Date: Wed, 7 Mar 2012 15:02:13 GMT From: Mitsuru IWASAKI <iwasaki@FreeBSD.org> To: freebsd-gnats-submit@FreeBSD.org Subject: kern/165819: [iwi][patch]iwi(4) broken >= 8.0-RELEASE Message-ID: <201203071502.q27F2Dw1061002@red.freebsd.org> Resent-Message-ID: <201203071510.q27FAC5P077471@freefall.freebsd.org>
>Number: 165819 >Category: kern >Synopsis: [iwi][patch]iwi(4) broken >= 8.0-RELEASE >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Mar 07 15:10:12 UTC 2012 >Closed-Date: >Last-Modified: >Originator: Mitsuru IWASAKI >Release: 10.0-CURRENT >Organization: FreeBSD committer >Environment: >Description: After 8.0-RELEASE, iwi(4) doesn't send any data frames in infrastructure mode. There is a problem in iwi_checkforqos(): the asresp frame is parsed incorrectly. Because of the condition `while (frm < efrm)', IEEE80211_VERIFY_LENGTH() was checking the item length beyond the ieee80211_frame region, and returned from iwi_checkforqos() without setting flags, capinfo and associd! In infrastructure mode associd is required, so this problem causes the mbuf to be discarded in ieee80211_start(). >How-To-Repeat: dhclient wlan0 >Fix: patch file attached. Patch attached with submission follows: Index: dev/iwi/if_iwi.c =================================================================== RCS file: /home/ncvs/src/sys/dev/iwi/if_iwi.c,v retrieving revision 1.80 diff -u -r1.80 if_iwi.c --- dev/iwi/if_iwi.c 17 Dec 2011 10:23:17 -0000 1.80 +++ dev/iwi/if_iwi.c 7 Mar 2012 04:32:22 -0000 @@ -168,6 +168,7 @@ struct ieee80211_node *, int); static int iwi_raw_xmit(struct ieee80211_node *, struct mbuf *, const struct ieee80211_bpf_params *); +static void iwi_update_mcast(struct ifnet *); static void iwi_start_locked(struct ifnet *); static void iwi_start(struct ifnet *); static void iwi_watchdog(void *); @@ -413,6 +414,7 @@ sc->sc_node_free = ic->ic_node_free; ic->ic_node_free = iwi_node_free; ic->ic_raw_xmit = iwi_raw_xmit; + ic->ic_update_mcast = iwi_update_mcast; ic->ic_scan_start = iwi_scan_start; ic->ic_scan_end = iwi_scan_end; ic->ic_set_channel = iwi_set_channel; 
@@ -1357,8 +1359,8 @@ frm += 2; wme = NULL; - while (frm < efrm) { - IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1], return); + while (efrm - frm > 1) { + IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return); switch (*frm) { case IEEE80211_ELEMID_VENDOR: if (iswmeoui(frm)) @@ -1953,6 +1955,12 @@ } static void +iwi_update_mcast(struct ifnet *ifp) +{ + /* Ignore */ +} + +static void iwi_start_locked(struct ifnet *ifp) { struct iwi_softc *sc = ifp->if_softc; >Release-Note: >Audit-Trail: >Unformatted:
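Review bot: the new `iwi_update_mcast` prototype in the @@ -168 hunk belongs to a multicast change that the Description (which only covers the iwi_checkforqos() parsing bug) never mentions; add a sentence to the PR, or a comment at the definition, explaining why ic_update_mcast needs a driver hook, so the two changes can be reviewed and committed independently if the maintainer prefers.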
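Review bot: `ic->ic_update_mcast = iwi_update_mcast;` in the @@ -413 hunk installs a handler that does nothing, and the hunk does not show what net80211 did on iwi(4) when no driver hook was set; please state in the PR whether the default path was failing or merely noisy, and why silently ignoring multicast filter updates is correct for this hardware.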
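Review bot: the revised loop in the @@ -1357 hunk is the right fix: `while (efrm - frm > 1)` guarantees both header bytes exist before `frm[1]` is read, and `IEEE80211_VERIFY_LENGTH(efrm - frm, frm[1] + 2, return)` accounts for the two-byte element header that the old `frm[1]` check omitted, which is why the old loop could read past the buffer on a trailing byte or reject a valid last element. Two things to confirm outside the visible context: that the advance at the bottom of the loop is `frm += frm[1] + 2` so it stays consistent with the new check, and whether a short trailing element from a sloppy AP should abort the whole parse with `return` (leaving flags, capinfo and associd unset, the very symptom this PR fixes) or whether a `break` would be more forgiving while still bounded.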
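Review bot: the `/* Ignore */` body of iwi_update_mcast() in the @@ -1953 hunk should say why the update is ignored (for instance, whether the firmware offers no multicast filter to program) rather than only that it is; the unused `ifp` parameter is fine for an ic_update_mcast callback, but a one-line rationale will stop the next reader from treating this as an unfinished stub.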
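As an added example that is not part of the PR or of the iwi(4) source, the following C walks a buffer of 802.11 information elements with the same two bounds checks the fixed iwi_checkforqos() loop applies (header bytes present before reading the length, then length + 2 bytes present before using the element); the sample buffers ie_good, ie_padded and ie_truncated are constructed for the demonstration, not captured frames.

```c
/* Added example, not iwi(4) code: a bounded 802.11 information-element
 * walk written the way the fixed iwi_checkforqos() loop bounds its reads.
 * Each element is <id:1><len:1><data:len>. The loop must (1) confirm both
 * header bytes exist before reading frm[1], and (2) confirm len + 2 bytes
 * fit before using the element; the pre-patch loop got neither right. */
#include <stdint.h>
#include <stddef.h>

#define IEEE80211_ELEMID_VENDOR	221	/* vendor-specific element id */

/* Walk [frm, efrm). Returns the number of complete elements, or -1 if an
 * element claims more bytes than remain (a truncated frame). A lone
 * trailing byte is tolerated, exactly as `efrm - frm > 1' tolerates it. */
static int
ie_walk(const uint8_t *frm, const uint8_t *efrm, int *vendor_seen)
{
	int n = 0;

	*vendor_seen = 0;
	while (efrm - frm > 1) {		/* id and len bytes present */
		if (efrm - frm < frm[1] + 2)	/* whole element present */
			return (-1);
		if (frm[0] == IEEE80211_ELEMID_VENDOR)
			(*vendor_seen)++;
		frm += frm[1] + 2;		/* advance past header + data */
		n++;
	}
	return (n);
}

/* Constructed sample buffers (not captured traffic). */
/* SSID "ab", two supported rates, one 4-byte vendor element: 14 bytes. */
static const uint8_t ie_good[] = {
	0, 2, 'a', 'b',  1, 2, 0x82, 0x84,  221, 4, 0x00, 0x50, 0xf2, 2 };
/* SSID "ab" plus one pad byte: the old `while (frm < efrm)' loop would
 * read frm[1] one byte past the end here. */
static const uint8_t ie_padded[] = { 0, 2, 'a', 'b', 0x00 };
/* An element claiming 6 data bytes when only 3 follow. */
static const uint8_t ie_truncated[] = { 0, 6, 'a', 'b', 'c' };

/* Convenience wrappers so each case can be checked by name. */
int walk_good(int *v)      { return ie_walk(ie_good, ie_good + sizeof(ie_good), v); }
int walk_padded(int *v)    { return ie_walk(ie_padded, ie_padded + sizeof(ie_padded), v); }
int walk_truncated(int *v) { return ie_walk(ie_truncated, ie_truncated + sizeof(ie_truncated), v); }
```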