ccmp crashes kernel

Jouni Malinen jkmaline at cc.hut.fi
Mon Feb 2 22:07:55 EST 2004


On Mon, Feb 02, 2004 at 12:45:39PM +0100, Marco Aime wrote:

> caught a weird bug:
> receiving a single arp packet always causes a kernel panic when ccmp is 
> enabled
> 
> all seems to work fine when populating the arp cache manually (at least 
> both ping and tcp)

Are you are using Host AP driver in Managed mode with wpa_supplicant?
What do you mean with "single arp packet"? arp who-has request? That is
a broadcast packet and it is encrypted with another key, which might
explain some differences with the other case. If you set ARP entries
manually, AP does not need to send any broadcast frames to the station.
You should also be able to get similar behavior by trying to ping
broadcast address from the AP (or wired net if you are using bridging).

> some context information:
> - Master mode
> - kernel 2.4.20
> - latest cvs version by pserver (but same problem with snapshot tar)
> - Netgear MA311 PCI cards with firmware v1.3.6 (but updating does not help)

Hmm.. what do you mean with Master mode here? How did you set the keys?
What was the other end of the connection running?

> if it can help:
> when tring to track the problem with some printk, I stopped before the 
> skb_pull() instruction at line 978 in hostap_80211_rx.c

CVS version does not have skb_pull() on that line. There's one on line
976 (skb_pull(skb, hdrlen +6) after "remove RFC1042 or .." comment). Is
that the one you mean? The if statement just before that skb_sull() is
verifying that there is enough header bytes before removing them with
skb_pull, so it should not really crash..

Any change of you sending the full kernel panic message? 

I haven't tested CCMP with 2.4.x kernels, but at least I can't reproduce
similar problems with 2.6.x kernels when using Host AP driver in managed
mode.

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the HostAP mailing list