UPDATED: DoS on hostap

Jouni Malinen jkmaline
Mon Apr 5 21:22:46 PDT 2004


On Sat, Apr 03, 2004 at 06:18:49AM +0100, M. Grabert wrote:

> Same for me (albeit on a rather 'obscure' platform: Linux/PA-RISC).
> 
> The entries I see in my kernel logs (of the server) are actually in the form
> 
>    "Could not find STA '00:01:XX:XX:XX:XX' for this TX error (@yyyyyyyy)"
> 
> where the four 'XX' bytes are the first four bytes of the *server's* wlan
> MAC address (i.e. as in XX:XX:XX:XX:xx:xx).

This is supposed to mean that the driver sent a packet to
00:01:XX:XX:XX:XX and that frame was not acknowledged. The processing of
the report failed because the said address was not found in the STA table.
Host AP is supposed to drop TX frames to non-associated addresses,
so this should not really happen. The off-by-two offset is somewhat
odd, though. So maybe this frame was actually to the XX:XX:XX:XX:xx:xx
address and it was misread from the wlan card.

I would expect this kind of error with PCI cards and old firmware (PRI
1.0.5, STA 1.3.4 or older), but you seem to be using newer versions that
have some bugs fixed in PCI access.

It might be worthwhile to print out the skb data buffer in
hostap_handle_sta_tx_exc() to find out what the hardware is trying to
report. If you are willing to test this, you could use the attached
patch to change the driver to do this.

> Also interesting is that the value for 'yyyyyy' of subsequent log entries
> is always increased by 12490-12510.

That value is a timestamp (number of timer ticks since system
startup). In your case, I would assume that HZ=100, so a 12500 difference
would be 125 seconds, and that matches what you write below.

> Another important note: the messages start to appear once a client
> connects to the server. From then on it never stops (if I disconnect/power off
> the client, the kernel log messages still continue to appear every 2:05 mins).

Were you using hostapd or not? Have you changed Host AP inactivity
timeout (normally 300 seconds)? Does the STA entry disappear from
/proc/net/hostap/wlan# within 10 minutes after you disconnect the
client? Do you get these messages even after that?

-- 
Jouni Malinen                                            PGP id EFC895FA
-------------- next part --------------
Index: driver/modules/hostap_ap.c
===================================================================
RCS file: /home/jm/cvsroot/hostap/driver/modules/hostap_ap.c,v
retrieving revision 1.96
diff -u -p -r1.96 hostap_ap.c
--- driver/modules/hostap_ap.c	6 Apr 2004 04:00:42 -0000	1.96
+++ driver/modules/hostap_ap.c	6 Apr 2004 04:21:09 -0000
@@ -2810,10 +2810,19 @@ void hostap_handle_sta_tx_exc(local_info
 	spin_lock(&local->ap->sta_table_lock);
 	sta = ap_get_sta(local->ap, hdr->addr1);
 	if (!sta) {
+		int i, len;
 		spin_unlock(&local->ap->sta_table_lock);
 		PDEBUG(DEBUG_AP, "%s: Could not find STA " MACSTR " for this "
 		       "TX error (@%lu)\n",
 		       local->dev->name, MAC2STR(hdr->addr1), jiffies);
+		len = skb->len;
+		if (len > 128)
+			len = 128;
+		printk(KERN_DEBUG "%s: TX exc[len=%d]:",
+		       local->dev->name, skb->len);
+		for (i = 0; i < len; i++)
+			printk(" %02x", skb->data[i]);
+		printk("\n");
 		return;
 	}
 
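Review bot: the hex dump is an unconditional printk(KERN_DEBUG ...) while the message just above it goes through PDEBUG(DEBUG_AP, ...); fine for a one-off diagnostic, but if this is to stay in the driver it should be guarded by the same debug level so every unmatched TX exception does not write up to 128 bytes to the log. Also the header prints `skb->len` while the loop is capped at `len` (128), so a reader cannot tell from the output that a longer frame was truncated; printing both, e.g. `"%s: TX exc[len=%d, dumped=%d]:"`, would make that explicit.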

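As an added illustration of the triage described in the reply (not code from the thread or from Host AP), this script parses the quoted "Could not find STA" lines, converts the jiffies deltas to seconds using an assumed HZ=100, and checks whether the logged address is the AP's own MAC shifted by two bytes. The log lines and the AP MAC below are constructed.

```python
import re

# Message format quoted in the thread: group 1 = addr1, group 2 = jiffies.
TX_EXC_RE = re.compile(
    r"Could not find STA '([0-9a-f:]{17})' for this TX error \(@(\d+)\)", re.I
)

# Constructed sample kernel log lines and a constructed (locally administered) AP MAC.
SAMPLE_LOG = [
    "wlan0: Could not find STA '00:01:02:11:22:33' for this TX error (@1001000)",
    "wlan0: Could not find STA '00:01:02:11:22:33' for this TX error (@1013500)",
    "wlan0: Could not find STA '00:01:02:11:22:33' for this TX error (@1026000)",
]
AP_MAC = "02:11:22:33:44:55"


def parse_tx_exc(lines):
    """Return (mac, jiffies) for every line matching the Host AP message."""
    out = []
    for line in lines:
        m = TX_EXC_RE.search(line)
        if m:
            out.append((m.group(1).lower(), int(m.group(2))))
    return out


def intervals_seconds(entries, hz=100):
    """Seconds between consecutive reports; jiffies are converted with HZ (assumed 100)."""
    return [(b - a) / hz for (_, a), (_, b) in zip(entries, entries[1:])]


def mac_shift(logged_mac, ap_mac):
    """Return k if the last 6-k bytes of logged_mac equal the first 6-k bytes of ap_mac
    (i.e. the AP address shifted right by k bytes), else None."""
    lg = logged_mac.lower().split(":")
    ap = ap_mac.lower().split(":")
    for k in range(1, 6):
        if lg[k:] == ap[:6 - k]:
            return k
    return None


def triage(lines, ap_mac, hz=100):
    """Summarise the log: report period and whether addr1 looks like a shifted AP MAC."""
    entries = parse_tx_exc(lines)
    return {
        "count": len(entries),
        "intervals_s": intervals_seconds(entries, hz),
        "shift": mac_shift(entries[0][0], ap_mac) if entries else None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, AP_MAC))
```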

