ccmp crashes kernel

Jouni Malinen jkmaline
Wed Feb 4 22:15:09 PST 2004

On Tue, Feb 03, 2004 at 11:39:55AM +0100, Marco Aime wrote:

> Well, I configured a single CCMP key manually... ("hostap_crypt_conf 
> wlan0 ff:ff:ff:ff:ff:ff CCMP ...")
> The killer packets do are arp requests, but I don't think it's a matter 
> of broadcast frames since pinging broadcast does work fine

> both use HostAP, one managed and one master mode, but just the AP crashes

Thanks, I was able to reproduce this. The crash happens when the AP
receives a frame to the broadcast address from the station. This frame
is sent both back to the wireless medium and to the Linux net stack.
When the copy that is sent to wireless medium is being freed
(dev_kfree_skb() in the end of hostap_master_start_xmit()), the kernel
crashes because a freed memory area is used again or something has
corrupted the skb that was first decrypted and then encrypted.

It looks like TKIP works in this case, so the problems is likely in CCMP
implementation. However, I did not find any obvious reason for this yet.
I will continue trying to figure out what is wrong here.

If you do not need the internal bridge between multiple association
stations, you could disable ap_bridge_packet as a workaround. I was able
to ping the AP when using CCMP with this workaround. Following command
can be used to disable the bridge:

iwpriv wlan0 bridge_packets 0

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list