Hi, (disclaimer: I know basically nothing about 802.11)
I noticed on my AP a high counter on netstat -W "input unencrypted
packets with wep/wpa config discarded", aka is_rx_unencrypted. After
investigation it looked like all of these were frames with type Data,
but with the "No data" bit set in FC0. Per IEEE's 80211-2016.pdf
9.2.4.1.9 (page 644) the Protected bit is set to 0 for these frames, so
don't insist on them being encrypted. (See also 9.2.4.1.3, p. 640, about
bit 6 (ie. FC0_SUBTYPE_NODATA) implying no Frame Body).
diff --git a/sys/net80211/ieee80211_input.c b/sys/net80211/ieee80211_input.c
index a614a67cc59..1d1720268f4 100644
--- a/sys/net80211/ieee80211_input.c
+++ b/sys/net80211/ieee80211_input.c
@@ -164,7 +164,7 @@ ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct
ieee80211_node *ni,
struct ieee80211_frame *wh;
u_int16_t *orxseq, nrxseq, qos;
u_int8_t dir, type, subtype, tid;
- int hdrlen, hasqos;
+ int hdrlen, hasqos, hasdata;
KASSERT(ni != NULL);
@@ -209,9 +209,10 @@ ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct
ieee80211_node *ni,
qos = 0;
tid = 0;
}
+ hasdata = (type == IEEE80211_FC0_TYPE_DATA &&
+ (subtype & IEEE80211_FC0_SUBTYPE_NODATA) == 0);
- if (type == IEEE80211_FC0_TYPE_DATA && hasqos &&
- (subtype & IEEE80211_FC0_SUBTYPE_NODATA) == 0 &&
+ if (hasdata && hasqos &&
!(rxi->rxi_flags & IEEE80211_RXI_AMPDU_DONE)) {
int ba_state = ni->ni_rx_ba[tid].ba_state;
@@ -411,6 +412,12 @@ ieee80211_input(struct ifnet *ifp, struct mbuf *m, struct
ieee80211_node *ni,
/* protection is on for Rx */
if (!(rxi->rxi_flags & IEEE80211_RXI_HWDEC)) {
if (!(wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) {
+ /*
+ * 9.2.4.1.9 frames without data are
+ * not protected
+ */
+ if (!hasdata)
+ return;
/* drop unencrypted */
ic->ic_stats.is_rx_unencrypted++;
goto err;
--
Lauri Tirkkonen | lotheac @ IRCnet
