Date: Thu, 01 Feb 2018 12:48:16 +0100
From: Rafał Miłecki
To: Hante Meuleman
Cc: Arend Van Spriel, Rafał Miłecki, Kalle Valo, Franky Lin, Chi-Hsien Lin, Wright Feng, Pieter-Paul Giesberts, linux-wireless@vger.kernel.org, "BRCM80211-DEV-LIST,PDL", brcm80211-dev-list@cypress.com
Subject: Re: [PATCH] brcmfmac: detect & reject faked packet generated by a firmware
In-Reply-To: <4f6223b8083ed69432493a37d4f45b69@mail.gmail.com>
References: <20180130090922.30346-1-zajec5@gmail.com> <5A705B5E.5070906@broadcom.com> <5A71D08B.7090905@broadcom.com> <4f6223b8083ed69432493a37d4f45b69@mail.gmail.com>
Message-ID: <194eff6f46f740bf11edd110de1d0b7e@milecki.pl>

On 2018-01-31 17:14, Hante Meuleman wrote:
> It is an 802.2 frame, more specifically an LLC XID frame. So why it
> exists?
> And moreover, why would we crash as a result? Decoding info can be
> found
> here:
>
> https://www.cisco.com/c/en/us/support/docs/ibm-technologies/logical-link-control-llc/12247-45.html#con3
>
> The frame was likely sent by the stack from remote site PC, should be
> possible to capture with tcpdump.
>
> I've seen these frames before, but don't know what they are for. The
> frame
> appears to be correctly encoded. The ethertype, is not a type, but a
> len
> field. The only protocol with such a short len allowed is llc, see also
>
> https://www.savvius.com/networking-glossary/ethernet/frame_formats/
>
> So it is 802.2 (also known as LLC)

This was actually quite helpful, thanks!

Googling for "802.11 LLC XID association" pointed me to some
Google-indexed books:
1) Internet Protocols: Advances, Technologies and Applications
2) Broadband Wireless Access and Local Networks: Mobile WiMax and WiFi

Both of them describe the IAPP standard, which appears as IEEE 802.11f on
Wikipedia. It seems to be some old & obsolete roaming standard that was
replaced by 802.11r.

There is an ADD operation defined by the 802.11f which is triggered "when a
station is newly associated". It also says "The frame is sent using a
MAC source address equal to the MAC address of the station". So far it
seems to match what I'm seeing.

My guess is that Broadcom's firmware includes some kind of support for
the 802.11f. I'm still not sure if that is really firmware's
responsibility to handle that though.
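
The length-versus-EtherType distinction and the "source address equal to the station" property discussed in this message, as an added example that is not code from this thread or from the brcmfmac patch. The function names, enum and sample frames are hypothetical and constructed for illustration (the station MAC is made up).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum frame_kind { FRAME_TOO_SHORT, FRAME_INVALID, FRAME_ETHERTYPE,
                  FRAME_LLC_OTHER, FRAME_LLC_XID };

/* Classify an Ethernet frame by bytes 12-13: IEEE 802.3 reads them as a
 * payload length when <= 1500 and as an EtherType when >= 0x0600. */
enum frame_kind classify_frame(const uint8_t *f, size_t len)
{
    if (len < 14)
        return FRAME_TOO_SHORT;
    uint16_t tl = (uint16_t)((f[12] << 8) | f[13]);
    if (tl >= 0x0600)
        return FRAME_ETHERTYPE;
    if (tl > 1500)                      /* 1501..1535 has no defined meaning */
        return FRAME_INVALID;
    /* Length form: an 802.2 LLC header (DSAP, SSAP, control) must follow
     * and the declared payload must fit in what was received. */
    if (tl < 3 || len < 14 + (size_t)tl)
        return FRAME_INVALID;
    /* XID is a U-format control value: 0xAF, or 0xBF with the P/F bit set. */
    return ((f[16] & 0xEF) == 0xAF) ? FRAME_LLC_XID : FRAME_LLC_OTHER;
}

/* True when the frame is an LLC XID whose source MAC is the given station,
 * the property the quoted 802.11f text describes. */
int xid_from_station(const uint8_t *f, size_t len, const uint8_t sta[6])
{
    return classify_frame(f, len) == FRAME_LLC_XID && memcmp(f + 6, sta, 6) == 0;
}

/* Constructed samples: broadcast destination, made-up station source. */
static const uint8_t sample_sta[6] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 };
static const uint8_t sample_xid[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
    0x00, 0x06,                         /* length 6, not an EtherType */
    0x00, 0x01, 0xaf, 0x81, 0x01, 0x00, /* DSAP, SSAP, XID control, XID info */
};
static const uint8_t sample_ipv4[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
    0x08, 0x00,                         /* EtherType 0x0800 */
};

int main(void)
{
    printf("xid sample:  kind=%d from_station=%d\n",
           classify_frame(sample_xid, sizeof sample_xid),
           xid_from_station(sample_xid, sizeof sample_xid, sample_sta));
    printf("ipv4 sample: kind=%d\n", classify_frame(sample_ipv4, sizeof sample_ipv4));
    return 0;
}
```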