|
Shannon Gu
09/16/2008 6:00 PM
post13524
|
Hi Robert,
This is Shannon again, recently we have been observing some problems while testing our WIFI resource manager which
manage wireless driver in security mode;
1. packet content has been cut off; when our AP set up the mode to both WPA and WPA2, the scan results received from
ieee80211 driver showed only WPA, seems that WPA2 ie has been lost; but APs with either one mode set are fine;
2. getting scan results via select() will either time out or encounter count errors when a lot of APs (roughly more than
20) presents;
memcpy() does not guarantee to work on overlapping buffer, my question is have you seen these problems before? I think
at least this routine is very suspicious especially there are larger buffers involved, could you let me know the reason
why this has not been changed to memmove()?
Regards,
Shannon
|
|
|
|
|
|
Sean Boudreau(deleted)
09/16/2008 6:28 PM
post13526
|
On Tue, Sep 16, 2008 at 06:00:35PM -0400, Shannon Gu wrote:
> Hi Robert,
>
> This is Shannon again, recently we have been observing some problems while testing our WIFI resource manager which
manage wireless driver in security mode;
>
> 1. packet content has been cut off; when our AP set up the mode to both WPA and WPA2, the scan results received from
ieee80211 driver showed only WPA, seems that WPA2 ie has been lost; but APs with either one mode set are fine;
>
> 2. getting scan results via select() will either time out or encounter count errors when a lot of APs (roughly more
than 20) presents;
>
> memcpy() does not guarantee to work on overlapping buffer, my question is have you seen these problems before? I think
at least this routine is very suspicious especially there are larger buffers involved, could you let me know the reason
why this has not been changed to memmove()?
Which instance of memcpy() are you refering to?
-seanb
|
|
|
|
|
|
Shannon Gu
09/16/2008 6:32 PM
post13528
|
the one in ieee80211_ioctl_getscanresults() and related functions.
Thx,
Shannon
|
|
|
|
|
|
Andrew Boyd(deleted)
09/17/2008 9:14 AM
post13546
|
> memcpy() in ieee80211_ioctl_getscanresults()
Could you explain how the source and destination
pointers of the three memcpy()'s in
ieee80211_ioctl_getscanresults() could be overlapping?
I've looked through the source, and it isn't obvious
to me (sorry).
--
aboyd
|
|
|
|
|
|
Sean Boudreau(deleted)
09/17/2008 10:03 AM
post13561
|
On Tue, Sep 16, 2008 at 06:32:09PM -0400, Shannon Gu wrote:
> the one in ieee80211_ioctl_getscanresults() and related functions.
>
> Thx,
> Shannon
I don't see an issue with the three memcpy()s in
ieee80211_ioctl_getscanresults(). They're
copying from various dests to a new buffer on the
stack. The buffer on the stack then gets copied
out to userland with copyout().
-seanb
|
|
|
|
|
|
Sean Boudreau(deleted)
09/17/2008 10:08 AM
post13565
|
> On Tue, Sep 16, 2008 at 06:32:09PM -0400, Shannon Gu wrote:
> > the one in ieee80211_ioctl_getscanresults() and related functions.
> >
> > Thx,
> > Shannon
>
> I don't see an issue with the three memcpy()s in
> ieee80211_ioctl_getscanresults(). They're
> copying from various dests to a new buffer on the
^^^^^
srcs
> stack. The buffer on the stack then gets copied
> out to userland with copyout().
>
> -seanb
|
|
|
|
|
|
Robert Craig
09/17/2008 10:11 AM
post13567
|
Out of curiosity, why would you think that there's a problem with the
memcpy? Do you know for sure that all of the scan information is being
retrieved?
Don't know if this will help, but you can turn on debugging in the
802.11 stack
The debug information dump is compiled in and enabled / disabled using
sysctls. If you do:
sysctl -a | grep 80211
with a WiFi driver, you'll see net.link.ieee80211.debug and
net.link.ieee80211.vap0.debug sysctls.
sysctl -w net.link.ieee80211.debug = 1
sysctl -w net.link.ieee80211.vap0.debug=0xffffffff
turns on the debug output and now when you type "sloginfo" you'll see
the debug log output being generated.
Robert.
