From: Arend van Spriel <arend.vanspriel@broadcom.com>
To: "Rafał Miłecki" <rafal@milecki.pl>,
"Hante Meuleman" <hante.meuleman@broadcom.com>
Cc: "Rafał Miłecki" <zajec5@gmail.com>,
"Kalle Valo" <kvalo@codeaurora.org>,
"Franky Lin" <franky.lin@broadcom.com>,
"Chi-Hsien Lin" <chi-hsien.lin@cypress.com>,
"Wright Feng" <wright.feng@cypress.com>,
"Pieter-Paul Giesberts" <pieter-paul.giesberts@broadcom.com>,
linux-wireless@vger.kernel.org,
"BRCM80211-DEV-LIST,PDL" <brcm80211-dev-list.pdl@broadcom.com>,
brcm80211-dev-list@cypress.com
Subject: Re: [PATCH] brcmfmac: detect & reject faked packet generated by a firmware
Date: Thu, 1 Feb 2018 12:04:10 +0100
Message-ID: <5A72F42A.5090700@broadcom.com>
In-Reply-To: <f64b5ee40e534046c47a5675a078706f@milecki.pl>

On 2/1/2018 11:42 AM, Rafał Miłecki wrote:
> On 2018-01-31 17:14, Hante Meuleman wrote:
>> It is an 802.2 frame, more specifically an LLC XID frame. So why does it
>> exist? And moreover, why would we crash as a result? Decoding info can be
>> found here:
>>
>> https://www.cisco.com/c/en/us/support/docs/ibm-technologies/logical-link-control-llc/12247-45.html#con3
>>
>>
>> The frame was likely sent by the stack from remote site PC, should be
>> possible to capture with tcpdump.
>>
>> I've seen these frames before, but don’t know what they are for. The
>> frame appears to be correctly encoded. The ethertype is not a type, but
>> a len field. The only protocol with such a short len allowed is llc, see
>> also
>>
>> https://www.savvius.com/networking-glossary/ethernet/frame_formats/
>>
>> So it is 802.2 (also known as LLC)
>
> Please, try to accept for a moment that it may be really a *firmware*
> doing something unexpected. I feel you don't really want to trust my
> research and conclusions ;)

We do. What Hante is saying is that it is a valid packet and we should
not discard it.

> Maybe you can spend a moment and try to reproduce this problem? It
> should be rather simple, I see this packet every time.

I tried on my OpenWrt box, which is a bridged config, but did not see it.

> Why I'm blaming a firmware:
>
> 1) I see that packet being sent no matter what device tries to connect
> (Linux, Android, Windows).
>
> 2) I can't see that packet when connecting the same devices to a
> non-Broadcom AP.
>
> 3) Running Wireshark on my Linux notebook never shows that packet
> leaving my notebook.
>
> 4) Running an independent device in monitor mode never catches that packet
> in the air.
>
> I really tried to do my homework well before sending this patch. I see
> no other explanation for this packet's existence.

Ok.

> Could you try grepping your firmware source looking for some LLC references?
> Maybe there is really something you can find there to confirm this
> issue?

Will do.

> P.S.
> Arend's right, firmware isn't crashing, I never said that :)

Regards,
Arend
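
Added example, not part of the original message and not brcmfmac code: a receive-side classifier for the distinction discussed in the thread, where the 16-bit field after the MAC addresses is an 802.3 length (followed by an 802.2 LLC header) rather than an EtherType, and an LLC XID frame is recognised by its control byte. All function and constant names are hypothetical and the sample frames are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All names here are hypothetical; none come from brcmfmac. */
enum frame_kind { FRAME_TOO_SHORT, FRAME_INVALID, FRAME_ETHERTYPE,
                  FRAME_LLC_XID, FRAME_LLC_OTHER };

#define ETH_HDR_LEN  14     /* dst MAC, src MAC, type/length */
#define ETH_MAX_LEN  1500   /* field <= 1500: 802.3 payload length */
#define ETH_MIN_TYPE 0x0600 /* field >= 0x0600: EtherType */
#define LLC_HDR_LEN  3      /* DSAP, SSAP, one-byte U-format control */
#define LLC_CTRL_XID 0xAF   /* XID control value with the P/F bit cleared */
#define LLC_PF_BIT   0x10

enum frame_kind classify_frame(const uint8_t *buf, size_t len)
{
    uint16_t type_len;
    if (len < ETH_HDR_LEN)
        return FRAME_TOO_SHORT;
    type_len = (uint16_t)((buf[12] << 8) | buf[13]);
    if (type_len >= ETH_MIN_TYPE)
        return FRAME_ETHERTYPE;
    /* 1501..1535 is undefined, and a length must fit the received data. */
    if (type_len > ETH_MAX_LEN || type_len < LLC_HDR_LEN ||
        type_len > len - ETH_HDR_LEN)
        return FRAME_INVALID;
    if ((buf[ETH_HDR_LEN + 2] & ~LLC_PF_BIT) == LLC_CTRL_XID)
        return FRAME_LLC_XID;
    return FRAME_LLC_OTHER;
}

/* Constructed sample: broadcast LLC XID frame with length field 6. */
static const uint8_t sample_xid[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
    0x00, 0x06, 0x00, 0x01, 0xaf, /* length 6; DSAP, SSAP, control = XID */
    0x81, 0x01, 0x00 };           /* XID information field */
/* Constructed sample: header only, EtherType 0x0800 (IPv4). */
static const uint8_t sample_ipv4[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
    0x08, 0x00 };

int main(void)
{
    printf("xid=%d ipv4=%d truncated=%d\n",
           classify_frame(sample_xid, sizeof(sample_xid)),
           classify_frame(sample_ipv4, sizeof(sample_ipv4)),
           classify_frame(sample_xid, sizeof(sample_xid) - 4));
    return 0;
}
```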