Panic with WEP

Martin Whitlock martin.whitlock
Fri Apr 25 11:43:53 PDT 2003


I have experienced the same problem, but in an ARM environment with 
0.0.1 release and 2.4.[18|19] kernel. I have made some debugging and it 
turns out that there is a problem with hostbased wep decryption together 
with fragmented frames. When I use a Lucent Orinoco client in windows it 
seems as the defualt fragmentation size is 500 bytes, which means that a 
lot of packets will be fragmented. I beleive that it is when the last 
fragmented frame is decrypted, the resulting buffer size is false.
Jouni, could this be the case?

I have sniffed the traffic with Etherreal and the frames sent from the 
client seem to be in perfect order. The problem is easily repeated by 
configuring the AP with host_decrypt = 1and letting a fragmenting client 
ping with a packetsize > frag.

/Martin


Justin Reigle wrote:

> I've recently been playing with hostap, 802.1x, and WEP in conjunction
> with a Windows XP (post-SP1) station.
>
> Simple data transfer works fine (i.e. ping). If I do anything more than
> that, it doesn't take long before a panic occurs (reproducable).
>
> I managed to track the problem down to the line of code where a null
> pointer is dereferenced. The kernel version is 2.4.17. The code is in
> linux/net/core/dev.c:netif_rx. The macro, dev_hold() is called, with
> skb->dev passed to it. Here skb->dev is null, which causes the panic.
>
> I'm not sure why skb->dev is null, or where the actual bug is. This is
> a daily snapshot of the hostap code from this past sunday (march 16th).
> I see the same behavior with a month old snapshot.
>
> Here's some ksymoops output to provide a little more information:
> --------------------
>
> CPU:    0
> EIP:    0010:[<c0198dcd>]    Not tainted
> EFLAGS: 00010046
> eax: 00000000   ebx: c3a92ea0   ecx: 00000000   edx: c3a92eb0
> esi: 00000246   edi: 00000000   ebp: c3a63e08   esp: c3a63cd0
> ds: 0018   es: 0018   ss: 0018
> Process boa (pid: 1305, stackpage=c3a63000)
> Stack: c3a8c000 c356382e 00000283 00000000 00000000 c3a92ea0 c3a92efc 
> c784b69b
>        c3a92ea0 c11d6e00 c376b820 c11ad7e0 000001f4 c3435648 00000010 
> 08000004
>        00000096 691000a7 abc9c507 c3563852 c38949ac 00000000 15b28679 
> c3a63d8c
> Call Trace: [<c784b69b>] [<c7847a2d>] [<c019570c>] [<c784a88d>] 
> [<c783d7f9>]
>    [<c01958bb>] [<c0195a33>] [<c784c05b>] [<c784b74f>] [<c0115fde>] 
> [<c0115e43>]
>    [<c01fc382>] [<c01cb987>] [<c01929a1>] [<c019570c>] [<c784c29f>] 
> [<c0192aba>]
>    [<c012c126>] [<c0115651>] [<c0106cf3>]
> Code: ff 80 dc 00 00 00 b8 e0 26 26 c0 83 c0 0c 89 43 08 8b 50 08
>
> >>EIP; c0198dcd <netif_rx+4d/110>   <=====
> Trace; c784b69b <[hostap]hostap_proc+573b/13100>
> Trace; c7847a2d <[hostap]hostap_proc+1acd/13100>
> Trace; c019570c <alloc_skb+dc/1b0>
> Trace; c784a88d <[hostap]hostap_proc+492d/13100>
> Trace; c783d7f9 <[hostap]hostap_info_process+55/1f0>
> Trace; c01958bb <kfree_skbmem+b/70>
> Trace; c0195a33 <__kfree_skb+113/120>
> Trace; c784c05b <[hostap]hostap_proc+60fb/13100>
> Trace; c784b74f <[hostap]hostap_proc+57ef/13100>
> Trace; c0115fde <tasklet_action+3e/70>
> Trace; c0115e43 <do_softirq+53/a0>
> Trace; c01fc382 <stext_lock+26a2/3516>
> Trace; c01cb987 <inet_recvmsg+37/50>
> Trace; c01929a1 <sock_recvmsg+31/b0>
> Trace; c019570c <alloc_skb+dc/1b0>
> Trace; c784c29f <[hostap]hostap_proc+633f/13100>
> Trace; c0192aba <sock_read+8a/a0>
> Trace; c012c126 <sys_read+96/d0>
> Trace; c0115651 <sys_time+11/50>
> Trace; c0106cf3 <system_call+33/40>
> Code;  c0198dcd <netif_rx+4d/110>
> 00000000 <_EIP>:
> Code;  c0198dcd <netif_rx+4d/110>   <=====
>    0:   ff 80 dc 00 00 00         incl   0xdc(%eax)   <=====
> Code;  c0198dd3 <netif_rx+53/110>
>    6:   b8 e0 26 26 c0            mov    $0xc02626e0,%eax
> Code;  c0198dd8 <netif_rx+58/110>
>    b:   83 c0 0c                  add    $0xc,%eax
> Code;  c0198ddb <netif_rx+5b/110>
>    e:   89 43 08                  mov    %eax,0x8(%ebx)
> Code;  c0198dde <netif_rx+5e/110>
>   11:   8b 50 08                  mov    0x8(%eax),%edx
>
>  <0>Kernel panic: Aiee, killing interrupt handler







More information about the Hostap mailing list