-----Original Message-----
From: Shannon Gu [mailto:community-noreply@qnx.com]
Sent: Tuesday, September 16, 2008 6:32 PM
To: drivers-networking
Subject: Re: memcpy()
the one in ieee80211_ioctl_getscanresults() and related functions.
Thx,
Shannon
_______________________________________________
Networking Drivers
http://community.qnx.com/sf/go/post13528
|
|
|
|
|
|
Shannon Gu
09/18/2008 12:47 PM
post13618
|
Robert,
Apparently I can not turn the debug on, which I have no idea of:
[/fcp/bin]# sysctl -a |grep 80211
net.link.ieee80211.debug = 0
net.link.ieee80211.vap0.parent = ath0
net.link.ieee80211.vap0.debug = 0
net.link.ieee80211.vap0.inact_run = 300
net.link.ieee80211.vap0.inact_probe = 30
net.link.ieee80211.vap0.inact_auth = 180
net.link.ieee80211.vap0.inact_init = 30
net.link.ieee80211.vap0.driver_caps = 126084367
net.link.ieee80211.vap0.bmiss_max = 2
[/fcp/bin]# sysctl -w net.link.ieee80211.vap0.debug = 0xffffffff
net.link.ieee80211.vap0.debug = 0
sysctl: top level name '' in '' is invalid
[/fcp/bin]# sysctl -w net.link.ieee80211.debug = 1
net.link.ieee80211.debug = 0
sysctl: top level name '' in '' is invalid
[/fcp/bin]# sysctl -a |grep 80211
net.link.ieee80211.debug = 0
net.link.ieee80211.vap0.parent = ath0
net.link.ieee80211.vap0.debug = 0
net.link.ieee80211.vap0.inact_run = 300
net.link.ieee80211.vap0.inact_probe = 30
net.link.ieee80211.vap0.inact_auth = 180
net.link.ieee80211.vap0.inact_init = 30
net.link.ieee80211.vap0.driver_caps = 126084367
net.link.ieee80211.vap0.bmiss_max = 2
[/fcp/bin]#
Could you pls. let me know what is wrong here?
Thanks a lot,
Regards,
Shannon
|
|
|
|
|
|
Andrew Boyd(deleted)
09/18/2008 12:59 PM
post13621
|
Try it without the spaces ie
# sysctl -w foo=0
--
aboyd
|
|
|
|
|
|
Shannon Gu
09/16/2008 6:30 PM
post13527
|
Regarding #1 problem in my last post "
1. packet content has been cut off; when our AP set up the mode to both WPA and WPA2, the scan results received from
ieee80211 driver showed only WPA, seems that WPA2 ie has been lost;"
when I look at source code of ieee80211_ioctl_getscanresults(); I am not quite sure if it can handle mixed mode ( when
both WPA and WPA2 presents)
it seems like only have one place for wpa_ie -- could you shed some lights here?
Thanks a lot,
Regards,
Shannon
|
|
|
|
|
|
Yao Zhao(deleted)
04/08/2009 9:47 PM
post26476
|
>
> Regarding #1 problem in my last post "
> 1. packet content has been cut off; when our AP set up the mode to both WPA
> and WPA2, the scan results received from ieee80211 driver showed only WPA,
> seems that WPA2 ie has been lost;"
>
> when I look at source code of ieee80211_ioctl_getscanresults(); I am not quite
> sure if it can handle mixed mode ( when both WPA and WPA2 presents)
> it seems like only have one place for wpa_ie -- could you shed some lights
> here?
>
> Thanks a lot,
> Regards,
> Shannon
I think that is a bug of netbsd and even head of it. I debugged stack for another problem and found: in the scan
structure there is only one scan.wpa so it caused if in a beacon there are more than one ELEMID_VENDOR(if not wme) or
ELEMID_RSN then it will only save the last one. Perhaps most likely RSN is not the last:( so you will only see WPA not
WPA2. Of course I don't know whether there is standard for this?
