Comment 98 for bug 339891

Gro-Tsen (david-madore) wrote :

I believe I can offer some enlightenment on what is going on behind this bug (or at least a related problem which affords the same description). When the rt2860 driver (say, version 1.8.0.0) attempts to associate to a station offering WPA/WPA2 encryption, it sends in the (association) management frame an RSN IE describing the cipher suite; but whoever wrote this bit of the source code forgot to add the appropriate header (type+length) to the data chunk in the frame. So the access point receives malformed data and, depending on how picky it is, it will ignore just the end of the data (in which case there are few problems) or the entire frame (in which case association is not possible). The incriminated code is in sta/assoc.c, function MlmeAssocReqAction(), around the call to MakeOutgoingFrame() which refers to pAd->StaCfg.RSN_IE - in fact, it's a bit more subtle, because there are several different calls with #ifdef's around them, and only one is incorrect (it forgets to refer to pAd->StaCfg.RSNIE_Len), so the bug only occurs when NATIVE_WPA_SUPPLICANT_SUPPORT is set and SIOCSIWGENIE is defined.

Now it seems that RaLink fixed this problem in a version 1.7.1.1 of their driver, but the fix was not carried forward to the 1.8.0.0 and later versions. As far as I can make out, version 2.1.2.0 of their driver *still* has the bug (read lines 519-521 of sta/assoc.c: obviously there is a type and length field missing when compared to the next call to the same function). So I can't quite imagine why people are finding that version 2.1.2.0 fixes the problem: it definitely sends malformed frames and should be fixed.

The version of the RaLink driver which is included in the staging/ area of stock kernels will fix the problem starting from 2.6.30: the appropriate commit is this one: <URL: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=ed291e8051ee418de7ccd3507c1e783323fd1c35 > (commit ed291e80 by Adam McDaniel), which merges the 1.7.1.1 version fixes into the 1.8.0.0 version of the RaLink driver. The latter fix can trivially be backported to 2.6.28 or 2.6.29 kernels, so I would advise Ubuntu to do exactly that: use the staging/ copy of the driver and apply the patch I just linked to.

Attached is a more detailed description of the problem (including a trace of an incorrect management frame), which I sent to Greg Kroah-Hartman before noticing that the problem was fixed in 2.6.30 anyway.
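As an added illustration (not part of this comment, nor code from the RaLink driver), the following Python model shows how an access point walks the element list of an association request: an RSN body carrying its element ID and length header decodes as an RSN IE, while the same body sent without that header is misread as other elements and, depending on how strict the parser is, either gets the whole list rejected or simply yields no RSN IE. The SSID and RSN bytes are constructed sample values, not from the attached trace.

```python
import struct

RSN_EID = 48  # 802.11 element ID of the RSN information element

# Constructed sample bytes (not from the bug report): an SSID element and an
# RSN body for WPA2-PSK/CCMP: version 1, group CCMP, one pairwise CCMP,
# one AKM PSK (00-0F-AC:2), capabilities 0.
SSID_IE = bytes([0, 3]) + b"lab"
RSN_BODY = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")

def build_ie(eid: int, body: bytes) -> bytes:
    """Prepend the (element ID, length) header that the buggy driver call omits."""
    return bytes([eid, len(body)]) + body

def parse_ies(buf: bytes, strict: bool = True):
    """Walk an ID/length/value element list. strict=True rejects inconsistent
    framing (a picky AP); strict=False keeps what parsed so far (a lenient AP)."""
    ies, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf) or off + 2 + buf[off + 1] > len(buf):
            if strict:
                raise ValueError(f"inconsistent IE framing at offset {off}")
            break
        eid, ln = buf[off], buf[off + 1]
        ies.append((eid, buf[off + 2:off + 2 + ln]))
        off += 2 + ln
    return ies

def parse_rsn(body: bytes) -> dict:
    """Decode the RSN body: version, group cipher, pairwise list, AKM list."""
    version, = struct.unpack_from("<H", body, 0)
    n_pair, = struct.unpack_from("<H", body, 6)
    pairwise = [body[8 + 4 * i:12 + 4 * i].hex() for i in range(n_pair)]
    off = 8 + 4 * n_pair
    n_akm, = struct.unpack_from("<H", body, off)
    akm = [body[off + 2 + 4 * i:off + 6 + 4 * i].hex() for i in range(n_akm)]
    return {"version": version, "group": body[2:6].hex(), "pairwise": pairwise, "akm": akm}

def check_assoc_ies(buf: bytes, strict: bool = True):
    """AP-side view of the request's element list: (decoded RSN IE, None)
    or (None, reason the association request would not be accepted)."""
    try:
        ies = parse_ies(buf, strict)
    except ValueError as e:
        return None, str(e)
    for eid, val in ies:
        if eid == RSN_EID:
            return parse_rsn(val), None
    return None, "no RSN IE found"

# What the driver should send, versus the header-less body the buggy call emits.
GOOD_FRAME_IES = SSID_IE + build_ie(RSN_EID, RSN_BODY)
BAD_FRAME_IES = SSID_IE + RSN_BODY

if __name__ == "__main__":
    for name, ies in (("correct", GOOD_FRAME_IES), ("missing header", BAD_FRAME_IES)):
        for strict in (True, False):
            print(name, "strict" if strict else "lenient", check_assoc_ies(ies, strict))
```

The header-less body is consumed as a bogus Supported Rates element and an SSID element, which is why a lenient AP sees no cipher suite at all and a strict one drops the request outright.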