WARP Project Forums - Wireless Open-Access Research Platform


#1 2016-Jul-13 09:37:10

From: Aachen
Registered: 2016-Jul-13
Posts: 4

Dereference uninitialized pointer in wlan_mac_packet_types.c


I've noticed that in line 394 of wlan_mac_packet_types.c (High Framework) of the current version of the 802.11 Ref. Des. a pointer gets declared:

mgmt_tag_template_t* mgmt_tag_template;

and in line 437 this pointer gets dereferenced and written to even though it was never initialized.

Normally, I would say this would cause a segmentation fault.
Did I overlook something?

According to the other packet creation methods I would guess it should be initialized as follows:

mgmt_tag_template = (mgmt_tag_template_t *)( (void *)(pkt_buf) + sizeof(mac_header_80211) + sizeof(association_response_frame) );

Even though I'm not sure whether this is actually the correct way to initialize it.

Thank you in advance for your help.

Last edited by kirchhof (2016-Jul-13 09:43:49)



#2 2016-Jul-13 11:20:58

From: Mango Communications
Registered: 2006-Aug-24
Posts: 1212

Re: Dereference uninitialized pointer in wlan_mac_packet_types.c

You are absolutely right; thanks for catching that. The effects of that bug are pretty insidious. Association responses were not being filled in with the HT information element, but that's the least of the problems. Much worse, because mgmt_tag_template was never initialized, the address it pointed to was totally arbitrary since it would be whatever values happen to be in the stack where mgmt_tag_template is stored. Writing to arbitrary addresses could lead to really hard-to-debug behaviors.

Your fix in assigning mgmt_tag_template is close, but there needs to be the additional step of using mgmt_tag_template for the inclusion of the MGMT_TAG_SUPPORTED_RATES tag so they are not overwritten. I've made the fix in svn changeset 5566. Below is the new wlan_create_association_response_frame() function in its entirety if you want to copy and paste it into your project.

Thanks again for pointing this out. The fix will get formally rolled into the next release.


int wlan_create_association_response_frame(void* pkt_buf, mac_header_80211_common* common, u16 status, u16 AID, bss_info_t* bss_info) {
	u32 packetLen_bytes;

	ht_capabilities* ht_capabilities_element;
	ht_information* ht_information_element;
	wmm_parameter_t* wmm_parameter;

	mgmt_tag_template_t* mgmt_tag_template;

	mac_header_80211* assoc_80211_header;
	assoc_80211_header = (mac_header_80211*)(pkt_buf);

	assoc_80211_header->frame_control_1 = MAC_FRAME_CTRL1_SUBTYPE_ASSOC_RESP;
	assoc_80211_header->frame_control_2 = 0;
	//duration can be filled in by CPU_LOW
	assoc_80211_header->duration_id = 0;

	memcpy(assoc_80211_header->address_1, common->address_1, MAC_ADDR_LEN);
	memcpy(assoc_80211_header->address_2, common->address_2, MAC_ADDR_LEN);
	memcpy(assoc_80211_header->address_3, common->address_3, MAC_ADDR_LEN);

	assoc_80211_header->sequence_control = 0; //Will be filled in at dequeue

	association_response_frame* association_resp_mgmt_header;
	association_resp_mgmt_header = (association_response_frame*)(pkt_buf + sizeof(mac_header_80211));
	association_resp_mgmt_header->capabilities = (CAPABILITIES_ESS | CAPABILITIES_SHORT_TIMESLOT);

	association_resp_mgmt_header->status_code = status;
	association_resp_mgmt_header->association_id = 0xC000 | AID;

	mgmt_tag_template = (mgmt_tag_template_t *)( (void *)(pkt_buf) + sizeof(mac_header_80211) + sizeof(association_response_frame) );

	mgmt_tag_template->header.tag_element_id = MGMT_TAG_SUPPORTED_RATES;
	mgmt_tag_template->header.tag_length = 8;
	mgmt_tag_template->data[0] = RATE_BASIC | (0x0C);   //6Mbps  (BPSK,   1/2)
	mgmt_tag_template->data[1] = (0x12);                    //9Mbps  (BPSK,   3/4)
	mgmt_tag_template->data[2] = RATE_BASIC | (0x18);   //12Mbps (QPSK,   1/2)
	mgmt_tag_template->data[3] = (0x24);                //18Mbps (QPSK,   3/4)
	mgmt_tag_template->data[4] = RATE_BASIC | (0x30);   //24Mbps (16-QAM, 1/2)
	mgmt_tag_template->data[5] = (0x48);                //36Mbps (16-QAM, 3/4)
	mgmt_tag_template->data[6] = (0x60);                //48Mbps  (64-QAM, 2/3)
	mgmt_tag_template->data[7] = (0x6C);                //54Mbps  (64-QAM, 3/4)
	mgmt_tag_template = (void*)mgmt_tag_template + ( mgmt_tag_template->header.tag_length + sizeof(mgmt_tag_header) ); //Advance tag template forward

	if ((bss_info->capabilities) & BSS_CAPABILITIES_HT_CAPABLE) {
		//Insert HT Capabilities and HT Information tags
		mgmt_tag_template->header.tag_element_id = MGMT_TAG_HT_CAPABILITIES;
		mgmt_tag_template->header.tag_length = 26;

		ht_capabilities_element = (ht_capabilities*)mgmt_tag_template->data;
		ht_capabilities_element->ht_capabilities_info = 0x000c;
		ht_capabilities_element->a_mpdu_parameters = 0x00;
		ht_capabilities_element->rx_supported_mcs[0] = 0x000000ff;
		ht_capabilities_element->rx_supported_mcs[1] = 0x00000000;
		ht_capabilities_element->rx_supported_mcs[2] = 0x00000000;
		ht_capabilities_element->rx_supported_mcs[3] = 0x00000000;
		ht_capabilities_element->ht_extended_capabilities = 0x0000;
		ht_capabilities_element->tx_beamforming = 0x0000;
		ht_capabilities_element->ant_sel = 0x00;

		mgmt_tag_template = (void*)mgmt_tag_template + ( mgmt_tag_template->header.tag_length + sizeof(mgmt_tag_header) ); //Advance tag template forward

		mgmt_tag_template->header.tag_element_id = MGMT_TAG_HT_OPERATION;
		mgmt_tag_template->header.tag_length = 22;

		ht_information_element = (ht_information*)mgmt_tag_template->data;
		ht_information_element->channel = wlan_mac_high_bss_channel_spec_to_radio_chan(bss_info->chan_spec);
		ht_information_element->ht_info_subset_1 = 0x00;
		ht_information_element->ht_info_subset_2 = 0x0004; //One or more STAs are not greenfield compatible
		ht_information_element->ht_info_subset_3 = 0x0000;
		ht_information_element->rx_supported_mcs[0] = 0x00000000;
		ht_information_element->rx_supported_mcs[1] = 0x00000000;
		ht_information_element->rx_supported_mcs[2] = 0x00000000;
		ht_information_element->rx_supported_mcs[3] = 0x00000000;

		mgmt_tag_template = (void*)mgmt_tag_template + ( mgmt_tag_template->header.tag_length + sizeof(mgmt_tag_header) ); //Advance tag template forward

		//Insert WMM tag
		mgmt_tag_template->header.tag_element_id = MGMT_TAG_VENDOR_SPECIFIC;
		mgmt_tag_template->header.tag_length = 24;

		wmm_parameter = (wmm_parameter_t*)mgmt_tag_template->data;
		wmm_parameter->oui[0] = 0x00;
		wmm_parameter->oui[1] = 0x50;
		wmm_parameter->oui[2] = 0xf2;
		wmm_parameter->vendor_specific_oui_type = 2;
		wmm_parameter->wme_subtype = 1;
		wmm_parameter->wme_version = 1;
		wmm_parameter->wme_qos_info = 0x08;
		wmm_parameter->reserved = 0;
		wmm_parameter->aci0	= Xil_Htonl(0x03a40000);
		wmm_parameter->aci1 = Xil_Htonl(0x27a40000);
		wmm_parameter->aci2 = Xil_Htonl(0x42435e00);
		wmm_parameter->aci3 = Xil_Htonl(0x62322f00);

		mgmt_tag_template = (void*)mgmt_tag_template + ( mgmt_tag_template->header.tag_length + sizeof(mgmt_tag_header) ); //Advance tag template forward
	}

	//Packet length is the distance from the start of the buffer to the end of the last tag, plus the FCS
	packetLen_bytes = ((u8*)mgmt_tag_template - (u8*)(pkt_buf)) + WLAN_PHY_FCS_NBYTES;

	return packetLen_bytes;
}


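As an added illustration (not code from the thread or from the reference design), the same tag-append pattern with the tag pointer derived from pkt_buf and a bounds check that the posted function does not have. The element id, the RATE_BASIC value, the header size and the helper names are constructed assumptions; only the rate bytes come from the post above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the reference design's tag layout: a 1-byte element id,
 * a 1-byte length, then tag_length data bytes (assumed values, not the project's). */
#define TAG_SUPPORTED_RATES 1     /* 802.11 element id of Supported Rates */
#define RATE_BASIC          0x80  /* high bit flags a basic rate */

/* Append one information element at cursor, refusing to write past buf_end.
 * Returns the advanced cursor (the "advance tag template forward" step of the fix),
 * or NULL when the element would overrun the packet buffer. */
static uint8_t *append_tag(uint8_t *cursor, const uint8_t *buf_end,
                           uint8_t id, const uint8_t *data, uint8_t len)
{
    if (cursor == NULL || (size_t)(buf_end - cursor) < (size_t)len + 2)
        return NULL;
    cursor[0] = id;
    cursor[1] = len;
    memcpy(cursor + 2, data, len);
    return cursor + 2 + len;
}

/* Fill the tag area that follows hdr_len bytes of fixed header, the way the
 * corrected wlan_create_association_response_frame() does: the tag pointer is
 * derived from pkt_buf, never left uninitialized. Returns the byte count written
 * (header plus tags) or 0 if the buffer is too small. */
size_t build_assoc_resp_tags(uint8_t *pkt_buf, size_t buf_len, size_t hdr_len)
{
    static const uint8_t rates[8] = {            /* same bytes as the post's table */
        RATE_BASIC | 0x0C, 0x12, RATE_BASIC | 0x18, 0x24,
        RATE_BASIC | 0x30, 0x48, 0x60, 0x6C };
    if (hdr_len > buf_len)
        return 0;
    uint8_t *tag = pkt_buf + hdr_len;            /* the initialization the bug lacked */
    tag = append_tag(tag, pkt_buf + buf_len, TAG_SUPPORTED_RATES, rates, sizeof rates);
    return tag ? (size_t)(tag - pkt_buf) : 0;
}

/* Small driver over a constructed buffer so the result can be inspected. */
static uint8_t demo_buf[64];

size_t build_demo(size_t buf_len)            /* 30-byte header: 24 MAC + 6 fixed fields */
{
    memset(demo_buf, 0, sizeof demo_buf);
    return build_assoc_resp_tags(demo_buf, buf_len, 30);
}

uint8_t demo_byte(size_t i) { return demo_buf[i]; }
```

With a 64-byte buffer the Supported Rates element lands at offset 30 and the function returns 40; with a 35-byte buffer the same call returns 0 instead of writing past the end.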