and Linux seems working well with this case:(
it is not memcpy problem anyway:)
|
|
|
|
|
|
Yao Zhao(deleted)
04/08/2009 10:08 PM
post26478
|
Frame 11 (166 bytes on wire, 166 bytes captured)
Arrival Time: Apr 8, 2009 22:04:17.420002000
[Time delta from previous captured frame: 0.021305000 seconds]
[Time delta from previous displayed frame: 0.021305000 seconds]
[Time since reference or first frame: 0.425976000 seconds]
Frame Number: 11
Frame Length: 166 bytes
Capture Length: 166 bytes
[Frame is marked: False]
[Protocols in frame: radiotap:wlan]
Radiotap Header v0, Length 25
Header revision: 0
Header pad: 0
Header length: 25
Present flags: 0x0000086f
.... .... .... .... .... .... .... ...1 = TSFT: True
.... .... .... .... .... .... .... ..1. = Flags: True
.... .... .... .... .... .... .... .1.. = Rate: True
.... .... .... .... .... .... .... 1... = Channel: True
.... .... .... .... .... .... ...0 .... = FHSS: False
.... .... .... .... .... .... ..1. .... = DBM Antenna Signal: True
.... .... .... .... .... .... .1.. .... = DBM Antenna Noise: True
.... .... .... .... .... .... 0... .... = Lock Quality: False
.... .... .... .... .... ...0 .... .... = TX Attenuation: False
.... .... .... .... .... ..0. .... .... = DB TX Attenuation: False
.... .... .... .... .... .0.. .... .... = DBM TX Attenuation: False
.... .... .... .... .... 1... .... .... = Antenna: True
.... .... .... .... ...0 .... .... .... = DB Antenna Signal: False
.... .... .... .... ..0. .... .... .... = DB Antenna Noise: False
.... .... .... .... .0.. .... .... .... = FCS in header: False
.... .... .... .0.. .... .... .... .... = Channel+: False
0... .... .... .... .... .... .... .... = Ext: False
MAC timestamp: 0
Flags: 0x00
.... ...0 = CFP: False
.... ..0. = Preamble: Long
.... .0.. = WEP: False
.... 0... = Fragmentation: False
...0 .... = FCS at end: False
..0. .... = Data Pad: False
.0.. .... = Bad FCS: False
0... .... = Short GI: False
Data Rate: 1.0 Mb/s
Channel frequency: 2457 [BG 10]
Channel type: 802.11b (0x00a0)
.... .... ...0 .... = Turbo: False
.... .... ..1. .... = Complementary Code Keying (CCK): True
.... .... .0.. .... = Orthogonal Frequency-Division Multiplexing (OFDM): False
.... .... 1... .... = 2 GHz spectrum: True
.... ...0 .... .... = 5 GHz spectrum: False
.... ..0. .... .... = Passive: False
.... .0.. .... .... = Dynamic CCK-OFDM: False
.... 0... .... .... = Gaussian Frequency Shift Keying (GFSK): False
...0 .... .... .... = GSM (900MHz): False
..0. .... .... .... = Static Turbo: False
.0.. .... .... .... = Half Rate Channel (10MHz Channel Width): False
0... .... .... .... = Quarter Rate Channel (5MHz Channel Width): False
SSI Signal: -35 dBm
SSI Noise: 0 dBm
Antenna: 1
IEEE 802.11 Beacon frame, Flags: ........
Type/Subtype: Beacon frame (0x08)
Frame Control: 0x0080 (Normal)
Version: 0
Type: Management frame (0)
Subtype: 8
Flags: 0x0
DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00)
.... .0.. = More Fragments: This is the last fragment
.... 0... = Retry: Frame is not being retransmitted
...0 .... = PWR MGT: STA will stay up
..0. .... = More Data: No data buffered
.0.. .... = Protected flag: Data is not protected
0... .... = Order flag: Not strictly ordered
Duration: 0
Destination address: Broadcast (ff:ff:ff:ff:ff:ff)
Source address: Cisco-Li_a1:83:64 (00:21:29:a1:83:64)
BSS Id: Cisco-Li_a1:83:64 (00:21:29:a1:83:64)
Fragment number: 0
Sequence number: 30
IEEE 802.11 wireless LAN management frame
Fixed parameters (12 bytes)
Timestamp:...
View Full Message
|
|
|
|
|
|
Robert Craig
04/09/2009 9:19 AM
post26525
|
Definitely. This might be one of those bugs that we can report back to
the NetBSD folks as well.
R.
