reaver: switch to reaver-wps-fork-t6x

Addresses #2872 Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
7 years ago · 9a35d5397d
--- a/net/reaver/Makefile
+++ b/net/reaver/Makefile
@ -1,5 +1,6 @@
 #
 # Copyright (C) 2012-2015 OpenWrt.org
 # Copyright (C) 2017 Yousong Zhou
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@ -8,47 +9,48 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=reaver
 PKG_VERSION:=1.4
 PKG_RELEASE:=3
 PKG_VERSION:=1.6.3
 PKG_RELEASE:=1
 PKG_MAINTAINER:=Yousong Zhou <yszhou4tech@gmail.com>

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/reaver-wps
 PKG_HASH:=add3050a4a05fe0ab6bfb291ee2de8e9b8a85f1e64ced93ee27a75744954b22d
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://github.com/t6x/reaver-wps-fork-t6x/releases/download/v$(PKG_VERSION)
 PKG_HASH:=191f785f53030e4803260ada1a29ca4b42c848d56f6f3982e320d03b6117aaf2

 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=docs/LICENSE

 PKG_USE_MIPS16:=0
 PKG_AUTOMAKE_PATHS:=src
 PKG_FIXUP:=autoreconf

 include $(INCLUDE_DIR)/package.mk

 CONFIGURE_PATH:=src
 MAKE_PATH:=src
 EXTRA_CFLAGS=$(TARGET_CPPFLAGS)

 define Package/reaver
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=wireless
  TITLE:=Efficient brute force attack against Wifi Protected Setup
  URL:=https://code.google.com/p/reaver-wps/
  DEPENDS:=+libpcap +libsqlite3
  URL:=https://github.com/t6x/reaver-wps-fork-t6x
  DEPENDS:=+libpcap
 endef

 define Package/reaver/description
  Reaver targets the external registrar functionality mandated by the WiFi
  Protected Setup specification.
  Access points will provide authenticated registrars with their current
  wireless configuration (including the WPA PSK), and also accept a new
  configuration from the registrar.
  Reaver has been designed to be a robust and practical attack against Wi-Fi
  Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2
  passphrases. It has been tested against a wide variety of access points and
  WPS implementations.

  This is reaver-wps-fork-t6x, a community forked version, which has included
  various bug fixes and additional attack method (the offline Pixie Dust
  attack).
 endef

 define Package/reaver/install
 	$(INSTALL_DIR) $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/{reaver,wash} $(1)/usr/bin/
 	$(INSTALL_DIR) $(1)/etc/reaver
 	$(INSTALL_DATA) $(PKG_BUILD_DIR)/src/reaver.db $(1)/etc/reaver/
 endef

 $(eval $(call BuildPackage,reaver))
--- a/net/reaver/patches/0001-wpscrack-big-endian-fixes.patch
+++ b/net/reaver/patches/0001-wpscrack-big-endian-fixes.patch
@ -1,565 +0,0 @@
 From 4e7af9f022996cb0a03b30f6af265b757807dfa2 Mon Sep 17 00:00:00 2001
 From: Paul Fertser <fercerpav@gmail.com>
 Date: Wed, 27 Jun 2012 17:44:55 +0400
 Subject: [PATCH 1/3] wpscrack: big-endian fixes

 This should fix access to the radiotap, 802.11, LLC/SNAP and WFA
 headers' fields. Run-time tested on an ar71xx BE system.

 Signed-off-by: Paul Fertser <fercerpav@gmail.com>
 ---
 src/80211.c    |   65 +++++++++++++++++++------------
 src/builder.c  |   23 +++++------
 src/defs.h     |  116 +++++++++++++++++++++++++++++++++++++++-----------------
 src/exchange.c |   23 ++++++-----
 src/wpsmon.c   |   13 ++++--
 5 files changed, 151 insertions(+), 89 deletions(-)

 diff --git a/src/80211.c b/src/80211.c
 index c2aff59..19f1e92 100644
 --- a/src/80211.c
 +++ b/src/80211.c
@@ -90,17 +90,19 @@ void read_ap_beacon()
                 if(header.len >= MIN_BEACON_SIZE)
                 {
                         rt_header = (struct radio_tap_header *) radio_header(packet, header.len);
 -                        frame_header = (struct dot11_frame_header *) (packet + rt_header->len);
 -
 +			size_t rt_header_len = __le16_to_cpu(rt_header->len);
 +			frame_header = (struct dot11_frame_header *) (packet + rt_header_len);
 +			
 			if(is_target(frame_header))
 			{
 -                                if(frame_header->fc.type == MANAGEMENT_FRAME && frame_header->fc.sub_type == SUBTYPE_BEACON)
 +                                if((frame_header->fc & __cpu_to_le16(IEEE80211_FCTL_FTYPE | IEEE80211_FCTL_STYPE)) ==
 +				   __cpu_to_le16(IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_BEACON))
                                 {
 -                                       	beacon = (struct beacon_management_frame *) (packet + rt_header->len + sizeof(struct dot11_frame_header));
 +                                       	beacon = (struct beacon_management_frame *) (packet + rt_header_len + sizeof(struct dot11_frame_header));
                                        	set_ap_capability(beacon->capability);
 
