Subject: kern/28676: ieee80211 association requests use wrong rate set
List: netbsd-bugs
Date: 12/16/2004 10:36:00
>Number:         28676
>Category:       kern
>Synopsis:       ieee80211 association requests use wrong rate set
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Dec 16 10:36:00 +0000 2004
>Originator:     Dave Hudak
>Release:        2.0 RC3
Terabeam Wireless
NetBSD logan 2.0_RC3 NetBSD 2.0_RC3 (NET45X1) #2: Mon Dec 13 16:07:01 EST 2004 i386

Packet traces of a NetBSD 2.0RC3 802.11b madwifi station
associating with a NetBSD 2.0RC3 802.11g madwifi AP.  The station sends
an association request to the AP containing extended (802.11g) rates, which it received from the AP, instead of its own supported (802.11b) rates.

We found in ieee80211_send_mgmt() (in ieee80211_output.c), in the case where it
is sending an association request, it calls ieee80211_add_rates to
insert the rate information into the association request it is building
up as:
        ieee80211_add_rates(frm, &ni->ni_rates);
where ni is passed in from ieee80211_newstate() (in ieee80211_proto.c),
and ni was assigned with:
        ni = ic->ic_bss;

HOWEVER, in the probe request case (in ieee80211_send_mgmt() in
ieee80211_output.c), ieee80211_add_rates() was called as:
        ieee80211_add_rates(frm, &ic->ic_sup_rates[mode]);

RCS file: /home/cvs/logan-cvsroot/src/sys/net80211/ieee80211_output.c,v
retrieving revision
retrieving revision
diff -u -r1.1.4.1 -r1.1.4.2
--- src/sys/net80211/ieee80211_output.c	2004/11/19 19:36:01
+++ src/sys/net80211/ieee80211_output.c	2004/12/14 16:57:59
@@ -604,8 +604,9 @@
 		frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen);
-		frm = ieee80211_add_rates(frm, &ni->ni_rates);
-		frm = ieee80211_add_xrates(frm, &ni->ni_rates);
+		mode = ieee80211_chan2mode(ic, ni->ni_chan);
+		frm = ieee80211_add_rates(frm, &ic->ic_sup_rates[mode]);
+		frm = ieee80211_add_xrates(frm, &ic->ic_sup_rates[mode]);
 		m->m_pkthdr.len = m->m_len = frm - mtod(m, u_int8_t *);
 		timer = IEEE80211_TRANS_WAIT;
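Review bot: the added `mode = ieee80211_chan2mode(ic, ni->ni_chan);` line assumes a local `mode` variable already exists in ieee80211_send_mgmt(); the hunk shows no declaration, so confirm it is the same `mode` the probe-request case (`&ic->ic_sup_rates[mode]`, quoted above) already relies on, otherwise this will not compile. Also worth noting in the commit message: with a station-local rate set, `ieee80211_add_xrates()` will emit an Extended Supported Rates element only when that set has more than 8 entries, so an 802.11b-only station now correctly sends no extended rates at all.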
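The report describes two ways of filling the Supported Rates element of an association request: from the bss node (`ni->ni_rates`, which after scanning holds whatever the AP advertised) or from the station's own table for the channel's PHY mode (`ic->ic_sup_rates[mode]`). The following is an added example, not code from the report or from NetBSD's net80211; it models those two structures with constructed, simplified types (`struct ic_model`, `struct ni_model`, a two-mode `enum phymode` standing in for `ieee80211_chan2mode()`), builds the element both ways for the 11b-station / 11g-AP scenario in the report, and checks the invariant a reviewer would want: every rate a station advertises must be one it actually supports.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the net80211 pieces the report talks about; these are
 * not the NetBSD structure definitions. Rates use the 802.11 Supported Rates
 * encoding: units of 500 kbit/s, with 0x80 marking a basic (mandatory) rate. */
#define RATE_MAXSIZE 15
#define RATE_VAL     0x7f
#define ELEMID_RATES 1

enum phymode { MODE_11B = 0, MODE_11G = 1, MODE_COUNT };

struct rateset {
    uint8_t rs_nrates;
    uint8_t rs_rates[RATE_MAXSIZE];
};

/* ic: this station's own capabilities, indexed by PHY mode. */
struct ic_model {
    struct rateset ic_sup_rates[MODE_COUNT];
};

/* ni (ic_bss): after scanning, ni_rates holds the rates the AP advertised. */
struct ni_model {
    enum phymode ni_mode;     /* stands in for ieee80211_chan2mode(ic, ni->ni_chan) */
    struct rateset ni_rates;
};

static void set_rates(struct rateset *rs, const uint8_t *r, uint8_t n) {
    rs->rs_nrates = n;
    memcpy(rs->rs_rates, r, n);
}

/* Append a Supported Rates element: id, length, then up to 8 rate bytes. */
static uint8_t *add_rates(uint8_t *frm, const struct rateset *rs) {
    uint8_t n = rs->rs_nrates > 8 ? 8 : rs->rs_nrates;
    *frm++ = ELEMID_RATES;
    *frm++ = n;
    memcpy(frm, rs->rs_rates, n);
    return frm + n;
}

/* Pre-fix behaviour: copies the rates from the bss node, i.e. the AP's set. */
static size_t assoc_rates_from_bss(uint8_t *buf, const struct ni_model *ni) {
    return (size_t)(add_rates(buf, &ni->ni_rates) - buf);
}

/* Post-fix behaviour: picks the station's own set for the channel's mode. */
static size_t assoc_rates_from_sup(uint8_t *buf, const struct ic_model *ic,
                                   const struct ni_model *ni) {
    return (size_t)(add_rates(buf, &ic->ic_sup_rates[ni->ni_mode]) - buf);
}

/* Check a built element: every advertised rate must be one the station can
 * actually use. Returns 1 if so, 0 if any rate is foreign or the element is
 * malformed. The basic-rate bit is ignored for the comparison. */
static int rates_elem_is_own(const uint8_t *buf, size_t len, const struct rateset *own) {
    if (len < 2 || buf[0] != ELEMID_RATES || (size_t)buf[1] + 2 > len)
        return 0;
    for (size_t i = 0; i < buf[1]; i++) {
        int found = 0;
        for (size_t j = 0; j < own->rs_nrates; j++)
            if ((buf[2 + i] & RATE_VAL) == (own->rs_rates[j] & RATE_VAL))
                found = 1;
        if (!found)
            return 0;
    }
    return 1;
}

/* Constructed scenario from the report: an 802.11b station joining an 802.11g AP. */
static void setup_scenario(struct ic_model *ic, struct ni_model *ni) {
    static const uint8_t r11b[] = { 0x82, 0x84, 0x8b, 0x96 };            /* 1, 2, 5.5, 11 */
    static const uint8_t r11g[] = { 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12,
                                    0x18, 0x24, 0x30, 0x48, 0x60, 0x6c }; /* plus 6..54 */
    memset(ic, 0, sizeof *ic);
    memset(ni, 0, sizeof *ni);
    ni->ni_mode = MODE_11B;                                       /* channel is a b channel */
    set_rates(&ic->ic_sup_rates[MODE_11B], r11b, sizeof r11b);   /* station is 11b only */
    set_rates(&ni->ni_rates, r11g, sizeof r11g);                 /* AP advertised 11g set */
}

/* 1 if the pre-fix element only carries rates the station supports (it does not). */
static int old_code_elem_is_own(void) {
    struct ic_model ic; struct ni_model ni; uint8_t buf[2 + 8];
    setup_scenario(&ic, &ni);
    size_t len = assoc_rates_from_bss(buf, &ni);
    return rates_elem_is_own(buf, len, &ic.ic_sup_rates[MODE_11B]);
}

/* 1 if the post-fix element only carries rates the station supports (it does). */
static int new_code_elem_is_own(void) {
    struct ic_model ic; struct ni_model ni; uint8_t buf[2 + 8];
    setup_scenario(&ic, &ni);
    size_t len = assoc_rates_from_sup(buf, &ic, &ni);
    return rates_elem_is_own(buf, len, &ic.ic_sup_rates[MODE_11B]);
}
```

With the AP's 12-entry set, the pre-fix path truncates to the first 8 rates and so advertises 6, 9, 12 and 18 Mbit/s OFDM rates the 11b station cannot transmit at, which is exactly what the packet traces in the report show; the post-fix path emits only the four 11b rates. The `rates_elem_is_own()` check is the kind of assertion a driver test harness can apply to any management frame it builds before handing it to the hardware.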