ccmp crashes kernel

Jouni Malinen jkmaline at cc.hut.fi
Sun Feb 8 00:21:13 EST 2004


On Wed, Feb 04, 2004 at 10:15:09PM -0800, Jouni Malinen wrote:

> Thanks, I was able to reproduce this. The crash happens when the AP
> receives a frame to the broadcast address from the station. This frame
> is sent both back to the wireless medium and to the Linux net stack.
> When the copy that is sent to wireless medium is being freed
> (dev_kfree_skb() in the end of hostap_master_start_xmit()), the kernel
> crashes because a freed memory area is used again or something has
> corrupted the skb that was first decrypted and then encrypted.

CCMP encryption ended up overwriting the skb data buffer with eight bytes.
If there was not that much extra tailroom, the fragmentation data was
corrupted, which ended up crashing the kernel when the skb was freed.
This is now fixed in CVS.

-- 
Jouni Malinen                                            PGP id EFC895FA
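The tailroom problem described in this message, as an added user-space C model that is not hostap code: metadata the free path trusts sits right after the data area (as skb_shared_info does for an skb), so appending the 8-byte CCMP MIC without checking tailroom corrupts it. struct pkt, put_mic_unchecked/put_mic_checked, metadata_survives and the DATA_SIZE/META_SIZE/canary values are hypothetical stand-ins constructed for this example.

```c
/* Added example, not hostap code: user-space model of the bug described
 * above. Metadata the free path trusts (cf. skb_shared_info) sits right after
 * the data area, so appending the 8-byte CCMP MIC needs a tailroom check. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CCMP_MIC_LEN 8
#define DATA_SIZE    64   /* modelled skb data area */
#define META_SIZE    8    /* modelled metadata right after it */

struct pkt {                             /* hypothetical skb stand-in */
    size_t  len;                         /* payload bytes in the data area */
    uint8_t mem[DATA_SIZE + META_SIZE];  /* data area, then metadata */
};
/* Constructed canary standing in for the metadata contents. */
static const uint8_t META_CANARY[META_SIZE] =
    { 0xA5, 0x5A, 0xC3, 0x3C, 0x96, 0x69, 0xF0, 0x0F };

static void pkt_init(struct pkt *p, size_t payload_len) {
    memset(p, 0, sizeof *p);
    p->len = payload_len;
    memcpy(p->mem + DATA_SIZE, META_CANARY, META_SIZE);
}
static size_t pkt_tailroom(const struct pkt *p) { return DATA_SIZE - p->len; }
/* Buggy append: with len > DATA_SIZE - 8 the MIC spills into the metadata. */
static void put_mic_unchecked(struct pkt *p, const uint8_t *mic) {
    memcpy(p->mem + p->len, mic, CCMP_MIC_LEN);
    p->len += CCMP_MIC_LEN;
}
/* Fixed append: check tailroom first (a driver would grow the skb instead). */
static int put_mic_checked(struct pkt *p, const uint8_t *mic) {
    if (pkt_tailroom(p) < CCMP_MIC_LEN) return -1;
    memcpy(p->mem + p->len, mic, CCMP_MIC_LEN);
    p->len += CCMP_MIC_LEN;
    return 0;
}
/* Stand-in for a free-path sanity check: 1 if the metadata is intact. */
static int metadata_intact(const struct pkt *p) {
    return memcmp(p->mem + DATA_SIZE, META_CANARY, META_SIZE) == 0;
}
/* Append one MIC to a payload_len-byte payload; 1 if the metadata survived. */
int metadata_survives(size_t payload_len, int use_checked) {
    static const uint8_t mic[CCMP_MIC_LEN] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    struct pkt p;
    pkt_init(&p, payload_len);
    if (use_checked) (void)put_mic_checked(&p, mic);
    else put_mic_unchecked(&p, mic);
    return metadata_intact(&p);
}
```

In the real driver the fix is to ensure enough tailroom (or expand the skb) before the encryption step appends its MIC, rather than to refuse the frame.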