-----Original Message-----
From: Yao Zhao [mailto:community-noreply@qnx.com]
Sent: Wednesday, April 08, 2009 10:08 PM
To: drivers-networking
Subject: Re: memcpy()
Frame 11 (166 bytes on wire, 166 bytes captured)
Arrival Time: Apr 8, 2009 22:04:17.420002000
[Time delta from previous captured frame: 0.021305000 seconds]
[Time delta from previous displayed frame: 0.021305000 seconds]
[Time since reference or first frame: 0.425976000 seconds]
Frame Number: 11
Frame Length: 166 bytes
Capture Length: 166 bytes
[Frame is marked: False]
[Protocols in frame: radiotap:wlan]
Radiotap Header v0, Length 25
Header revision: 0
Header pad: 0
Header length: 25
Present flags: 0x0000086f
.... .... .... .... .... .... .... ...1 = TSFT: True
.... .... .... .... .... .... .... ..1. = Flags: True
.... .... .... .... .... .... .... .1.. = Rate: True
.... .... .... .... .... .... .... 1... = Channel: True
.... .... .... .... .... .... ...0 .... = FHSS: False
.... .... .... .... .... .... ..1. .... = DBM Antenna Signal:
True
.... .... .... .... .... .... .1.. .... = DBM Antenna Noise:
True
.... .... .... .... .... .... 0... .... = Lock Quality: False
.... .... .... .... .... ...0 .... .... = TX Attenuation: False
.... .... .... .... .... ..0. .... .... = DB TX Attenuation:
False
.... .... .... .... .... .0.. .... .... = DBM TX Attenuation:
False
.... .... .... .... .... 1... .... .... = Antenna: True
.... .... .... .... ...0 .... .... .... = DB Antenna Signal:
False
.... .... .... .... ..0. .... .... .... = DB Antenna Noise:
False
.... .... .... .... .0.. .... .... .... = FCS in header: False
.... .... .... .0.. .... .... .... .... = Channel+: False
0... .... .... .... .... .... .... .... = Ext: False
MAC timestamp: 0
Flags: 0x00
.... ...0 = CFP: False
.... ..0. = Preamble: Long
.... .0.. = WEP: False
.... 0... = Fragmentation: False
...0 .... = FCS at end: False
..0. .... = Data Pad: False
.0.. .... = Bad FCS: False
0... .... = Short GI: False
Data Rate: 1.0 Mb/s
Channel frequency: 2457 [BG 10]
Channel type: 802.11b (0x00a0)
.... .... ...0 .... = Turbo: False
.... .... ..1. .... = Complementary Code Keying (CCK): True
.... .... .0.. .... = Orthogonal Frequency-Division Multiplexing
(OFDM): False
.... .... 1... .... = 2 GHz spectrum: True
.... ...0 .... .... = 5 GHz spectrum: False
.... ..0. .... .... = Passive: False
.... .0.. .... .... = Dynamic CCK-OFDM: False
.... 0... .... .... = Gaussian Frequency Shift Keying (GFSK):
False
...0 .... .... .... = GSM (900MHz): False
..0. .... .... .... = Static Turbo: False
.0.. .... .... .... = Half Rate Channel (10MHz Channel Width):
False
0... .... .... .... = Quarter Rate Channel (5MHz Channel Width):
False
SSI Signal: -35 dBm
SSI Noise: 0 dBm
Antenna: 1
IEEE 802.11 Beacon frame, Flags: ........
Type/Subtype: Beacon frame (0x08)
Frame Control: 0x0080 (Normal)
Version: 0
Type: Management frame (0)
Subtype: 8
Flags: 0x0
DS status: Not leaving DS or network is operating in AD-HOC
mode (To DS: 0 From DS: 0) (0x00)
.... .0.. = More Fragments: This is the last fragment
.... 0... = Retry: Frame is not being retransmitted
...0 .... = PWR MGT: STA will stay up
..0. .... = More Data: No data buffered
.0.. .... = Protected flag: Data is not protected
0... .... = Order flag: Not strictly ordered
Duration: 0
Destination...
View Full Message
|
|
|
|
|
|
Andrew Boyd(deleted)
04/09/2009 9:55 AM
post26541
|
> probably I need to file a bug for this.
Yes, please create a PR for this
(and add aboyd and seanb as cc).
Good work!
--
aboyd
|
|
|
|
|
|
