author: Martin Pieuchot <mpi@cvs.openbsd.org> 2017-12-21 12:09:39 +0000
committer: Martin Pieuchot <mpi@cvs.openbsd.org> 2017-12-21 12:09:39 +0000
commit: 2efb48a59c0bcfa586fa364550f1e7f515dd40f0 (patch)
tree: db89b0020c332e54e905705cb92e5393e43f3bac /distrib/miniroot
parent: 3686b75faa3c8c1f957816b2c18863bea4ccad88 (diff)

Call if_start() directly to send the EAPOL key.

Using if_enqueue() here, from interrupt context, might result in the packet being enqueued, incorrectly encrypted, on the TX ring.

This race has been recently exposed by the re-introduction of the TX mitigation. It exists because the net80211 stack sets IEEE80211_NODE_TXPROT on the node while processing the 3rd message, assuming the answer has already been transmitted. However, when a CPU returns from if_enqueue() it cannot assume that the send queue is empty. So call if_start() to flush this queue.

Encrypting the 4th message of the 4way handshake with the new key breaks WPA handshake as found the hard way by anton@.

Race analysed by dlg@, a lot of net80211 inputs and suggestions from stsp@.

ok stsp@, dlg@

Diffstat (limited to 'distrib/miniroot')
0 files changed, 0 insertions, 0 deletions