From nobody@FreeBSD.org  Sun Feb  7 08:30:11 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D87561065676
	for <freebsd-gnats-submit@FreeBSD.org>; Sun,  7 Feb 2010 08:30:11 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id AF2A68FC18
	for <freebsd-gnats-submit@FreeBSD.org>; Sun,  7 Feb 2010 08:30:11 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o178UBlH003760
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 7 Feb 2010 08:30:11 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o178UB8e003759;
	Sun, 7 Feb 2010 08:30:11 GMT
	(envelope-from nobody)
Message-Id: <201002070830.o178UB8e003759@www.freebsd.org>
Date: Sun, 7 Feb 2010 08:30:11 GMT
From: Alexander Egorenkov <egorenar@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [ieee80211] A bug in ht_send_action_ba_addba causes net80211 to send malformed ADDBA response frames
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         143627
>Category:       kern
>Synopsis:       [ieee80211] [panic] A bug in ht_send_action_ba_addba causes net80211 to send malformed ADDBA response frames
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-net
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Feb 07 08:40:00 UTC 2010
>Closed-Date:    Tue Mar 23 13:37:16 UTC 2010
>Last-Modified:  Tue Mar 23 13:37:16 UTC 2010
>Originator:     Alexander Egorenkov
>Release:        FreeBSD 8.0 STABLE
>Organization:
>Environment:
FreeBSD dantooine 8.0-RELEASE FreeBSD 8.0-RELEASE #2: Tue Dec 15 17:56:06 CET 2009 root@dantooine:/usr/obj/usr/src/sys/MYKERNEL i386
>Description:
I'm developing an 802.11n device driver and added A-MPDU Rx support to the driver.
While testing this feature, I noticed that the net80211 stack sends malformed ADDBA response frames in response to ADDBA requests from the AP. The ADDBA response frames sent by the net80211 stack contain 2 bytes fewer. I analyzed this problem and found out that the problem lies in the function ieee80211_ht.c:ht_send_action_ba_addba:2178.

>How-To-Repeat:

>Fix:
Here is the code snippet which causes the problem:

	if (m != NULL) {
		*frm++ = category;
		*frm++ = action;
		*frm++ = args[0];		/* dialog token */
		ADDSHORT(frm, args[1]);		/* baparamset */
		ADDSHORT(frm, args[2]);		/* batimeout */
		if (action == IEEE80211_ACTION_BA_ADDBA_REQUEST)
			ADDSHORT(frm, args[3]);	/* baseqctl */
		m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *);
		return ht_action_output(ni, m);
	} else {
		vap->iv_stats.is_tx_nobuf++;
		ieee80211_free_node(ni);
		return ENOMEM;
	}

I took a look at the 802.11 specification and found out that
an ADDBA response has the same size as an ADDBA request, but
an ADDBA response has a status code after the dialog token field and
doesn't have a block starting sequence control (baseqctl) field.

So here is my fix to the problem:

	if (m != NULL) {
		*frm++ = category;
		*frm++ = action;

		if (action == IEEE80211_ACTION_BA_ADDBA_REQUEST) {
			*frm++ = args[0];		/* dialog token */
			ADDSHORT(frm, args[1]);		/* baparamset */
			ADDSHORT(frm, args[2]);		/* batimeout */
			ADDSHORT(frm, args[3]);		/* baseqctl */
		} else {	/* IEEE80211_ACTION_BA_ADDBA_RESPONSE */
			*frm++ = args[0];		/* dialog token */
			ADDSHORT(frm, args[1]);		/* status code */
			ADDSHORT(frm, args[2]);		/* baparamset */
			ADDSHORT(frm, args[3]);		/* batimeout */
		}

		m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *);
		return ht_action_output(ni, m);
	} else {
		vap->iv_stats.is_tx_nobuf++;
		ieee80211_free_node(ni);
		return ENOMEM;
	}
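
The following is an added example, not code from the PR or from net80211: it builds the ADDBA action body with the original (buggy) field logic and with the corrected one, then parses the result as a strict receiver would, so the 2-byte truncation described above shows up as a rejected frame. The category/action constants, ADDBA_BODY_LEN, the sample arguments and all function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
/* Values assumed for this example; the real ones live in net80211's ieee80211.h. */
#define IEEE80211_ACTION_CAT_BA            3
#define IEEE80211_ACTION_BA_ADDBA_REQUEST  0
#define IEEE80211_ACTION_BA_ADDBA_RESPONSE 1
#define ADDBA_BODY_LEN 9	/* category, action, dialog token, three 16-bit fields */
/* Little-endian 16-bit store, as net80211's ADDSHORT macro does, and its inverse. */
#define ADDSHORT(frm, v) do { (frm)[0] = (v) & 0xff; (frm)[1] = (v) >> 8; (frm) += 2; } while (0)
#define LE16(p) ((uint16_t)((p)[0] | ((p)[1] << 8)))
struct addba_resp { uint8_t token; uint16_t status, baparamset, batimeout; };
/* Constructed sample response args: dialog token, status (0 = success), baparamset, batimeout. */
static const uint16_t sample_resp_args[4] = { 0x2a, 0x0000, 0x1002, 0x0000 };
static uint8_t scratch[32];

/* Body builder; buggy != 0 reproduces the PR's logic, which drops a response's third 16-bit field. */
size_t encode_ba_action(uint8_t *buf, uint8_t action, const uint16_t args[4], int buggy)
{
	uint8_t *frm = buf;
	*frm++ = IEEE80211_ACTION_CAT_BA;
	*frm++ = action;
	*frm++ = (uint8_t)args[0];	/* dialog token */
	ADDSHORT(frm, args[1]);		/* baparamset (req) or status code (resp) */
	ADDSHORT(frm, args[2]);		/* batimeout (req) or baparamset (resp) */
	if (!buggy || action == IEEE80211_ACTION_BA_ADDBA_REQUEST)
		ADDSHORT(frm, args[3]);	/* baseqctl (req) or batimeout (resp) */
	return (size_t)(frm - buf);
}

/* Receiver-side check: 0 on success, -1 if the body is short or not an ADDBA response. */
int parse_addba_response(const uint8_t *buf, size_t len, struct addba_resp *out)
{
	if (len < ADDBA_BODY_LEN || buf[0] != IEEE80211_ACTION_CAT_BA ||
	    buf[1] != IEEE80211_ACTION_BA_ADDBA_RESPONSE)
		return -1;
	out->token = buf[2];             out->status = LE16(buf + 3);
	out->baparamset = LE16(buf + 5); out->batimeout = LE16(buf + 7);
	return 0;
}

/* Encode the sample response, then parse it as a strict peer would: 1 if accepted intact, 0 if rejected. */
int response_roundtrip_ok(int buggy)
{
	struct addba_resp r;
	size_t len = encode_ba_action(scratch, IEEE80211_ACTION_BA_ADDBA_RESPONSE, sample_resp_args, buggy);
	if (parse_addba_response(scratch, len, &r) != 0)
		return 0;
	return r.token == sample_resp_args[0] && r.status == sample_resp_args[1] &&
	    r.baparamset == sample_resp_args[2] && r.batimeout == sample_resp_args[3];
}
```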

>Release-Note:
>Audit-Trail:

From: Alexander Egorenkov <egorenar@googlemail.com>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: kern/143627: [ieee80211] A bug in ht_send_action_ba_addba causes 
	net80211 to send malformed ADDBA response frames
Date: Sun, 7 Feb 2010 09:56:04 +0100

Here is a simpler version of the fix.

	if (m != NULL) {
		*frm++ = category;
		*frm++ = action;
		*frm++ = args[0];		/* dialog token */
		ADDSHORT(frm, args[1]);		/* baparamset (ADDBA req) or status code (ADDBA resp) */
		ADDSHORT(frm, args[2]);		/* batimeout (ADDBA req) or baparamset (ADDBA resp) */
		ADDSHORT(frm, args[3]);		/* baseqctl (ADDBA req) or batimeout (ADDBA resp) */

		m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *);
		return ht_action_output(ni, m);
	} else {
		vap->iv_stats.is_tx_nobuf++;
		ieee80211_free_node(ni);
		return ENOMEM;
	}
 
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Feb 7 13:04:54 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=143627 

From: Alexander Egorenkov <egorenar@googlemail.com>
To: bug-followup@FreeBSD.org, egorenar@gmail.com
Cc:  
Subject: Re: kern/143627: [ieee80211] [panic] A bug in ht_send_action_ba_addba 
	causes net80211 to send malformed ADDBA response frames
Date: Thu, 4 Mar 2010 14:18:51 +0100

Here is a patch I used on my system.
 
State-Changed-From-To: open->closed 
State-Changed-By: rpaulo 
State-Changed-When: Tue Mar 23 13:36:44 UTC 2010 
State-Changed-Why:  
Fixed with a commit I made last week. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=143627 
>Unformatted:
