Hello,

Short problem description:
mac80211 framework sends a possibly invalid assoc request (802.11a)

Patch url download (if the attachment is unusable or stripped):
http://www.radiotube.org/mac80211_emptyext.diff

PROBLEM DESCRIPTION
The association request includes a list of supported data rates.

802.11b: 4 supported rates.
802.11g: 12 (8 + 4) supported rates.
802.11a: 8 supported rates.

The rates tag of the assoc request has room for only 8 rates. In case of
802.11g an extended rate tag is appended. However in net/wireless/mlme.c
an extended (empty) rate tag is also appended if the number of rates is
exactly 8.

Pseudo-code of current mlme.c implementation:

for (i = 0; i < num_rates && i < 8; i++)
	... append_rate ...;
if (i == 8) { /* <-- problem */
	length = num_rates - i;
	... append ext rate ...;
}

The correct way to do this should be more like:

for (i = 0; i < num_rates && i < 8; i++)
	... append_rate ...;
if (i < num_rates) { /* <--note this */
	length = num_rates - i;
	... append ext rate ...
}

A ZyXEL G-570U access point does not accept this empty extended rates
tag. It responds with an 'association denied' with code 18 (unsupported
rates). I do not know if this is correct behaviour, but as far as I can
see it would be wise to not send an empty extended rates tag anyway.

Kernel version:
Linux version 2.6.27-rc4 (sigsegv@challenger) (gcc version 4.3.1 (Debian
4.3.1-9) ) #9 SMP Sun Aug 24 22:24:27 CEST 2008

Wireless card (dmesg):
iwl3945: Intel(R) PRO/Wireless 3945ABG/BG Network Connection driver for
Linux, 1.2.26kds
iwl3945: Copyright(c) 2003-2008 Intel Corporation
iwl3945 0000:03:00.0: PCI INT A -> GSI 17 (level, low) -> IRQ 17
iwl3945 0000:03:00.0: setting latency timer to 64
iwl3945: Detected Intel Wireless WiFi Link 3945ABG
iwl3945: Tunable channels: 13 802.11bg, 23 802.11a channels

Debug output from mac80211 and iwl3945:
phy0: HW CONFIG: freq=5180
phy0: HW CONFIG: freq=5180
wlan0_rename: Initial auth_alg=0
wlan0_rename: authenticate with AP 00:19:cb:2f:4b:95
phy0: TX to low-level driver (len=30) FC=0x00b0 DUR=0x003c
A1=00:19:cb:2f:4b:95 A2=00:1b:77:40:82:46 A3=00:19:cb:2f:4b:95
phy0: HW CONFIG: freq=5180
wlan0_rename: Initial auth_alg=0
wlan0_rename: authenticate with AP 00:19:cb:2f:4b:95
phy0: TX to low-level driver (len=30) FC=0x00b0 DUR=0x003c
A1=00:19:cb:2f:4b:95 A2=00:1b:77:40:82:46 A3=00:19:cb:2f:4b:95
wlan0_rename: RX authentication from 00:19:cb:2f:4b:95 (alg=0
transaction=2 status=0)
wlan0_rename: authenticated
wlan0_rename: associate with AP 00:19:cb:2f:4b:95
phy0: TX to low-level driver (len=46) FC=0x0000 DUR=0x003c
A1=00:19:cb:2f:4b:95 A2=00:1b:77:40:82:46 A3=00:19:cb:2f:4b:95
wlan0_rename: authentication frame received from 00:19:cb:2f:4b:95, but
not in authenticate state - ignored
wlan0_rename: authentication frame received from 00:19:cb:2f:4b:95, but
not in authenticate state - ignored
wlan0_rename: RX AssocResp from 00:19:cb:2f:4b:95 (capab=0x421 status=18
aid=0)
wlan0_rename: AP denied association (code=18)
wlan0_rename: associate with AP 00:19:cb:2f:4b:95
phy0: TX to low-level driver (len=46) FC=0x0000 DUR=0x003c
A1=00:19:cb:2f:4b:95 A2=00:1b:77:40:82:46 A3=00:19:cb:2f:4b:95
wlan0_rename: RX AssocResp from 00:19:cb:2f:4b:95 (capab=0x421 status=18
aid=0)
wlan0_rename: AP denied association (code=18)
wlan0_rename: associate with AP 00:19:cb:2f:4b:95
phy0: TX to low-level driver (len=46) FC=0x0000 DUR=0x003c
A1=00:19:cb:2f:4b:95 A2=00:1b:77:40:82:46 A3=00:19:cb:2f:4b:95
wlan0_rename: RX AssocResp from 00:19:cb:2f:4b:95 (capab=0x421 status=18
aid=0)
wlan0_rename: AP denied association (code=18)
wlan0_rename: association with AP 00:19:cb:2f:4b:95 timed out
Regards
Jan-Espen Pettersen
Patch url download (if the attachment is unusable or stripped):
http://www.radiotube.org/mac80211_emptyext.diff
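
Added example, not part of the original post and not code from mac80211: a small C program that builds the Supported Rates element and, when needed, the Extended Supported Rates element using either the reported "i == 8" condition or the proposed "i < num_rates" condition, then walks the result to count zero-length elements. The function names, the sample rate arrays and the buffer size are assumptions made for illustration; 1 and 50 are the standard 802.11 element IDs.

```c
#include <stdint.h>
#include <stdio.h>
#define WLAN_EID_SUPP_RATES     1   /* Supported Rates element ID */
#define WLAN_EID_EXT_SUPP_RATES 50  /* Extended Supported Rates element ID */

/* Constructed sample rate sets, in units of 500 kb/s (not from the post). */
static const uint8_t rates_a[8]  = { 12, 18, 24, 36, 48, 72, 96, 108 };
static const uint8_t rates_g[12] = { 2, 4, 11, 22, 12, 18, 24, 36, 48, 72, 96, 108 };

/* buggy != 0 uses "i == 8", otherwise "i < num_rates"; buf needs num_rates + 4 bytes. */
static size_t build_rate_ies(uint8_t *buf, const uint8_t *rates,
                             size_t num_rates, int buggy)
{
    uint8_t *p = buf;
    size_t i, n = num_rates < 8 ? num_rates : 8;
    *p++ = WLAN_EID_SUPP_RATES;
    *p++ = (uint8_t)n;
    for (i = 0; i < n; i++)
        *p++ = rates[i];
    if (buggy ? (i == 8) : (i < num_rates)) {
        *p++ = WLAN_EID_EXT_SUPP_RATES;
        *p++ = (uint8_t)(num_rates - i);  /* 0 when there are exactly 8 rates */
        for (; i < num_rates; i++)
            *p++ = rates[i];
    }
    return (size_t)(p - buf);
}

/* Walk the element chain; return the count of zero-length elements, -1 if malformed. */
static int count_empty_ies(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int empty = 0;
    while (off + 2 <= len && off + 2 + buf[off + 1] <= len) {
        empty += (buf[off + 1] == 0);
        off += 2 + (size_t)buf[off + 1];
    }
    return off == len ? empty : -1;
}

int main(void)
{
    uint8_t buf[32];
    for (int buggy = 1; buggy >= 0; buggy--) {
        int empty = count_empty_ies(buf, build_rate_ies(buf, rates_a, 8, buggy));
        size_t g = build_rate_ies(buf, rates_g, 12, buggy);
        printf("buggy=%d: 11a has %d empty element(s), 11g is %zu bytes\n", buggy, empty, g);
    }
    return 0;
}
```

With 8 rates the two conditions differ by exactly the two bytes of the empty element; with 4 or 12 rates they produce identical output, which is why the problem only shows up on 802.11a.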
On Mon, 2008-08-25 at 01:32 +0200, Jan-Espen Pettersen wrote:
> Hello,
>
> Short problem description:
> mac80211 framework sends a possibly invalid assoc request (802.11a)
>
> Patch url download (if the attachment is unusable or stripped):
> http://www.radiotube.org/mac80211_emptyext.diff
>
> PROBLEM DESCRIPTION
> The association request includes a list of supported data rates.
>
> 802.11b: 4 supported rates.
> 802.11g: 12 (8 + 4) supported rates.
> 802.11a: 8 supported rates.
>
> The rates tag of the assoc request has room for only 8 rates. In case of
> 802.11g an extended rate tag is appended. However in net/wireless/mlme.c
> an extended (empty) rate tag is also appended if the number of rates is
> exactly 8.
That seems wrong; shouldn't be sending out an empty IE.
Can you post the patch inline in email, which is the preferred method of
sending kernel patches? Also, please include a short description of the
patch as the subject, a longer explanation at the start of the mail, and
include your Signed-off-by: with your email address to indicate that you
are legally able to contribute the patch (i.e. that it's not covered under
some NDA, obtained illegally, etc). Even though your patch is one line,
everyone needs to do this. Please see:
http://linux.yyz.us/patch-format.html
Your subject should be something like:
mac80211: don't send empty extended rates IE
Thanks!
Dan
On Mon, Aug 25, 2008 at 5:53 PM, Dan Williams <[email protected]> wrote:
> On Mon, 2008-08-25 at 01:32 +0200, Jan-Espen Pettersen wrote:
>> Hello,
>>
>> Short problem description:
>> mac80211 framework sends a possibly invalid assoc request (802.11a)
>>
>> Patch url download (if the attachment is unusable or stripped):
>> http://www.radiotube.org/mac80211_emptyext.diff
>>
>> PROBLEM DESCRIPTION
>> The association request includes a list of supported data rates.
>>
>> 802.11b: 4 supported rates.
>> 802.11g: 12 (8 + 4) supported rates.
>> 802.11a: 8 supported rates.
>>
>> The rates tag of the assoc request has room for only 8 rates. In case of
>> 802.11g an extended rate tag is appended. However in net/wireless/mlme.c
>> an extended (empty) rate tag is also appended if the number of rates is
>> exactly 8.
>
> That seems wrong; shouldn't be sending out an empty IE.
>
> Can you post the patch inline in email, which is the preferred method of
> sending kernel patches? Also, please include a short description of the
> patch as the subject, a longer explanation at the start of the mail, and
> include your Signed-off-by: with your email address to indicate that you
> are legally able to contribute the patch (i.e. that it's not covered under
> some NDA, obtained illegally, etc). Even though your patch is one line,
> everyone needs to do this. Please see:
>
> http://linux.yyz.us/patch-format.html
>
> Your subject should be something like:
>
> mac80211: don't send empty extended rates IE
>
> Thanks!
> Dan
>
This mostly affects Cisco APs, we just hit it as well 2 weeks ago.
Tomas