kern/144323: [ieee80211] A response management frame appears in wireshark captures before the corresponding request management frame in HOSTAP mode

Alexander Egorenkov egorenar at gmail.com
Fri Feb 26 14:20:02 UTC 2010


>Number:         144323
>Category:       kern
>Synopsis:       [ieee80211] A response management frame appears in wireshark captures before the corresponding request management frame in HOSTAP mode
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 26 14:20:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Alexander Egorenkov
>Release:        FreeBSD 8.0 STABLE
>Organization:
>Environment:
FreeBSD dantooine 8.0-RELEASE FreeBSD 8.0-RELEASE #2: Tue Dec 15 17:56:06 CET 2009 root at dantooine:/usr/obj/usr/src/sys/MYKERNEL i386
>Description:
I was testing my Ralink WLAN driver in HOSTAP mode and noticed the following strange behaviour of net80211 while capturing frames with wireshark.
All responses to management frame requests appeared in the wireshark capture
**before** the corresponding request frames, e.g. Probe Responses before Probe Requests, Action Responses before Action Requests, Association Responses before Association Requests and so on.
I observed this behaviour only for management frames, data frames were OK.
I also didn't notice this behavior in STA mode.

I could provide a wireshark capture if needed.
>How-To-Repeat:
You need a WLAN NIC that supports HOSTAP mode.
Start hostapd and capture some Probe Requests and Responses.
>Fix:
I investigated the problem and found out that
in the function ieee80211_hostap.c:hostap_input that is responsible for processing
incoming frames in HOSTAP mode a management frame is passed to bpf **after**
the call to "iv_recv_mgmt". The function pointer iv_recv_mgmt that points to
the function ieee80211_hostap.c:hostap_recv_mgmt processes received management frames and, furthermore, **sends** corresponding response frames if needed.
And when hostap_recv_mgmt is done, management frames are passed to ieee80211_radiotap_rx.

To fix the problem, the call to ieee80211_radiotap_rx in ieee80211_hostap.c:hostap_input should happen **before** the call
to iv_recv_mgmt for management frames.

>Release-Note:
>Audit-Trail:
>Unformatted:
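
The ordering described in the Fix section, as an added toy model in C; it is not part of the original report and is not net80211 code. Every name in it is hypothetical, and it assumes the transmit path taps an outgoing frame at the moment it is sent.

```c
/* Toy model of the capture ordering described in the report.
 * Hypothetical names throughout; this is not net80211 code. */
#include <stdio.h>

/* Constructed sample frame types: each response is its request + 1. */
enum frame { PROBE_REQ, PROBE_RESP, ASSOC_REQ, ASSOC_RESP };

#define CAP_MAX 16
static enum frame capture[CAP_MAX];  /* what a sniffer on the AP records */
static int ncap;

static void tap(enum frame f) { if (ncap < CAP_MAX) capture[ncap++] = f; }

/* Assumption: an outgoing frame is tapped when it is sent. */
static void send_frame(enum frame f) { tap(f); }

/* Stand-in for the management handler: answers each request at once. */
static void recv_mgmt(enum frame f)
{
    if (f % 2 == 0)
        send_frame((enum frame)(f + 1));
}

/* Order reported in the PR: handle first, tap the received frame after. */
static void input_tap_after(enum frame f) { recv_mgmt(f); tap(f); }

/* Order proposed in the PR: tap the received frame, then handle it. */
static void input_tap_before(enum frame f) { tap(f); recv_mgmt(f); }

/* Feed two requests through `input`, then count the responses that were
 * recorded with no matching request earlier in the capture. */
static int count_inverted(void (*input)(enum frame))
{
    int i, j, seen, inverted = 0;
    ncap = 0;
    input(PROBE_REQ);
    input(ASSOC_REQ);
    for (i = 0; i < ncap; i++) {
        if (capture[i] % 2 == 0) continue;           /* not a response */
        for (seen = 0, j = 0; j < i; j++)
            if (capture[j] == capture[i] - 1) seen = 1;
        if (!seen) inverted++;
    }
    return inverted;
}

int main(void)
{
    printf("tap after handler:  %d inverted\n", count_inverted(input_tap_after));
    printf("tap before handler: %d inverted\n", count_inverted(input_tap_before));
    return 0;
}
```

The same scan over the subtype sequence of a real capture would show whether response frames were recorded ahead of the requests that triggered them.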

