wap_supplicant only gets to "Sending EAPOL-Key 2/4"

Jouni Malinen jkmaline at cc.hut.fi
Sun Sep 12 14:40:06 EDT 2004


On Sun, Sep 12, 2004 at 01:19:58PM -0400, Matt McHenry wrote:

> 	I'm using ndiswrapper 0.10 to load the driver provided on the
> installation CD (bcmw15.[inf|sys]).

> WPA: Own WPA IE - hexdump(len=24): dd 16 00 50 f2 01 01 00 00 50 f2 02
> 01 00 00 
> 50 f2 02 01 00 00 50 f2 02

> Wireless event: cmd=0x8c02 len=159
> Custom wireless event:
> 'ASSOCINFO(ReqIEs=00084d617474546f6279010882848b9624b0486
> c32048c129860dd050010180100dd160050f20101000050f2
> RespIEs=010482848b9632088c1298
> 24b048606c)'

That ReqIEs string looks truncated. The last information element,
dd160050f20101000050f2, has only 9 bytes of data (0050..f2) even though
its length field indicates that there should be 22 bytes. In other
words, it looks like the driver (NDIS or ndiswrapper) has truncated the
data. Based on this, I would direct this to the ndiswrapper mailing lists.
However, thanks for reporting this here, since this also showed a bug in
wpa_supplicant: it should reject that kind of ReqIEs report and complain
loudly about it.

This truncated WPA IE ended up in wpa_supplicant using a corrupted WPA IE
in the msg 2/4. WPA APs are supposed to drop that kind of packet and
are likely to deauthenticate the STA.

-- 
Jouni Malinen                                            PGP id EFC895FA
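
The length check described in the message above, as an added C example that is not part of the original mail and not wpa_supplicant's own code. The function names `ie_walk` and `check_ies_hex` are hypothetical, and the ReqIEs string is taken from the quoted log with the mail's line wraps re-joined, which assumes the wrapped pieces are contiguous.

```c
#include <stdio.h>
#include <string.h>
/* Inputs taken from the log quoted in the mail: ReqIEs with the line wraps
 * re-joined (assumed contiguous) and the "Own WPA IE" dump, spaces removed. */
static const char *REQ_IES = "00084d617474546f6279" "010882848b9624b0486c"
    "32048c129860" "dd050010180100" "dd160050f20101000050f2";
static const char *OWN_WPA_IE = "dd160050f20101000050f20201000050f20201000050f202";

/* Return the number of complete id/len/data IEs, or -1 with *bad_off at the overrun. */
static int ie_walk(const unsigned char *buf, size_t len, size_t *bad_off)
{
    size_t pos = 0;
    int count = 0;
    while (pos < len) {
        if (len - pos < 2 || (size_t)buf[pos + 1] > len - pos - 2) {
            *bad_off = pos; /* header missing or length field runs past the buffer */
            return -1;
        }
        pos += 2 + (size_t)buf[pos + 1];
        count++;
    }
    return count;
}

static int hex_nibble(char c)
{
    const char *d = "0123456789abcdef", *p = c ? strchr(d, c) : NULL;
    return p ? (int)(p - d) : -1;
}

/* Decode a lowercase hex string and validate its IEs; -2 means the hex is malformed. */
static int check_ies_hex(const char *hex, size_t *bad_off)
{
    unsigned char buf[256];
    size_t n = strlen(hex);
    if (n % 2 || n / 2 > sizeof(buf)) return -2;
    for (size_t i = 0; i < n; i += 2) {
        int hi = hex_nibble(hex[i]), lo = hex_nibble(hex[i + 1]);
        if (hi < 0 || lo < 0) return -2;
        buf[i / 2] = (unsigned char)(hi << 4 | lo);
    }
    return ie_walk(buf, n / 2, bad_off);
}

int main(void)
{
    size_t off = 0;
    int good = check_ies_hex(OWN_WPA_IE, &off), bad = check_ies_hex(REQ_IES, &off);
    return printf("own IE: %d, ReqIEs: %d (bad IE at offset %zu)\n", good, bad, off) < 0;
}
```

The reported ReqIEs fails at byte offset 33, the start of the `dd 16` element that carries only 9 of its declared 22 data bytes.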
