ccmp crashes kernel
jkmaline at cc.hut.fi
Sun Feb 8 00:21:13 EST 2004
On Wed, Feb 04, 2004 at 10:15:09PM -0800, Jouni Malinen wrote:
> Thanks, I was able to reproduce this. The crash happens when the AP
> receives a frame to the broadcast address from the station. This frame
> is sent both back to the wireless medium and to the Linux net stack.
> When the copy that is sent to wireless medium is being freed
> (dev_kfree_skb() at the end of hostap_master_start_xmit()), the kernel
> crashes because a freed memory area is used again or something has
> corrupted the skb that was first decrypted and then encrypted.
CCMP encryption ended up overwriting the skb data buffer with eight bytes.
If there was not that much extra tailroom, fragmentation data was
corrupted, which ended up crashing the kernel when the skb was freed.
This is now fixed in CVS.
Jouni Malinen PGP id EFC895FA
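The failure described in this thread is a trailer written past the end of an skb's tailroom. The following user-space model (added here; not hostap code, and the `model_*` names are assumed) shows the check a transmit path needs before appending the eight-byte CCMP MIC in place: refuse, rather than write, when the buffer has too little room.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CCMP_MIC_LEN 8  /* the eight bytes CCMP appends after the payload */

/* Minimal model of an skb: payload occupies [data, tail); the region
 * [tail, end) is the tailroom that in-place encryption may grow into.
 * Anything written past 'end' lands in whatever follows the buffer
 * (in the real kernel, the skb's shared info / fragmentation data). */
struct model_skb {
    uint8_t *head;
    uint8_t *data;
    uint8_t *tail;
    uint8_t *end;
};

static size_t model_tailroom(const struct model_skb *skb)
{
    return (size_t)(skb->end - skb->tail);
}

/* Append the MIC only if it fits. Returns 0 on success, -1 if the write
 * would run past the end of the buffer; the caller must then drop the
 * frame or reallocate with more tailroom instead of writing. */
static int model_ccmp_append_mic(struct model_skb *skb,
                                 const uint8_t mic[CCMP_MIC_LEN])
{
    if (model_tailroom(skb) < CCMP_MIC_LEN)
        return -1;
    memcpy(skb->tail, mic, CCMP_MIC_LEN);
    skb->tail += CCMP_MIC_LEN;
    return 0;
}

/* Set up a model skb over 'buf' with 'len' payload bytes and 'tailroom'
 * spare bytes after them. */
static void model_skb_init(struct model_skb *skb, uint8_t *buf,
                           size_t len, size_t tailroom)
{
    skb->head = buf;
    skb->data = buf;
    skb->tail = buf + len;
    skb->end  = buf + len + tailroom;
}

/* Try to append a constructed MIC to a 32-byte payload with the given
 * tailroom; returns the resulting payload length, or -1 if refused. */
static int model_demo(size_t tailroom)
{
    uint8_t buf[64] = {0};
    static const uint8_t mic[CCMP_MIC_LEN] = {1, 2, 3, 4, 5, 6, 7, 8};
    struct model_skb skb;

    model_skb_init(&skb, buf, 32, tailroom);
    if (model_ccmp_append_mic(&skb, mic) != 0)
        return -1;
    return (int)(skb.tail - skb.data);
}
```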