Hello,

Short problem description: mac80211 framework sends a possibly invalid assoc request (802.11a)

Patch url download (if the attachment is unusable or stripped): http://www.radiotube.org/mac80211_emptyext.diff

PROBLEM DESCRIPTION

The association request includes a list of supported data rates.

802.11b: 4 supported rates.
802.11g: 12 (8 + 4) supported rates.
802.11a: 8 supported rates.

The rates tag of the assoc request has room for only 8 rates. In case of 802.11g an extended rate tag is appended. However in net/wireless/mlme.c an extended (empty) rate tag is also appended if the number of rates is exactly 8.

Pseudo-code of current mlme.c implementation:

    for (i = 0; i < num_rates && i < 8; i++)
        ... append_rate ...;
    if (i == 8) { /* <-- problem */
        length = num_rates - i;
        ... append ext rate ...;
    }

The correct way to do this should be more like:

    for (i = 0; i < num_rates && i < 8; i++)
        ... append_rate ...;
    if (i < num_rates) { /* <--note this */
        length = num_rates - i;
        ... append ext rate ...
    }

A ZyXEL G-570U access point does not accept this empty extended rates tag. It responds with an 'association denied' with code 18 (unsupported rates). I do not know if this is correct behaviour, but as far as I can see it would be wise to not send an empty extended rates tag anyway.

Kernel version:

Linux version 2.6.27-rc4 (sigsegv@challenger) (gcc version 4.3.1 (Debian 4.3.1-9) ) #9 SMP Sun Aug 24 22:24:27 CEST 2008

Wireless card (dmesg):

iwl3945: Intel(R) PRO/Wireless 3945ABG/BG Network Connection driver for Linux, 1.2.26kds
iwl3945: Copyright(c) 2003-2008 Intel Corporation
iwl3945 0000:03:00.0: PCI INT A -> GSI 17 (level, low) -> IRQ 17
iwl3945 0000:03:00.0: setting latency timer to 64
iwl3945: Detected Intel Wireless WiFi Link 3945ABG
iwl3945: Tunable channels: 13 802.11bg, 23 802.11a channels

Debug output from mac80211 and iwl3945:

phy0: HW CONFIG: freq=5180
phy0: HW CONFIG: freq=5180
wlan0_rename: Initial auth_alg=0
wlan0_rename: authenticate with AP 00:19:cb:2f:4b:95
phy0: TX to low-level driver (len=30) FC=0x00b0 DUR=0x003c A1=00:19:cb:2f:4b:95 A2=00:1b:77:40:82:46 A3=00:19:cb:2f:4b:95
phy0: HW CONFIG: freq=5180
wlan0_rename: Initial auth_alg=0
wlan0_rename: authenticate with AP 00:19:cb:2f:4b:95
phy0: TX to low-level driver (len=30) FC=0x00b0 DUR=0x003c A1=00:19:cb:2f:4b:95 A2=00:1b:77:40:82:46 A3=00:19:cb:2f:4b:95
wlan0_rename: RX authentication from 00:19:cb:2f:4b:95 (alg=0 transaction=2 status=0)
wlan0_rename: authenticated
wlan0_rename: associate with AP 00:19:cb:2f:4b:95
phy0: TX to low-level driver (len=46) FC=0x0000 DUR=0x003c A1=00:19:cb:2f:4b:95 A2=00:1b:77:40:82:46 A3=00:19:cb:2f:4b:95
wlan0_rename: authentication frame received from 00:19:cb:2f:4b:95, but not in authenticate state - ignored
wlan0_rename: authentication frame received from 00:19:cb:2f:4b:95, but not in authenticate state - ignored
wlan0_rename: RX AssocResp from 00:19:cb:2f:4b:95 (capab=0x421 status=18 aid=0)
wlan0_rename: AP denied association (code=18)
wlan0_rename: associate with AP 00:19:cb:2f:4b:95
phy0: TX to low-level driver (len=46) FC=0x0000 DUR=0x003c A1=00:19:cb:2f:4b:95 A2=00:1b:77:40:82:46 A3=00:19:cb:2f:4b:95
wlan0_rename: RX AssocResp from 00:19:cb:2f:4b:95 (capab=0x421 status=18 aid=0)
wlan0_rename: AP denied association (code=18)
wlan0_rename: associate with AP 00:19:cb:2f:4b:95
phy0: TX to low-level driver (len=46) FC=0x0000 DUR=0x003c A1=00:19:cb:2f:4b:95 A2=00:1b:77:40:82:46 A3=00:19:cb:2f:4b:95
wlan0_rename: RX AssocResp from 00:19:cb:2f:4b:95 (capab=0x421 status=18 aid=0)
wlan0_rename: AP denied association (code=18)
wlan0_rename: association with AP 00:19:cb:2f:4b:95 timed out

Regards
Jan-Espen Pettersen

Patch url download (if the attachment is unusable or stripped): http://www.radiotube.org/mac80211_emptyext.diff

--- net/mac80211/mlme.c.old 2008-08-25 00:19:30.000000000 +0200 +++ net/mac80211/mlme.c 2008-08-24 22:21:16.000000000 +0200 @@ -813,7 +813,7 @@ } } - if (count == 8) { + if (count == 8 && rates_len > count) { pos = skb_put(skb, rates_len - count + 2); *pos++ = WLAN_EID_EXT_SUPP_RATES; *pos++ = rates_len - count;
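
Review bot: the guard on the changed line, `if (count == 8 && rates_len > count)`, still carries the `count == 8` test, while the description proposes the single comparison `i < num_rates`. If the preceding loop caps `count` at 8 as the pseudo-code in the report states, `rates_len > count` alone expresses the intent and is what keeps `rates_len - count` positive in both the `skb_put()` size and the tag length byte, so consider dropping the redundant half or adding a one-line comment saying the extended tag must never be empty. The report names net/wireless/mlme.c but the hunk touches net/mac80211/mlme.c, so the description should be corrected to match. The patch as posted has no Signed-off-by line and uses a `mlme.c.old` header rather than a tree-relative -p1 path.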
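
The rate-tag logic described in the report, as an added example that is not part of the original mail and is not kernel code: it builds the supported rates tag and the extended rates tag with either the reported or the corrected condition, so the empty extended tag for exactly 8 rates can be seen in the output bytes. The helper name `build_rate_tags`, its parameters and the sample rate arrays are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EID_SUPP_RATES     1   /* Supported Rates element ID */
#define EID_EXT_SUPP_RATES 50  /* Extended Supported Rates element ID */
#define MAX_SUPP_RATES     8   /* the first tag has room for 8 rates */

/* Constructed sample data: rates in units of 500 kb/s. */
static const uint8_t rates_11a[8] = { 12, 18, 24, 36, 48, 72, 96, 108 };
static const uint8_t rates_11g[12] = { 2, 4, 11, 22, 12, 18, 24, 36, 48, 72, 96, 108 };

/* Hypothetical helper, not kernel code: writes the rate tags for n rates
 * into out and returns the bytes written (0 if n or cap is out of range).
 * fixed == 0 reproduces the reported condition, fixed != 0 the corrected one. */
size_t build_rate_tags(const uint8_t *rates, size_t n, int fixed,
                       uint8_t *out, size_t cap)
{
    size_t first = n < MAX_SUPP_RATES ? n : MAX_SUPP_RATES;
    size_t rest = n - first;
    int want_ext = fixed ? (rest > 0) : (first == MAX_SUPP_RATES);
    size_t need = 2 + first + (want_ext ? 2 + rest : 0);
    size_t pos = 0;

    if (rest > 255 || cap < need)   /* tag length is a single byte */
        return 0;

    out[pos++] = EID_SUPP_RATES;
    out[pos++] = (uint8_t)first;
    memcpy(out + pos, rates, first);
    pos += first;

    if (want_ext) {
        out[pos++] = EID_EXT_SUPP_RATES;
        out[pos++] = (uint8_t)rest;   /* 0 when exactly 8 rates: empty tag */
        memcpy(out + pos, rates + first, rest);
        pos += rest;
    }
    return pos;
}

int main(void)
{
    uint8_t buf[64];
    printf("11a reported: %zu bytes\n", build_rate_tags(rates_11a, 8, 0, buf, sizeof buf));
    printf("11a corrected: %zu bytes\n", build_rate_tags(rates_11a, 8, 1, buf, sizeof buf));
    printf("11g corrected: %zu bytes\n", build_rate_tags(rates_11g, 12, 1, buf, sizeof buf));
    return 0;
}
```

With the 8-rate 802.11a list the reported condition emits two extra bytes (tag 50, length 0) after the first tag; the 12-rate 802.11g list produces the same output under both conditions.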