Opened 3 years ago

Closed 3 years ago

#18913 closed defect (upstream)

ath9k monitor packet injection problem

Reported by: mario_lopes Owned by: developers
Priority: normal Milestone:
Component: packages Version: Trunk
Keywords: ath9k mac80211 Cc:

Description

Hi.

I've written software to inject packets on Wi-Fi, like a packet spammer, and created a packet with a RadioTap header + eth frame + FCS and wrote it to the mon0 interface, created from wlan0 (Ad-Hoc at 5 GHz with PSK2), in order to send that packet with a specific bitrate, overriding the auto or fixed bitrate mechanisms of mac80211 / minstrel_ht.

At the transmitter, capturing the packet with tcpdump+wireshark, the field "MCS index" of "MCS information" shows a value of 8, which is the value that I set in the packet before sending. However, at the receiving station, the same capture shows that that value has been overridden to 5 and the packet was received at a different bitrate than it was supposed to.

The wireless card that I'm using supports packet injection and this was supposed to work.

Also, when I run the command line 'iw dev wlan0 set noack_map 0x0009', the packet is received at the basic rate, not at MCS 8 (using 2 streams).

Tested at r43000, ath9k, ar9220.

Thanks.

Attachments (0)

Change History (5)

comment:1 Changed 3 years ago by mario_lopes

Also, when I disable FCS, the frame is captured at the emitter without the 4-byte FCS at the end, and at the receiver the last 4 bytes are presented as FCS, those being the last 4 bytes of the sent frame, so the frame gets corrupted because the frame size is the same on both sides.

My assumption is that the FCS is calculated from the injected frame minus the last 4 bytes, then FCS is set on and the last 4 bytes of the data frame are overwritten with the FCS checksum.

comment:2 Changed 3 years ago by mario_lopes

The previous comment is wrong: when testing QoS control parameters, the FCS was added at the end, so there is no problem with that.

However, at the emitter, setting the 2-byte QoS Control to 0x0020 to disable the frame Ack doesn't disable the Ack, because I receive an Ack from the receiver. At the receiver, the frame's 2-byte QoS Control is now set to 0x0000, so mac80211, ath9k or another module is changing the frame before it is sent to the radio.

Thanks.
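
The setup in the description (radiotap header + 802.11 frame + FCS written to a monitor interface, with the MCS index requested in the radiotap MCS field) and the QoS Control ack-policy check in comment 2, as an added example. This is not the reporter's injector and not OpenWrt, mac80211 or ath9k code; the field layouts follow the public radiotap and IEEE 802.11 definitions, and the MAC addresses, EtherType (0x88B5, local experimental) and payload are constructed placeholders. Besides building the frame it includes the receiver-side checks a practitioner wants: a radiotap parser to read the MCS index a capture reports, an FCS verifier, and an ack-policy reader for the QoS Control field.

```python
# Added example, not the reporter's injector and not OpenWrt/mac80211/ath9k code.
# Field layouts follow the public radiotap and IEEE 802.11 definitions; MAC
# addresses, EtherType and payload used with it are constructed placeholders.
import socket
import struct
import zlib

# radiotap present bits and field values (radiotap.org)
RT_PRESENT_FLAGS, RT_PRESENT_TX_FLAGS, RT_PRESENT_MCS = 1 << 1, 1 << 15, 1 << 19
RT_FLAG_FCS = 0x10          # Flags: frame includes FCS
RT_TXFLAG_NOACK = 0x0008    # TX flags: don't expect an ACK
RT_MCS_KNOWN_BW, RT_MCS_KNOWN_MCS, RT_MCS_KNOWN_GI = 0x01, 0x02, 0x04
RT_MCS_BW_20 = 0x00
# (size, alignment) of the radiotap fields in present bits 0..22
RT_FIELD = {0: (8, 8), 1: (1, 1), 2: (1, 1), 3: (4, 2), 4: (2, 2), 5: (1, 1),
            6: (1, 1), 7: (2, 2), 8: (2, 2), 9: (2, 2), 10: (1, 1), 11: (1, 1),
            12: (1, 1), 13: (1, 1), 14: (2, 2), 15: (2, 2), 16: (1, 1), 17: (1, 1),
            18: (8, 4), 19: (3, 1), 20: (8, 4), 21: (12, 2), 22: (12, 8)}
# 802.11 QoS Control bits 5-6: ack policy, 01 = No Ack (the 0x0020 in comment 2)
QOS_ACK_POLICY_MASK, QOS_ACK_POLICY_NOACK = 0x0060, 0x0020


def build_radiotap(mcs_index, no_ack=False, fcs_included=True):
    """Radiotap header with Flags, TX flags and MCS, emitted in present-bit order."""
    present = RT_PRESENT_FLAGS | RT_PRESENT_TX_FLAGS | RT_PRESENT_MCS
    fields = bytearray()
    fields.append(RT_FLAG_FCS if fcs_included else 0)              # offset 8: Flags, u8
    fields.append(0)                                               # offset 9: pad, TX flags is 2-aligned
    fields += struct.pack("<H", RT_TXFLAG_NOACK if no_ack else 0)  # offset 10: TX flags, u16
    fields += bytes([RT_MCS_KNOWN_BW | RT_MCS_KNOWN_MCS | RT_MCS_KNOWN_GI,
                     RT_MCS_BW_20, mcs_index & 0x7F])              # offset 12: known, flags, index
    return struct.pack("<BBHI", 0, 0, 8 + len(fields), present) + bytes(fields)


def build_qos_data(dst, src, bssid, payload, seq=0, no_ack=False):
    """802.11 QoS Data frame (ToDS=FromDS=0 as in IBSS) with LLC/SNAP, without FCS."""
    hdr = struct.pack("<BBH", 0x88, 0x00, 0)        # FC: type Data, subtype QoS Data; duration 0
    hdr += dst + src + bssid                        # addr1=DA, addr2=SA, addr3=BSSID
    hdr += struct.pack("<H", (seq & 0xFFF) << 4)    # sequence control
    hdr += struct.pack("<H", QOS_ACK_POLICY_NOACK if no_ack else 0)
    llc = b"\xaa\xaa\x03\x00\x00\x00" + struct.pack("!H", 0x88B5)  # assumed EtherType
    return hdr + llc + payload


def add_fcs(frame):
    """Append the 802.11 FCS: CRC-32 over the MAC frame, little-endian."""
    return frame + struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)


def fcs_ok(frame_with_fcs):
    """Receiver-side check: do the trailing 4 bytes match the CRC of the rest?"""
    return add_fcs(frame_with_fcs[:-4]) == frame_with_fcs


def qos_ack_policy(frame):
    """Ack-policy bits of the QoS Control field of a bare (no radiotap) QoS Data frame."""
    if frame[0] & 0x8C != 0x88:                     # type Data with the QoS subtype bit
        raise ValueError("not a QoS Data frame")
    return struct.unpack_from("<H", frame, 24)[0] & QOS_ACK_POLICY_MASK


def parse_radiotap(packet):
    """Return (header_len, {present_bit: raw bytes}) for the fields of the first present word.

    Fields announced by extended present words are skipped (they still sit before
    header_len); the first word is enough to read the MCS field from a capture.
    """
    _, _, hdr_len, present = struct.unpack_from("<BBHI", packet, 0)
    off, word = 8, present
    while word & (1 << 31):                         # walk the extended presence bitmaps
        word = struct.unpack_from("<I", packet, off)[0]
        off += 4
    fields = {}
    for bit in range(29):                           # bits 29/30 are namespace switches
        if not present & (1 << bit):
            continue
        if bit not in RT_FIELD:
            raise ValueError("unknown radiotap field bit %d" % bit)
        size, align = RT_FIELD[bit]
        off = (off + align - 1) & ~(align - 1)      # alignment is relative to header start
        fields[bit] = bytes(packet[off:off + size])
        off += size
    return hdr_len, fields


def captured_mcs_index(packet):
    """MCS index a capture reports for a radiotap-prefixed frame, or None if absent."""
    _, fields = parse_radiotap(packet)
    return fields[19][2] & 0x7F if 19 in fields else None


def send_on_monitor(ifname, packet):
    """Write radiotap + 802.11 frame to a monitor interface (Linux AF_PACKET, needs root)."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, 0) as s:
        s.bind((ifname, 0))
        return s.send(packet)
```

Usage: `packet = build_radiotap(8, no_ack=True) + add_fcs(build_qos_data(dst, src, bssid, payload, no_ack=True))` followed by `send_on_monitor("mon0", packet)`, with the interface name taken from the ticket. Capturing on both sides (for example `tcpdump -i mon0 -w` on each station) and running `captured_mcs_index` over the two captures gives the transmitter-versus-receiver comparison the description makes, and `qos_ack_policy` on the receiver's frame shows whether the 0x0020 ack policy survived the TX path, as comment 2 checks. The radiotap TX flags "don't expect an ACK" bit is a separate request from the QoS Control ack policy; sending the frame once with each and comparing the receiver's capture shows which of the two the stack honours.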

comment:3 Changed 3 years ago by mario_lopes

Changing the frame source MAC address in the QoS header (a sort of MAC spoofing) results in the following error:

[  304.350000] Unable to handle kernel NULL pointer dereference at virtual addr0
[  304.360000] pgd = cf334000
[  304.360000] [000000f0] *pgd=2e904831, *pte=00000000, *ppte=00000000
[  304.360000] Internal error: Oops: 17 [#1] SMP ARM
[  304.360000] Modules linked in: ath9k ath9k_common pppoe ppp_async iptable_nar
[  304.360000] CPU: 0 PID: 1287 Comm: MyFrameInjector Not tainted 3.10.49 #11
[  304.360000] task: cf8b8320 ti: ce902000 task.ti: ce902000
[  304.360000] PC is at ieee80211_nullfunc_get+0x1794/0x1940 [mac80211]
[  304.360000] LR is at ieee80211_nullfunc_get+0x173c/0x1940 [mac80211]
[  304.360000] pc : [<bf1e2f84>]    lr : [<bf1e2f2c>]    psr: 60000013
[  304.360000] sp : ce903b70  ip : ce903b70  fp : ce903bbc
[  304.360000] r10: ce903bd0  r9 : 00000000  r8 : 00000002
[  304.360000] r7 : cfa34e10  r6 : cfa34b00  r5 : ce89d2e0  r4 : ce903bd0
[  304.360000] r3 : 00000088  r2 : 00000000  r1 : 00000000  r0 : 00000000
[  304.360000] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[  304.360000] Control: 00c5787d  Table: 2f33400a  DAC: 00000015
[  304.360000] Process MyFrameInjector (pid: 1287, stack limit = 0xce9021b8)
[  304.360000] Stack: (0xce903b70 to 0xce904000)
[  304.360000] 3b60:                                     cf20016c ce9b8b68 00000
[  304.360000] 3b80: 00000000 00000088 00000000 00000000 00000001 ce89d2e0 00002
[  304.360000] 3ba0: 00000022 00000001 cfa34b00 00000000 ce903c24 ce903bc0 bf1ec
[  304.360000] 3bc0: 00000000 00000020 ce89d2e0 00000000 ce903bd0 ce903bd0 00000
[  304.360000] 3be0: cfa34b00 ce9b8400 00000000 00000000 00000a00 00000002 00000
[  304.360000] 3c00: ce9b8400 cfa34b00 00000001 00000844 00000840 00000842 ce908
[  304.360000] 3c20: bf1e435c bf1e3708 00000000 bf19f7fc ce89d2e0 cfa35570 cfa30
[  304.360000] 3c40: ce903cbc ce903c50 bf1e4694 bf1e427c 00000000 cfa34b00 cfa30
[  304.360000] 3c60: bf1a3db4 ce1a4c5b 00000000 ce1a4c58 ce1a4c5a 0000000b 00001
[  304.360000] 3c80: 0000000b 0000001f 00000000 00000000 ce903cbc 00000000 ce890
[  304.360000] 3ca0: ce9b8000 bf209978 00000000 00000000 ce903cfc ce903cc0 c0230
[  304.360000] 3cc0: ce9b8000 ce9b8000 00006000 00000000 0000002d ce883180 cea1c
[  304.360000] 3ce0: ce9b8000 ce89d2e0 00000000 00000000 ce903d24 ce903d00 c0248
[  304.360000] 3d00: ce89d2e0 ce883180 ce9b8000 cea1705c cea17000 00000000 ce908
[  304.360000] 3d20: c0239ba8 c024fec8 cea1705c 0024b000 ce903ec4 00000000 c0040
[  304.360000] 3d40: ce9b8000 0000002d 00000000 0000002d 00000000 ce1a4c5e ce908
[  304.360000] 3d60: c02b2518 c0239978 0000002d cf8b8320 c05fe3a0 c05fe3a0 c03b0
[  304.360000] 3d80: c03b33a0 00000000 ce903ecc cf4e9840 00000300 00000050 00000
[  304.360000] 3da0: 00000000 00000000 00000000 cf930000 00000000 00000000 00000
[  304.360000] 3dc0: ce903ddc cf4e9840 0000002d ce903ecc cf8b8320 ce903df0 00000
[  304.360000] 3de0: ce903eb4 ce903df0 c0223108 c02b19b0 00000001 00000004 ce90d
[  304.360000] 3e00: cf4e9840 ce903e10 00000000 ce903ecc 00000004 00000000 ce900
[  304.360000] 3e20: ce86cc00 00000002 cf93c000 cf162a70 00000001 00000000 00000
[  304.360000] 3e40: 00000000 cf8b8320 00000000 00000000 00000000 00000000 ce900
[  304.360000] 3e60: 00000000 00000000 00000000 00000000 00000000 00000000 00000
[  304.360000] 3e80: 00000000 00000000 00000000 00000000 cf4e9840 0000002d 00000
[  304.360000] 3ea0: beae63e8 00000000 ce903f8c ce903eb8 c02256c8 c0223094 c0047
[  304.360000] 3ec0: 00000000 beae63e8 0000002d 00000000 00000000 ce903ec4 00000
[  304.360000] 3ee0: 00000000 00000000 c016b958 c0011344 00000001 00000000 ce9e1
[  304.360000] 3f00: cf55dd20 00000002 cea14b20 00000000 00000000 00000000 c0040
[  304.360000] 3f20: 0000002f cf55dd20 00000002 00000000 ce9e8848 00000000 ce908
[  304.360000] 3f40: c00a7538 c00dbd64 00000000 00000000 00000000 00000000 ce9e0
[  304.360000] 3f60: 0000002f b6fa2674 00000007 00d5b008 beae6c90 00000121 c0000
[  304.360000] 3f80: ce903fa4 ce903f90 c022570c c0225618 00000000 00000000 00008
[  304.360000] 3fa0: c0008e20 c02256f8 00000007 00d5b008 00000005 beae63e8 00000
[  304.360000] 3fc0: 00000007 00d5b008 beae6c90 00000121 00000000 00000000 b6fbc
[  304.360000] 3fe0: 00000000 beae5ff8 b6f114dc b6f8217c 60000010 00000005 00000
[  304.360000] Backtrace:
[  304.360000] [<bf1e2d00>] (ieee80211_nullfunc_get+0x1510/0x1940 [mac80211]) f)
[  304.360000] [<bf1e36fc>] (ieee80211_tx_prepare_skb+0x94/0x16c [mac80211]) fr)
[  304.360000] [<bf1e4270>] (ieee80211_xmit+0x0/0xf4 [mac80211]) from [<bf1e469)
[  304.360000]  r7:ce9b8400 r6:cfa34140 r5:cfa35570 r4:ce89d2e0
[  304.360000] [<bf1e4364>] (ieee80211_monitor_start_xmit+0x0/0x35c [mac80211]))
[  304.360000] [<c02394ec>] (dev_hard_start_xmit+0x0/0x480) from [<c024ff48>] ()
[  304.360000] [<c024febc>] (sch_direct_xmit+0x0/0x208) from [<c0239ba8>] (dev_)
[  304.360000]  r9:00000000 r8:cea17000 r7:cea1705c r6:ce9b8000 r5:ce883180 r4:ce89d2e0
[  304.360000] [<c023996c>] (dev_queue_xmit+0x0/0x524) from [<c02b2518>] (packe)
[  304.360000] [<c02b19a4>] (packet_sendmsg+0x0/0xcbc) from [<c0223108>] (sock_)
[  304.360000] [<c0223088>] (sock_sendmsg+0x0/0x94) from [<c02256c8>] (SyS_send)
[  304.360000]  r9:00000000 r8:beae63e8 r7:00000000 r6:00000000 r5:0000002d r4:cf4e9840
[  304.360000] [<c022560c>] (SyS_sendto+0x0/0xe0) from [<c022570c>] (SyS_send+0)
[  304.360000]  r9:ce902000 r8:c0008fa4 r7:00000121 r6:beae6c90 r5:00d5b008 r4:00000007
[  304.360000] [<c02256ec>] (SyS_send+0x0/0x28) from [<c0008e20>] (ret_fast_sys)
[  304.360000] Code: 1595305c 051b203c 1203300f 12833014 (059270f0)
[  304.950000] ---[ end trace 8af7d3c3c496bf58 ]---
[  304.960000] Kernel panic - not syncing: Fatal exception in interrupt
[  304.960000] CPU1: stopping
[  304.960000] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G      D      3.10.49 #11
[  304.960000] Backtrace:
[  304.960000] [<c0019e24>] (dump_backtrace+0x0/0x114) from [<c001a040>] (show_)
[  304.960000]  r6:c03b2b44 r5:c03b72c8 r4:00000001 r3:00000000
[  304.960000] [<c001a028>] (show_stack+0x0/0x1c) from [<c0137e54>] (dump_stack)
[  304.960000] [<c0137e34>] (dump_stack+0x0/0x28) from [<c001bdbc>] (handle_IPI)
[  304.960000] [<c001bcec>] (handle_IPI+0x0/0x154) from [<c00084f4>] (gic_handl)
[  304.960000]  r8:c03b9a06 r7:fb004100 r6:cf865f70 r5:c03b73f0 r4:fb00410c r3:c0017584
[  304.960000] [<c0008498>] (gic_handle_irq+0x0/0x64) from [<c0008aa0>] (__irq_)
[  304.960000] Exception stack(0xcf865f70 to 0xcf865fb8)
[  304.960000] 5f60:                                     c0605760 00000000 00020
[  304.960000] 5f80: cf864000 c03b70d0 c0325fe0 cf864000 c03b9a06 c03b9a06 cf864
[  304.960000] 5fa0: cf865fc8 cf865fb8 c0017584 c0017588 60000013 ffffffff
[  304.960000]  r7:cf865fa4 r6:ffffffff r5:60000013 r4:c0017588
[  304.960000] [<c001755c>] (arch_cpu_idle+0x0/0x34) from [<c0056284>] (cpu_sta)
[  304.960000] [<c00561b4>] (cpu_startup_entry+0x0/0x130) from [<c03a52c4>] (se)
[  304.960000]  r7:c03f7270 r3:00000000
[  304.960000] [<c03a51b4>] (secondary_start_kernel+0x0/0x130) from [<203a4a00>)
[  304.960000] Rebooting in 3 seconds..

comment:4 Changed 3 years ago by nbd

The MAC spoofing related crash should be fixed in r44220.
As for the no-ack issue, please report that to the linux-wireless list.
It is most likely an upstream Linux bug, not an OpenWrt-specific one.

comment:5 Changed 3 years ago by nbd

  • Resolution set to upstream
  • Status changed from new to closed