Hosting Provided By

if_wi_hostap.c kernel dos all versions openbsd

From: <merith(at)vantronix.net>
Date: Sat Dec 28 2002 - 10:27:14 EST

hello,

the openbsd 802.11b wireless hostap module contains a bug which freezes the system or slowes it down until it ist no more usable. all tested openbsd versions (3.0,3.1,3.2,3.2-current) are affected. the bug was found by reyk@vantronix.net while testing different wireless accesspoint implementations.

you can verify the bug with the void11_penetration tool from http://www.wlsec.net/void11/ . at the moment we just tested the auth attack. a small patch is at the end of this mail (load testing was not possible because the wlan on the 19c3 is not suited for test)

problem description:

wihap_shutdown - when all (or many) slots for aviable stations are used,

shutting down the ap causes the wifi card to die because
all staions are killed linear from the beginning of the
LIST() to the end .. sending 2 frames for every staion
(disassoc and deauth). the system opens to much calls to
wihap_sta_deauth() which calls wi_mgmt_xmit() which calls
wi_cmd() ... at some point the card returns "command error"
in the result field from the STATUS register.
"wi_mgmt_xmit: xmit failed" is the displayed kernel
message and the system hangs. sometimes it is possible to
get into ddb from the console sometimes not. sometimes the
system even comes back to life (if not all station slots
are used) but the systems is not more stable (got some
panics in tsleep(no trace and ps at the moment sorry)).
fix: use broadcast to deauth all station.
see hostapd for linux implementation or void11 type 1 attack.
i could not verify if the deauth works correct (systems says
so but we could not sniff the frames here on the 19c3).

wihap_sta_timeout - i added a small delay to prevent instant call of disassoc
or deauth. if the stations times out is it really
neccessary to call wihap_sta_disassoc()?

timout_* - when attacking a ap we get aprox. 50-100 station entrys per second. the granularity
of the hardclock is not fine enought and wihap_sta_timeout()
calls generate peaks in the system wich causes the same error
like wihap_shutdown() routine. i tried to add more saturation to
the timeout scala by adding a casted arc4random() value to every
timeout_add() (to every because i think the system overhead for
calling arc4random() is lower and the saturation is better when
added for every timeout_add() reset)

wihap_auth_req - if we reach the WIHAP_MAX_STATIONS limit we have either a
Do you need help?
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related openbsd.org Links
advocacy
announce
bugs
ipv6
misc
ports
ports-changes
security-announce
smp
source-changes
tech
Request more information about Pantek
very very big segment and the responsible admin should
recompile the driver with a new limit or we are
under attack. so we just return and dont send a frame back.

note: would it be desireble to have a counter which saves failed commands and
resets the card after a predefined amount of failures (either soft or
hard) eg. in wi_cmd?

bye mer

fix:

sys/dev/ic/if_wi_hostap.c.orig Fri Dec 27 22:45:55 2002 +++ sys/dev/ic/if_wi_hostap.c Sat Dec 28 14:52:59 2002
@@ -273,6 +273,7 @@
struct wihap_info *whi = &sc->wi_hostap_info; struct wihap_sta_info *sta, *next; - int s; - + u_int8_t all[ETHER_ADDR_LEN]; + int s, i; + if (sc->sc_arpcom.ac_if.if_flags & IFF_DEBUG) printf("wihap_shutdown: sc=0x%x whi=0x%x\n", sc, whi);
@@ -292,15 +293,4 @@
timeout_del(&sta->tmo);
- if (sc->wi_flags & WI_FLAGS_ATTACHED) {
- /* Disassociate station. */
- if (sta->flags & WI_SIFLAGS_ASSOC)
- wihap_sta_disassoc(sc, sta->addr,
- IEEE80211_REASON_ASSOC_LEAVE);
- /* Deauth station. */
- if (sta->flags & WI_SIFLAGS_AUTHEN)
- wihap_sta_deauth(sc, sta->addr,
- IEEE80211_REASON_AUTH_LEAVE);
- } - /* Delete the structure. */ if (sc->sc_arpcom.ac_if.if_flags & IFF_DEBUG)
  @@ -310,4 +300,14 @@
  sta = next; } + + /* set broadcast and response */ + memset(all, 0xFF, ETHER_ADDR_LEN); + + for(i=0; i < 5; i++) { + if (sc->wi_flags & WI_FLAGS_ATTACHED) { + wihap_sta_deauth(sc, all, IEEE80211_REASON_AUTH_LEAVE); + DELAY(50); + } + } splx(s); }
  @@ -340,4 +340,6 @@
  s = splsoftnet();

