Giorgio kala_maico at
Sat Feb 28 12:49:37 EST 2004


sorry, I sent a mail with empty subject, I re-send it properly now.

I am back playing with packet injection: this time the problem is on 
injecting control frames.

I forge a Power Save Poll frame (which is 16 bytes long) and try to send
it to the air using the hostapd mode. I hacked the function prism2_tx_80211 
in order not to drop this packet as follows:

if (skb->len < 24) { /* drop frame */ }

if (skb->len < 24)  { hdr_len = skb->len; flag =1; }
else hdr_len = 24;

the instruction hdr_len = 24; which appears some lines below becomes 

the "flag" variable is used when sending packet to the card (many lines
below in the code), as follows:

res = hfa384x_setup_bap(dev, BAP0, local->txfid[idx], 0);
//the above 2 lines are from original code, around line 2290
if (flag == 0) { /* original code */
	if (!res)
		res = hfa384x_to_bap(dev, BAP0, &txdesc, sizeof(txdesc));
}

(basically I added the flag to avoid messing with the original code)

The frames are now sent to the air as I expected, but only a few of them
have the correct length of 16 bytes, others are 52 bytes long, others 70,
others more than 100 bytes.

The same problem appears if I try with ACK, RTS or CTS frames.

Question is: WHY? Where is this error coming from? Is it the usual
firmware black box that plays tricks, or is it my mistake?

Thanks and regards,
/Giorgio Calandriello
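As an added example (not code from Giorgio's post or from the hostap driver), a small checker that classifies 802.11 control frames by their Frame Control field and flags the length mismatches described above, the way a monitor-mode capture could be audited; the sample frames and MAC addresses are constructed.

```python
import struct

# 802.11 control-frame subtypes (type == 1) and their lengths without the
# 4-byte FCS, which the firmware appends on transmit. Values follow the
# IEEE 802.11 frame format; PS-Poll is the 16-byte frame the post describes.
CONTROL_FRAME_LEN = {
    0xA: ("PS-Poll", 16),        # FC(2) + AID(2) + BSSID(6) + TA(6)
    0xB: ("RTS", 16),            # FC(2) + Duration(2) + RA(6) + TA(6)
    0xC: ("CTS", 10),            # FC(2) + Duration(2) + RA(6)
    0xD: ("ACK", 10),            # FC(2) + Duration(2) + RA(6)
    0xE: ("CF-End", 16),
    0xF: ("CF-End+CF-Ack", 16),
}

def parse_frame_control(fc_bytes):
    """Split the little-endian Frame Control field into (version, type, subtype)."""
    fc, = struct.unpack("<H", fc_bytes[:2])
    version = fc & 0x3
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    return version, ftype, subtype

def check_control_frame(frame):
    """Describe a frame and report whether its length matches its control subtype.

    Frames that are too short or not a known control subtype get name None
    and ok False, so a monitor can treat them as suspicious.
    """
    if len(frame) < 2:
        return {"name": None, "expected": None, "actual": len(frame), "ok": False}
    version, ftype, subtype = parse_frame_control(frame)
    if version != 0 or ftype != 1 or subtype not in CONTROL_FRAME_LEN:
        return {"name": None, "expected": None, "actual": len(frame), "ok": False}
    name, expected = CONTROL_FRAME_LEN[subtype]
    return {"name": name, "expected": expected, "actual": len(frame),
            "ok": len(frame) == expected}

# Constructed sample frames (not captures from the post); FC 0xA4 0x00 is PS-Poll.
PS_POLL_OK = bytes.fromhex("a400" "0120" "001122334455" "66778899aabb")
PS_POLL_BLOATED = PS_POLL_OK + b"\x00" * 36      # 52 bytes, like the bad frames seen
ACK_OK = bytes.fromhex("d400" "0000" "001122334455")

if __name__ == "__main__":
    for f in (PS_POLL_OK, PS_POLL_BLOATED, ACK_OK):
        print(check_control_frame(f))
```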