 					/* Obtain the SSID and channel number from the beacon packet */
 -					tag_offset = rt_header->len + sizeof(struct dot11_frame_header) + sizeof(struct beacon_management_frame);
 +					tag_offset = rt_header_len + sizeof(struct dot11_frame_header) + sizeof(struct beacon_management_frame);
 					channel = parse_beacon_tags(packet, header.len);
 					
 					/* If no channel was manually specified, switch to the AP's current channel */
@@ -135,29 +137,31 @@ int8_t signal_strength(const u_char *packet, size_t len)
 	{
 		header = (struct radio_tap_header *) packet;
 
 -		if((header->flags & SSI_FLAG) == SSI_FLAG)
 +		uint32_t flags = __le32_to_cpu(header->flags);
 +		
 +		if((flags & SSI_FLAG) == SSI_FLAG)
 		{
 -			if((header->flags & TSFT_FLAG) == TSFT_FLAG)
 +			if((flags & TSFT_FLAG) == TSFT_FLAG)
 			{
 				offset += TSFT_SIZE;
 			}
 
 -			if((header->flags & FLAGS_FLAG) == FLAGS_FLAG)
 +			if((flags & FLAGS_FLAG) == FLAGS_FLAG)
 			{
 				offset += FLAGS_SIZE;
 			}
 	
 -			if((header->flags & RATE_FLAG) == RATE_FLAG)
 +			if((flags & RATE_FLAG) == RATE_FLAG)
 			{
 				offset += RATE_SIZE;
 			}
 
 -			if((header->flags & CHANNEL_FLAG) == CHANNEL_FLAG)
 +			if((flags & CHANNEL_FLAG) == CHANNEL_FLAG)
 			{
 				offset += CHANNEL_SIZE;
 			}
 
 -			if((header->flags & FHSS_FLAG) == FHSS_FLAG)
 +			if((flags & FHSS_FLAG) == FHSS_FLAG)
 			{
 				offset += FHSS_FLAG;
 			}
@@ -196,11 +200,13 @@ int is_wps_locked()
 		if(header.len >= MIN_BEACON_SIZE)
 		{
 			rt_header = (struct radio_tap_header *) radio_header(packet, header.len);
 -			frame_header = (struct dot11_frame_header *) (packet + rt_header->len);
 +			size_t rt_header_len = __le16_to_cpu(rt_header->len);
 +			frame_header = (struct dot11_frame_header *) (packet + rt_header_len);
 
 			if(memcmp(frame_header->addr3, get_bssid(), MAC_ADDR_LEN) == 0)
 			{
 -				if(frame_header->fc.type == MANAGEMENT_FRAME && frame_header->fc.sub_type == SUBTYPE_BEACON)
 +                                if((frame_header->fc & __cpu_to_le16(IEEE80211_FCTL_FTYPE | IEEE80211_FCTL_STYPE)) ==
 +				   __cpu_to_le16(IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_BEACON))
 				{
 					if(parse_wps_parameters(packet, header.len, &wps))
 					{
@@ -411,24 +417,30 @@ int associate_recv_loop()
                 if(header.len >= MIN_AUTH_SIZE)
                 {
 			rt_header = (struct radio_tap_header *) radio_header(packet, header.len);
 -                        dot11_frame = (struct dot11_frame_header *) (packet + rt_header->len);
 +			size_t rt_header_len = __le16_to_cpu(rt_header->len);
 +			dot11_frame = (struct dot11_frame_header *) (packet + rt_header_len);
 
