OS X 10.6.5 kernel crash upon wlan roaming with disabled mandatory MCS

From: Attilla de Groot <attilla@attilla.nl>
To: bugtraq@securityfocus.com
Subject: OS X 10.6.5 kernel crash upon wlan roaming with disabled mandatory MCS

During the buildup at the CCC 27c3 congress in Berlin we noticed several Apple MacBooks kernel panicked while connected to the wireless network. We identified the cause of this issue and we are able to reproduce this as well.

It seems to be limited to the aluminum unibody MacBooks, running OS X 10.6.5 with the following Broadcom wireless chip:

 Card Type:            AirPort Extreme  (0x14E4, 0x8D)
 Firmware Version:     Broadcom BCM43xx 1.0 (

The problem occurs when 802.11n MCS0 (Modulation and coding scheme) is disabled on a Cisco Wireless Controller. This scheme is mandatory according to the IEEE standard (802.11n-2009, page 265). Deselecting this MCS is available through the web interface (both WCS and WLC) and the console without a notification about the fact that it is mandatory:

 (Cisco Controller) >config 802.11a disable network
 Disabling the 802.11a network may strand mesh APs. Are you sure you want to continue? (y/n)y
 (Cisco Controller) >
 (Cisco Controller) >config 802.11a 11nSupport mcs tx 0 disable
 (Cisco Controller) >config 802.11a enable network

When this option is configured and an affected Mac OSX client roams from one Cisco AP to the other, the kernel panics. This is easily reproducible by just walking to another room in the congress center.

Thanks for helping identify the issue:
Willem Hengeveld <itsme at xs4all dot nl>
Hartmut Schroeder <hacko at hacko dot org>

Best regards,
Attilla de Groot

Relevant files:
WCS config:                    http://www.attilla.nl/osx_crash/80211n_config_wcs.png
Multiple NOC macbooks crash:   http://www.attilla.nl/osx_crash/4macbooks.jpg
Normal association response:   http://www.attilla.nl/osx_crash/association_response_normal.pcap
Response when MCS disabled:    http://www.attilla.nl/osx_crash/association_response_crash.pcap
OSX kernel panic:              http://www.attilla.nl/osx_crash/kernel_panic.txt
OSX kernel panic reproduced:   http://www.attilla.nl/osx_crash/kernel_panic_reproduced.txt
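
An audit check for the condition described in the message above, added here as an example; it is not part of the original post and is not Apple, Broadcom or Cisco code. It walks the tagged elements of an association response body and reports whether MCS0 is missing from the Rx MCS bitmask of the HT Capabilities element. That the disabled MCS shows up as a cleared bit in that field is an assumption (the linked captures were not inspected), and the function names and sample bytes are constructed.

```python
import struct

HT_CAPABILITIES = 45   # element ID of the HT Capabilities element (802.11n)
FIXED_LEN = 6          # assoc response body: capability(2) + status(2) + AID(2)
MCS_SET_OFFSET = 3     # HT Cap Info(2) + A-MPDU Params(1) precede the MCS set


def iter_elements(buf):
    """Yield (element_id, value) TLVs; raise on a truncated element."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated element header at offset %d" % pos)
        eid, length = buf[pos], buf[pos + 1]
        value = buf[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("element %d overruns the frame" % eid)
        yield eid, value
        pos += 2 + length


def rx_mcs_indices(ht_cap):
    """Return the set of MCS indices (0-76) flagged in the Rx MCS bitmask."""
    if len(ht_cap) < MCS_SET_OFFSET + 16:
        raise ValueError("HT Capabilities element too short")
    mask = ht_cap[MCS_SET_OFFSET:MCS_SET_OFFSET + 10]  # 77 bits are used
    return {i for i in range(77) if mask[i // 8] >> (i % 8) & 1}


def audit_assoc_response(body, required=(0,)):
    """Return missing required MCS indices, or None if the frame is not HT."""
    for eid, value in iter_elements(body[FIXED_LEN:]):
        if eid == HT_CAPABILITIES:
            return sorted(set(required) - rx_mcs_indices(value))
    return None


def build_sample(rx_mask_byte0):
    """Constructed association response body (not taken from the pcaps)."""
    fixed = struct.pack("<HHH", 0x0011, 0, 0xC001)
    rates = bytes([1, 8, 0x8C, 0x12, 0x98, 0x24, 0xB0, 0x48, 0x60, 0x6C])
    mcs_set = bytes([rx_mask_byte0, 0xFF]) + bytes(14)
    ht = bytes([HT_CAPABILITIES, 26]) + b"\x0c\x00\x1b" + mcs_set + bytes(7)
    return fixed + rates + ht


if __name__ == "__main__":
    print(audit_assoc_response(build_sample(0xFF)))  # MCS0-15 advertised
    print(audit_assoc_response(build_sample(0xFE)))  # MCS0 bit cleared
```

A non-empty result means the access point is not advertising the mandatory MCS0 and its 802.11n data-rate configuration should be reviewed.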
