wpa_supplicant: Work around Linux packet socket regression

r.sperling at avm.de r.sperling at avm.de
Wed Feb 18 10:35:44 EST 2015


I've been taking a closer look at the workaround for WDS interfaces in a
bridge that respects RFC2863 operational states and found an issue with
this patch. The problem is that the workaround gets disabled by EAPOLs
forwarded by the linux bridge while the interface is not in dormant state.
This is primary the case during group rekeying. In addition, there is a
possible race condition until the netdevice entirely arrived in dormant
state and the first reception of an EAPOL of the 4-way handshake by the
kernel/supplicant. This may happen e.g. in loaded condition if the WLAN
driver has already connected to the AP but the dormant state is yet not
fully set. Hence, in both cases the workaround gets disabled although it is
still needed later on e.g. in case of a reconnection.

This faulty deactivation of the workaround may be prevented by additionally
checking the the current interface status flags for dormant state. Only if
the latter one is really set the workaround should be disabled.

Nevertheless, as already discussed on the list, this workaround is not a
really nice one including possible drawbacks like performance regression.
Hence I would like to add two other solutions as basis for discussion.

1. Most of the WLAN drivers stop all traffic if the connection is not
authorized. In addition, with older kernel version the dormant state was
ignored anyway. So we could completely remove setting dormant state in the
supplicant for the drivers.
2. If we stay with the workaround we can also consider just to enabled it
if the devices is currently in dormant state. As a result, there would be
not influence if the connection is successfully established.

Best regards and looking forward to your comments,
Robert Sperling

More information about the HostAP mailing list