                         if((memcmp(dot11_frame->addr3, get_bssid(), MAC_ADDR_LEN) == 0) &&
                            (memcmp(dot11_frame->addr1, get_mac(), MAC_ADDR_LEN) == 0))
                         {
 -				if(dot11_frame->fc.type == MANAGEMENT_FRAME)
 +                                if((dot11_frame->fc & __cpu_to_le16(IEEE80211_FCTL_FTYPE)) ==
 +				   __cpu_to_le16(IEEE80211_FTYPE_MGMT))
 				{
 -                                	auth_frame = (struct authentication_management_frame *) (packet + sizeof(struct dot11_frame_header) + rt_header->len);
 -                                	assoc_frame = (struct association_response_management_frame *) (packet + sizeof(struct dot11_frame_header) + rt_header->len);
 +                                	auth_frame = (struct authentication_management_frame *) (packet + sizeof(struct dot11_frame_header) + rt_header_len);
 +                                	assoc_frame = (struct association_response_management_frame *) (packet + sizeof(struct dot11_frame_header) + rt_header_len);
 
 					/* Did we get an authentication packet with a successful status? */
 -					if((dot11_frame->fc.sub_type == SUBTYPE_AUTHENTICATION) && (auth_frame->status == AUTHENTICATION_SUCCESS))
 +					if((dot11_frame->fc & __cpu_to_le16(IEEE80211_FCTL_STYPE)) ==
 +					   __cpu_to_le16(IEEE80211_STYPE_AUTH)
 +					   && (auth_frame->status == __cpu_to_le16(AUTHENTICATION_SUCCESS)))
                                		{
                                	        	ret_val = AUTH_OK;
                                	        	break;
                                		}
 					/* Did we get an association packet with a successful status? */
 -                               		else if((dot11_frame->fc.sub_type == SUBTYPE_ASSOCIATION) && (assoc_frame->status == ASSOCIATION_SUCCESS))
 +                               		else if((dot11_frame->fc & __cpu_to_le16(IEEE80211_FCTL_STYPE)) ==
 +						__cpu_to_le16(IEEE80211_STYPE_ASSOC_RESP)
 +						&& (assoc_frame->status == __cpu_to_le16(ASSOCIATION_SUCCESS)))
 					{
 						ret_val = ASSOCIATE_OK;
 						break;
@@ -455,13 +467,14 @@ enum encryption_type supported_encryption(const u_char *packet, size_t len)
 	if(len > MIN_BEACON_SIZE)
 	{
 		rt_header = (struct radio_tap_header *) radio_header(packet, len);
 -		beacon = (struct beacon_management_frame *) (packet + rt_header->len + sizeof(struct dot11_frame_header));
 -		offset = tag_offset = rt_header->len + sizeof(struct dot11_frame_header) + sizeof(struct beacon_management_frame);
 +		size_t rt_header_len = __le16_to_cpu(rt_header->len);
 +		beacon = (struct beacon_management_frame *) (packet + rt_header_len + sizeof(struct dot11_frame_header));
 +		offset = tag_offset = rt_header_len + sizeof(struct dot11_frame_header) + sizeof(struct beacon_management_frame);
 		
 		tag_len = len - tag_offset;
 		tag_data = (const u_char *) (packet + tag_offset);
 
 -		if((beacon->capability & CAPABILITY_WEP) == CAPABILITY_WEP)
 +		if((__le16_to_cpu(beacon->capability) & CAPABILITY_WEP) == CAPABILITY_WEP)
 		{
 			enc = WEP;
 
@@ -509,7 +522,7 @@ int parse_beacon_tags(const u_char *packet, size_t len)
 	struct radio_tap_header *rt_header = NULL;
 
 	rt_header = (struct radio_tap_header *) radio_header(packet, len);
 -	tag_offset = rt_header->len + sizeof(struct dot11_frame_header) + sizeof(struct beacon_management_frame);
 +	tag_offset = __le16_to_cpu(rt_header->len) + sizeof(struct dot11_frame_header) + sizeof(struct beacon_management_frame);
 
 	if(tag_offset < len)
 	{
@@ -548,7 +561,7 @@ int parse_beacon_tags(const u_char *packet, size_t len)
 		{
 			if(ie_len  == 1)
 			{
 -				memcpy((int *) &channel, channel_data, ie_len);
 +				channel = *(uint8_t*)channel_data;
 			}
 			free(channel_data);
 		}
@@ -603,13 +616,13 @@ int check_fcs(const u_char *packet, size_t len)
 	if(len > 4)
 	{
 		/* Get the packet's reported FCS (last 4 bytes of the packet) */
 -		memcpy((uint32_t *) &fcs, (packet + (len-4)), 4);
 +		fcs = __le32_to_cpu(*(uint32_t*)(packet + (len-4)));
 