+ DELAY(100);
+

 	if (sta->flags & WI_SIFLAGS_ASSOC) {
 		if (sc->sc_arpcom.ac_if.if_flags & IFF_DEBUG)


@@ -350,5 +352,6 @@


 		sta->flags &= ~WI_SIFLAGS_ASSOC;
 
-		timeout_add(&sta->tmo, hz * whi->inactivity_time);
+		timeout_add(&sta->tmo,
+			hz * (whi->inactivity_time + (u_int8_t) arc4random()));
 
 	} else if (sta->flags & WI_SIFLAGS_AUTHEN) {


@@ -357,4 +360,6 @@


 			printf("wihap_timer: deauth due to inactivity: %s\n",
 			    ether_sprintf(sta->addr));
+		
+		/* timeout_del(&sta->tmo); */
 
 		/* Deauthenticate station. */


@@ -426,5 +431,6 @@


 	bcopy(addr, &sta->addr, ETHER_ADDR_LEN);
 	timeout_set(&sta->tmo, wihap_sta_timeout, sta);
-	timeout_add(&sta->tmo, hz * whi->inactivity_time);
+	timeout_add(&sta->tmo,
+		hz * (whi->inactivity_time + (u_int8_t) arc4random()));
 
 	return (sta);


@@ -533,9 +539,11 @@


 		}
 
-		/* Check for too many stations.
+		/* 
+		 * Check for too many stations. If we reached the limit
+		 * just return.
 		 */
 		if (whi->n_stations >= WIHAP_MAX_STATIONS) {
 			status = IEEE80211_STATUS_TOO_MANY_STATIONS;
-			goto fail;
+			return;
 		}
 


@@ -551,5 +559,6 @@


 		}
 	}
-	timeout_add(&sta->tmo, hz * whi->inactivity_time);
+	timeout_add(&sta->tmo,
+		hz * (whi->inactivity_time + (u_int8_t) arc4random()));
 
 	/* Note: it's okay to leave the station info structure around

@@ -772,5 +781,6 @@

 	sta->flags |= WI_SIFLAGS_ASSOC;
-	timeout_add(&sta->tmo, hz * whi->inactivity_time);
Can we help you? 
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related openbsd.org Links
advocacy
announce
bugs
ipv6
misc
ports
ports-changes
security-announce
smp
source-changes
tech
Request more information about Pantek
+	timeout_add(&sta->tmo,
+		hz * (whi->inactivity_time + (u_int8_t) arc4random()));
 	status = IEEE80211_STATUS_SUCCESS;
 


@@ -995,5 +1005,6 @@


 	if (sta != NULL && (sta->flags & WI_SIFLAGS_ASSOC)) {
 		/* Keep it active. */
-		timeout_add(&sta->tmo, hz * whi->inactivity_time);
+		timeout_add(&sta->tmo,
+			hz * (whi->inactivity_time + (u_int8_t) arc4random()));
 		return (1);
 	}


@@ -1023,5 +1034,6 @@


 	if (sta != NULL && (sta->flags & WI_SIFLAGS_ASSOC)) {
 		/* Keep it active. */
-		timeout_add(&sta->tmo, hz * whi->inactivity_time);
+		timeout_add(&sta->tmo,
+			hz * (whi->inactivity_time + (u_int8_t) arc4random()));
 		*txrate = txratetable[sta->tx_curr_rate];
 		splx(s);


@@ -1086,5 +1098,6 @@


 	}
 
-	timeout_add(&sta->tmo, hz * whi->inactivity_time);
+	timeout_add(&sta->tmo,
+		hz * (whi->inactivity_time + (u_int8_t) arc4random()));
 	sta->sig_info = letoh16(rxfrm->wi_q_info);
 


@@ -1207,5 +1220,6 @@


 		sta = wihap_sta_alloc(sc, reqsta.addr);
 		sta->flags = reqsta.flags;
-		timeout_add(&sta->tmo, hz * whi->inactivity_time);
+		timeout_add(&sta->tmo,
+			hz * (whi->inactivity_time + (u_int8_t) arc4random()));
 		splx(s);
 		break;

Received on Sun Dec 29 22:24:38 2002

Do you need more help?

This message: [ Message body ]
Next message: Thomas Serra: "SCSI Adaptec 29160 issue"
Previous message: merith(at)vantronix.net: ""wicontrol -l" wrong flags listing"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:29:43 EDT