[PATCH 3/7] TDLS: allow extra erroneous IEs in all packets

Arik Nemtsov arik at wizery.com
Mon Feb 23 08:56:48 EST 2015


On Wed, Feb 18, 2015 at 6:01 PM, Jouni Malinen <j at w1.fi> wrote:
> On Tue, Feb 17, 2015 at 09:35:11PM -0500, Ilan Peer wrote:
>> Some APs (Cisco 1260) sometimes add invalid IEs to the end of various
>> TDLS management packets. This was allowed on M3 and discovery packets, but
>> not in others. Allow it for the other packets as well, since required IEs
>> are verified in the code anyway.

I don't have a sniffer capture (or even the wpa_s log anymore), but
we encountered this on an incoming TDLS teardown packet.

>
> Would you be able to share a sniffer capture showing such a case? This
> seemed to be needed when the forwarded packet was shorter than minimum
> Ethernet frame (even if not really going out on Ethernet which is the
> somewhat strange part here and likely specific to some APs), but I'm not
> sure in which cases the other frames would be short enough to trigger
> this issue.
>
> Furthermore, these are not really supposed to be "extra erroneous IEs",
> but some arbitrary padding at the end of the "Ethernet" frame.

For this case I'm not sure what it was, but for previous cases, the
extra data looked like an IE from the CCX protocol (which I don't
really know).
But does it matter what it really is? IMO we should be lenient in what
we accept, as long as the MIC is not damaged.

For the case in hand, we had a peer that was out of sync in its TDLS
state with us, when talking through the Cisco 1260, which is a pretty
unpleasant experience.

Arik
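
The leniency discussed in this thread, as an added example that is not part of the original message and is not hostap code: an element walker that treats an incomplete tail as padding while the required-element checks stay strict. The names `parse_ies_lenient`, `teardown_ies_ok` and `struct tdls_ies`, the rule that a secured teardown needs an FTIE, and the sample frame are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define EID_FTIE     55   /* Fast BSS Transition element */
#define EID_LINK_ID  101  /* TDLS Link Identifier element */
#define LINK_ID_LEN  18   /* BSSID + initiator + responder addresses */

struct tdls_ies {          /* hypothetical result type for this example */
    const uint8_t *link_id; size_t link_id_len;
    const uint8_t *ftie;    size_t ftie_len;
    size_t trailing;       /* bytes left unparsed at the tail */
};

/* Walk id/len/value elements; a tail that does not form a complete element
 * is counted as padding instead of failing the whole frame. */
static void parse_ies_lenient(const uint8_t *buf, size_t len, struct tdls_ies *out)
{
    size_t pos = 0;
    *out = (struct tdls_ies){0};
    while (len - pos >= 2) {
        uint8_t id = buf[pos];
        size_t elen = buf[pos + 1];
        if (elen > len - pos - 2)
            break;                      /* length runs past the buffer */
        /* First occurrence wins, so appended data cannot replace an
         * element that was already found. */
        if (id == EID_LINK_ID && !out->link_id) {
            out->link_id = buf + pos + 2; out->link_id_len = elen;
        } else if (id == EID_FTIE && !out->ftie) {
            out->ftie = buf + pos + 2; out->ftie_len = elen;
        }
        pos += 2 + elen;
    }
    out->trailing = len - pos;
}

/* Required-element checks stay strict. Returns 0 if acceptable, -1 if not. */
static int teardown_ies_ok(const uint8_t *buf, size_t len, int secured)
{
    struct tdls_ies ies;
    parse_ies_lenient(buf, len, &ies);
    if (!ies.link_id || ies.link_id_len != LINK_ID_LEN)
        return -1;
    if (secured && !ies.ftie)           /* assumed rule: secured link needs FTIE */
        return -1;
    return 0;
}

/* Constructed sample: Link Identifier, 82-byte FTIE, then 3 stray bytes. */
static const uint8_t sample[] = { [0] = EID_LINK_ID, [1] = LINK_ID_LEN,
    [20] = EID_FTIE, [21] = 82, [104] = 0xDD, [105] = 0x20, [106] = 0x00 };
```

Logging the `trailing` count when it is non-zero keeps the tolerated padding visible in debug output without rejecting the frame.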