 		/* FCS is not calculated over the radio tap header */
 		if(has_rt_header())
 		{
 			rt_header = (struct radio_tap_header *) packet;
 -			offset += rt_header->len;
 +			offset += __le16_to_cpu(rt_header->len);
 		}
 
 		if(len > offset)
 diff --git a/src/builder.c b/src/builder.c
 index 37f2de7..6bf89e7 100644
 --- a/src/builder.c
 +++ b/src/builder.c
@@ -44,9 +44,8 @@ const void *build_radio_tap_header(size_t *len)
 		memset((void *) buf, 0, sizeof(struct radio_tap_header));
 		rt_header = (struct radio_tap_header *) buf;
 
 -		rt_header->len = sizeof(struct radio_tap_header);
 -	
 -		*len = rt_header->len;
 +		*len = sizeof(struct radio_tap_header);
 +		rt_header->len = __cpu_to_le16(*len);
 	}
 	
 	return buf;
@@ -67,9 +66,9 @@ const void *build_dot11_frame_header(uint16_t fc, size_t *len)
 	
 		frag_seq += SEQ_MASK;
 
 -		header->duration = DEFAULT_DURATION;
 -		memcpy((void *) &header->fc, (void *) &fc, sizeof(struct frame_control));
 -		header->frag_seq = frag_seq;
 +		header->duration = __cpu_to_le16(DEFAULT_DURATION);
 +		header->fc = __cpu_to_le16(fc);
 +		header->frag_seq = __cpu_to_le16(frag_seq);
 
 		memcpy((void *) header->addr1, get_bssid(), MAC_ADDR_LEN);
 		memcpy((void *) header->addr2, get_mac(), MAC_ADDR_LEN);
@@ -91,8 +90,8 @@ const void *build_authentication_management_frame(size_t *len)
 		memset((void *) buf, 0, *len);
 		frame = (struct authentication_management_frame *) buf;
 
 -		frame->algorithm = OPEN_SYSTEM;
 -		frame->sequence = 1;
 +		frame->algorithm = __cpu_to_le16(OPEN_SYSTEM);
 +		frame->sequence = __cpu_to_le16(1);
 		frame->status = 0;
 	}
 	
@@ -111,8 +110,8 @@ const void *build_association_management_frame(size_t *len)
 		memset((void *) buf, 0, *len);
 		frame = (struct association_request_management_frame *) buf;
 
 -		frame->capability = get_ap_capability();
 -		frame->listen_interval = LISTEN_INTERVAL;
 +		frame->capability = __cpu_to_le16(get_ap_capability());
 +		frame->listen_interval = __cpu_to_le16(LISTEN_INTERVAL);
 	}
 
 	return buf;
@@ -133,7 +132,7 @@ const void *build_llc_header(size_t *len)
 		header->dsap = LLC_SNAP;
 		header->ssap = LLC_SNAP;
 		header->control_field = UNNUMBERED_FRAME;
 -		header->type = DOT1X_AUTHENTICATION;
 +		header->type = __cpu_to_be16(DOT1X_AUTHENTICATION);
 
 	}
 
@@ -279,7 +278,7 @@ const void *build_wfa_header(uint8_t op_code, size_t *len)
 		header = (struct wfa_expanded_header *) buf;
 	
 		memcpy(header->id, WFA_VENDOR_ID, sizeof(header->id));
 -		header->type = SIMPLE_CONFIG;
 +		header->type = __cpu_to_be32(SIMPLE_CONFIG);
 		header->opcode = op_code;
 	}
 	
 diff --git a/src/defs.h b/src/defs.h
 index b2f45ea..0c628e7 100644
 --- a/src/defs.h
 +++ b/src/defs.h
@@ -41,6 +41,7 @@
 #include <string.h>
 #include <time.h>
 #include <pcap.h>
 +#include <asm/byteorder.h>
 
 #include "wps.h"
 
@@ -65,10 +66,10 @@
 #define MANAGEMENT_FRAME	0x00
 #define SUBTYPE_BEACON		0x08
 
 -#define DOT1X_AUTHENTICATION	0x8E88
 +#define DOT1X_AUTHENTICATION	0x888E
 #define DOT1X_EAP_PACKET	0x00
 
 -#define SIMPLE_CONFIG		0x01000000
 +#define SIMPLE_CONFIG		0x00000001
 
 #define P1_SIZE			10000
 #define P2_SIZE			1000
@@ -282,66 +283,111 @@ enum wfa_elements
 	WEP_TRANSMIT_KEY = 0x10064
 };
 
