > to pass leading to possible security issues. > > Signed-off-by: Michal Kazior <michal.kazior@tieto.com> Thanks, applied.
Kalle Valo <kvalo@qca.qualcomm.com> writes: > Michal Kazior <michal.kazior@tieto.com> writes: > >> Peer authorization should be delayed until >> mac80211 says given station has transitioned into >> authorized state. >> >> The state is propagated from mac80211 for both >> open and protected networks. >> >> This should prevent data traffic to/from given >> station until authorization completes. Until now >> it was probably possible for unauthorized traffic >> to pass leading to possible security issues. >> >> Signed-off-by: Michal Kazior <michal.kazior@tieto.com> > > Thanks, applied. Actually I'll take this back. After this patch even ping doesn't work with D-Link DIR-865L as AP using 10.1.389 firmware. So I have to drop this patch.
diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c index 8684e03..0175d22 100644 --- a/drivers/net/wireless/ath/ath10k/mac.c +++ b/drivers/net/wireless/ath/ath10k/mac.c @@ -781,7 +781,6 @@ static void ath10k_peer_assoc_h_basic(struct ath10k *ar, memcpy(arg->addr, sta->addr, ETH_ALEN); arg->vdev_id = arvif->vdev_id; arg->peer_aid = sta->aid; - arg->peer_flags |= WMI_PEER_AUTH; if (arvif->vdev_type == WMI_VDEV_TYPE_STA) /* @@ -2603,6 +2602,32 @@ static int ath10k_sta_state(struct ieee80211_hw *hw, if (ret) ath10k_warn("Failed to disassociate station: %pM\n", sta->addr); + } else if (old_state == IEEE80211_STA_ASSOC && + new_state == IEEE80211_STA_AUTHORIZED) { + /* + * Authorization + */ + ath10k_dbg(ATH10K_DBG_MAC, "mac sta %pM authorized\n", + sta->addr); + + ret = ath10k_wmi_peer_set_param(ar, arvif->vdev_id, sta->addr, + WMI_PEER_AUTHORIZE, 1); + if (ret) + ath10k_warn("Failed to authorize station: %pM\n", + sta->addr); + } else if (old_state == IEEE80211_STA_AUTHORIZED && + new_state == IEEE80211_STA_ASSOC) { + /* + * De-Authorization + */ + ath10k_dbg(ATH10K_DBG_MAC, "mac sta %pM de-authorized\n", + sta->addr); + + ret = ath10k_wmi_peer_set_param(ar, arvif->vdev_id, sta->addr, + WMI_PEER_AUTHORIZE, 0); + if (ret) + ath10k_warn("Failed to de-authorize station: %pM\n", + sta->addr); } mutex_unlock(&ar->conf_mutex);
Peer authorization should be delayed until mac80211 says given station has transitioned into authorized state. The state is propagated from mac80211 for both open and protected networks. This should prevent data traffic to/from given station until authorization completes. Until now it was probably possible for unauthorized traffic to pass leading to possible security issues. Signed-off-by: Michal Kazior <michal.kazior@tieto.com> --- I've been keeping this patch in my closet apparently. Tested briefly and seems there are no regressions. drivers/net/wireless/ath/ath10k/mac.c | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-)