Please note: This project is no longer active. The website is kept online for historic purposes only.
If you´re looking for a Linux driver for your Atheros WLAN device, you should continue here .

Ticket #963 (closed defect: fixed)

Opened 10 years ago

Last modified 6 years ago

[patch] Channel Switch Announcement remote abuse fix / reliability improvement

Reported by: Assigned to:
Priority: blocker Milestone: version 0.9.3
Component: madwifi: other Version: v0.9.2
Keywords: Cc:
Patch is attached: 1 Pending:


See the description of Lintrack ticket:

http: //

IMHO This is quite a serious issue, so either the application of the patch should be considered or iwpriv doth 0 should be the default setting (so that users can lead themselves into problems on their own demand).

http: //

Signed-off-by: Michal Wrobel <>


009-csa_ie_handling_fix.diff (11.0 kB) - added by on 10/19/06 01:50:37.

Change History

10/19/06 01:50:37 changed by

  • attachment 009-csa_ie_handling_fix.diff added.

10/19/06 13:14:04 changed by mrenzmann

  • priority changed from major to blocker.
  • version set to v0.9.2.
  • milestone set to version 0.9.3.

The description of the referenced external ticket is as follows:

Currently, channel switch is performed only after receiving Channel Switch Announcement with Channel Switch Count <= 1. This ensures proper operation under normal conditions. However, Beacon misses happen (especially if there is a reason to leave the current channel). If the last Beacon before channel switch is lost, then STA will remain on the channel. Such a condition is not fatal, because STA will eventually recover after some time (by scanning for the BSS and rejoining). It is not optimal, though. The information that a channel switch is scheduled could have been already known thanks to prior announcements. Ignoring them is just losing the opportunity to work fluently under harsh conditions.

Of course it has a drawback. The last (lost) Beacon before scheduled channel switch could cancel it. If so, then our STA will change the channel, notice that there is no one to talk to there and then try recover as usual. However, if we lose last Beacon it is more probable that the channel switch was not cancelled and thus assuming that we decrease the probability of missing (or performing an incorrect) channel switch.

BTW It is desirable to pay more attention to received Channel Switch Announcements to avoid malicious packet injections that can cause a serious DoS.

There is currently one comment to that ticket, saying:

Unfortunately, the "BTW" remark appeared to be true. Using extremely simple packet injection, an attacker can send his own Beacon Frames with Channel Switch Announcement Information Elements. If he sets CS Count <= 1, then the client station (madwifi in STA (Managed) mode) follows it blindly and changes its operating channel. This completely interrupts communication for a significant period of time (up to 10 seconds) and therefore current design can be considered as a serious flaw allowing the attacker to perform DoS attack easily.

The idea to monitor all incoming CSA IEs gives a possibility to avoid such attacks or at least to reduce their impact to the minimum. Its implementation has been applied as r962. Its functionality in brief:

  • IEEE80211_CSA_PROTECTION_PERIOD has been introduced. It defines the minimal Channel Switch Count in the initial packet. This means that the period in which Channel Switch is announced cannot be too short. This protects the client from switching to another channel after receiving malicious CSA IE with Count <= 1.
  • Interval measurement between subsequent CSA IEs is checked against the actual CSA Count drop and the right multiplicity of Beacon Interval. It allows to react to injected packets. The actual action is to cancel the switch. It is not the ideal solution because now it is easy to enforce cancelling the switch. However, not to switch is better than to switch ;D, because the worst impact possible is disruption of communication for a few seconds needed to scan the band to find the AP. But this can potentially happen only when the switch is really going to happen and cannot be triggered by the attacker.
  • CSA parameters (Chan, Mode) are monitored for change.
  • Channel to switch to is looked up after receiving first CSA IE.
  • When any proper CSA IE is received, a timer is set up to make the switch proceed even though the terminal CSA IE has not arrived. This addresses the main task described in the ticket description.

The applied changes work fine and do much (if not the most) of what was possible to ensure proper functioning while using available IEEE802.11h facilities.

10/23/06 11:15:22 changed by kelmo

  • status changed from new to closed.
  • resolution set to fixed.

Applied: r1762.