From: Arend van Spriel <arend.vanspriel@broadcom.com>
To: "Rafał Miłecki" <rafal@milecki.pl>,
"Hante Meuleman" <hante.meuleman@broadcom.com>
Cc: "Rafał Miłecki" <zajec5@gmail.com>,
"Kalle Valo" <kvalo@codeaurora.org>,
"Franky Lin" <franky.lin@broadcom.com>,
"Chi-Hsien Lin" <chi-hsien.lin@cypress.com>,
"Wright Feng" <wright.feng@cypress.com>,
"Pieter-Paul Giesberts" <pieter-paul.giesberts@broadcom.com>,
linux-wireless@vger.kernel.org,
"BRCM80211-DEV-LIST,PDL" <brcm80211-dev-list.pdl@broadcom.com>,
brcm80211-dev-list@cypress.com
Subject: Re: [PATCH] brcmfmac: detect & reject faked packet generated by a firmware
Date: Thu, 1 Feb 2018 13:23:44 +0100 [thread overview]
Message-ID: <5A7306D0.7020900@broadcom.com> (raw)
In-Reply-To: <194eff6f46f740bf11edd110de1d0b7e@milecki.pl>
On 2/1/2018 12:48 PM, Rafał Miłecki wrote:
> On 2018-01-31 17:14, Hante Meuleman wrote:
>> It is an 802.2 frame, more specifically a LLC XID frames. So why it
>> exists?
>> And more over, why would we crash as an result? Decoding info can be
>> found
>> here:
>>
>> https://www.cisco.com/c/en/us/support/docs/ibm-technologies/logical-link-control-llc/12247-45.html#con3
>>
>>
>> The frame was likely sent by the stack from remote site PC, should be
>> possible to capture with tcpdump.
>>
>> I've seen these frames before, but don’t know what they are for. The
>> frame
>> appears to be correctly encoded. The ethertype, is not a type, but a len
>> field. The only protocol with such a short len allowed is llc, see also
>>
>> https://www.savvius.com/networking-glossary/ethernet/frame_formats/
>>
>> So it is 802.2 (also known as LLC)
>
> This was actually quite helpful, thanks! Googling for "802.11 LLC XID
> association" pointed me to some Google-indexed books:
> 1) Internet Protocols: Advances, Technologies and Applications
> 2) Broadband Wireless Access and Local Networks: Mobile WiMax and WiFi
>
> Both of them describe IAPP standard which appears as IEEE 802.11f on
> Wikipedia. It seems to be some old & obsolete roaming standard that was
> replaced by 802.11r.
>
> There is ADD operation defined by the 802.11f which is triggered "when a
> station is newly associated". It also says "The frame is sent using a
> MAC source address equal to the MAC address of the station".
>
> So far it seems to match what I'm seeing. My guess is that Broadcom's
> firmware includes some kind of support for the 802.11f. I'm still not
> sure if that is really firmware's responsibility to handle that though.
I was just writing up a reply. It is indeed an IAPP packet. So it is a
802.11f packet and our firmware implements the 802.11 stack. What makes
you think it is not firmware responsibility. It goes along with MLME
states. The firmware change has been made centuries ago as far as I can
tell.
Anyway, the packet should not have been sent back to us as it will
result in intended disassociate. So what kernel are you running on. I am
not seeing it on 4.4 kernel, but I am in the middle of another debugging
session. However, I was able to associate just fine.
Regards,
Arend
prev parent reply other threads:[~2018-02-01 12:23 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-30 9:09 [PATCH] brcmfmac: detect & reject faked packet generated by a firmware Rafał Miłecki
2018-01-30 11:30 ` Arend van Spriel
2018-01-31 13:11 ` Rafał Miłecki
2018-01-31 14:00 ` Arend van Spriel
2018-01-30 11:47 ` Arend van Spriel
2018-01-31 13:14 ` Rafał Miłecki
2018-01-31 14:19 ` Arend van Spriel
2018-01-31 16:14 ` Hante Meuleman
2018-01-31 18:02 ` Arend van Spriel
2018-02-01 10:42 ` Rafał Miłecki
2018-02-01 11:04 ` Arend van Spriel
2018-02-01 11:16 ` Rafał Miłecki
2018-02-01 11:48 ` Rafał Miłecki
2018-02-01 12:23 ` Arend van Spriel [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5A7306D0.7020900@broadcom.com \
--to=arend.vanspriel@broadcom.com \
--cc=brcm80211-dev-list.pdl@broadcom.com \
--cc=brcm80211-dev-list@cypress.com \
--cc=chi-hsien.lin@cypress.com \
--cc=franky.lin@broadcom.com \
--cc=hante.meuleman@broadcom.com \
--cc=kvalo@codeaurora.org \
--cc=linux-wireless@vger.kernel.org \
--cc=pieter-paul.giesberts@broadcom.com \
--cc=rafal@milecki.pl \
--cc=wright.feng@cypress.com \
--cc=zajec5@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).