Panic with WEP

Jouni Malinen jkmaline
Fri Apr 25 20:25:29 PDT 2003

On Fri, Apr 25, 2003 at 02:43:53PM -0400, Martin Whitlock wrote:

> I have experienced the same problem, but in an ARM environment with 
> 0.0.1 release and 2.4.[18|19] kernel. I have made some debugging and it 
> turns out that there is a problem with hostbased wep decryption together 
> with fragmented frames. When I use a Lucent Orinoco client in windows it 
> seems as the defualt fragmentation size is 500 bytes, which means that a 
> lot of packets will be fragmented. I beleive that it is when the last 
> fragmented frame is decrypted, the resulting buffer size is false.

Thanks! That made it easy to debug.

The crash was indeed caused by skb->dev being NULL as Justin pointed
out. This happened when defragmentation code finished assembling the
frame (i.e., when processing the last fragment). However, this was not
the only issue in host-based decryption with defragmentation.. I don't
remember when I might have broken them, but I do remember having seen
them working before ;-).

Last eight encrypted octets of the first frame were included in the
defragmented frame which of course meant that the payload was incorrect.
I cleaned up the defragmentation code a bit and fixed this.

Both host_decrypt+defrag fixes are now in CVS.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list