Panic with WEP, fragmented frames and ap_bridge_packets=1

Jouni Malinen jkmaline
Thu Nov 6 21:04:25 PST 2003

On Wed, Nov 05, 2003 at 03:00:09PM +0100, Martin Whitlock wrote:

> It seems as an old ghost has occurred again. In April I reported a bug 
> where a kernel panic occurred when using WEP and transmitting fragmented 
> data frames. That bug was solved (see below) but it seems as the same 
> problem still exists when fragmented, encrypted data frames are sent 
> between two associated clients with ap_bridge_packets=1. The problem is 
> reproducible:

Thanks for reporting this! I haven't really been testing the internal
bridging code lately.. It did not actually work at all in the
development branch and both branches had this crashing issue.

This was not actually the same old ghost; or this was just a part of it.
The fix for the bug you reported in April fixed STA->AP, not the
STA1->AP->STA2 case. Of course, I missed an identical bug just a couple of
lines above this for the bridging case.. skb2->dev was not set and
dev_queue_xmit() ends up dereferencing a NULL pointer. A one-liner fix is
in CVS for both branches and attached here.

Jouni Malinen                                            PGP id EFC895FA
-------------- next part --------------
Index: driver/modules/hostap_80211_rx.c
RCS file: /home/jm/cvsroot/hostap/driver/modules/hostap_80211_rx.c,v
retrieving revision
retrieving revision
diff -u -p -U5 -r1.9.2.2 -r1.9.2.3
--- driver/modules/hostap_80211_rx.c	2 Nov 2003 19:42:57 -0000
+++ driver/modules/hostap_80211_rx.c	7 Nov 2003 04:46:50 -0000
@@ -834,10 +834,11 @@ void hostap_80211_rx(struct net_device *
 	if (skb2 != NULL) {
 		/* send to wireless media */
 		skb2->protocol = __constant_htons(ETH_P_802_3);
 		skb2->mac.raw = skb2->nh.raw = skb2->data;
 		/* skb2->nh.raw = skb2->data + ETH_HLEN; */
+		skb2->dev = dev;
 	if (skb) {
 		skb->protocol = eth_type_trans(skb, dev);
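
Review bot: the added `skb2->dev = dev;` at the end of the `if (skb2 != NULL)` block has no comment saying why it is required, and the message above describes this as the second time the same assignment was missed on a receive path. A one-line comment stating that the transmit call dereferences `skb2->dev` would make the dependency visible to whoever next touches the bridging branch. The commented-out `skb2->nh.raw = skb2->data + ETH_HLEN;` line directly above it is dead code; either drop it in the same change or add a note on why it is kept.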