 +#define IEEE80211_FCTL_VERS		0x0003
 +#define IEEE80211_FCTL_FTYPE		0x000c
 +#define IEEE80211_FCTL_STYPE		0x00f0
 +#define IEEE80211_FCTL_TODS		0x0100
 +#define IEEE80211_FCTL_FROMDS		0x0200
 +#define IEEE80211_FCTL_MOREFRAGS	0x0400
 +#define IEEE80211_FCTL_RETRY		0x0800
 +#define IEEE80211_FCTL_PM		0x1000
 +#define IEEE80211_FCTL_MOREDATA		0x2000
 +#define IEEE80211_FCTL_PROTECTED	0x4000
 +#define IEEE80211_FCTL_ORDER		0x8000
 +
 +#define IEEE80211_SCTL_FRAG		0x000F
 +#define IEEE80211_SCTL_SEQ		0xFFF0
 +
 +#define IEEE80211_FTYPE_MGMT		0x0000
 +#define IEEE80211_FTYPE_CTL		0x0004
 +#define IEEE80211_FTYPE_DATA		0x0008
 +
 +/* management */
 +#define IEEE80211_STYPE_ASSOC_REQ	0x0000
 +#define IEEE80211_STYPE_ASSOC_RESP	0x0010
 +#define IEEE80211_STYPE_REASSOC_REQ	0x0020
 +#define IEEE80211_STYPE_REASSOC_RESP	0x0030
 +#define IEEE80211_STYPE_PROBE_REQ	0x0040
 +#define IEEE80211_STYPE_PROBE_RESP	0x0050
 +#define IEEE80211_STYPE_BEACON		0x0080
 +#define IEEE80211_STYPE_ATIM		0x0090
 +#define IEEE80211_STYPE_DISASSOC	0x00A0
 +#define IEEE80211_STYPE_AUTH		0x00B0
 +#define IEEE80211_STYPE_DEAUTH		0x00C0
 +#define IEEE80211_STYPE_ACTION		0x00D0
 +
 +/* control */
 +#define IEEE80211_STYPE_BACK_REQ	0x0080
 +#define IEEE80211_STYPE_BACK		0x0090
 +#define IEEE80211_STYPE_PSPOLL		0x00A0
 +#define IEEE80211_STYPE_RTS		0x00B0
 +#define IEEE80211_STYPE_CTS		0x00C0
 +#define IEEE80211_STYPE_ACK		0x00D0
 +#define IEEE80211_STYPE_CFEND		0x00E0
 +#define IEEE80211_STYPE_CFENDACK	0x00F0
 +
 +/* data */
 +#define IEEE80211_STYPE_DATA			0x0000
 +#define IEEE80211_STYPE_DATA_CFACK		0x0010
 +#define IEEE80211_STYPE_DATA_CFPOLL		0x0020
 +#define IEEE80211_STYPE_DATA_CFACKPOLL		0x0030
 +#define IEEE80211_STYPE_NULLFUNC		0x0040
 +#define IEEE80211_STYPE_CFACK			0x0050
 +#define IEEE80211_STYPE_CFPOLL			0x0060
 +#define IEEE80211_STYPE_CFACKPOLL		0x0070
 +#define IEEE80211_STYPE_QOS_DATA		0x0080
 +#define IEEE80211_STYPE_QOS_DATA_CFACK		0x0090
 +#define IEEE80211_STYPE_QOS_DATA_CFPOLL		0x00A0
 +#define IEEE80211_STYPE_QOS_DATA_CFACKPOLL	0x00B0
 +#define IEEE80211_STYPE_QOS_NULLFUNC		0x00C0
 +#define IEEE80211_STYPE_QOS_CFACK		0x00D0
 +#define IEEE80211_STYPE_QOS_CFPOLL		0x00E0
 +#define IEEE80211_STYPE_QOS_CFACKPOLL		0x00F0
 +
 #pragma pack(1)
 struct radio_tap_header
 {
 	uint8_t revision;	
 	uint8_t pad;
 -	uint16_t len;
 -	uint32_t flags;
 -};
 -
 -struct frame_control
 -{
 -        unsigned version : 2;
 -        unsigned type : 2;
 -        unsigned sub_type : 4;
 -
 -        unsigned to_ds : 1;
 -        unsigned from_ds : 1;
 -        unsigned more_frag : 1;
 -        unsigned retry : 1;
 -        unsigned pwr_mgt : 1;
 -        unsigned more_data : 1;
 -        unsigned protected_frame : 1;
 -        unsigned order : 1;
 +	__le16 len;
 +	__le32 flags;
 };
 
 struct dot11_frame_header
 {
 -	struct frame_control fc;
 -        uint16_t duration;
 +	__le16 fc;
 +	__le16 duration;
 	unsigned char addr1[MAC_ADDR_LEN];
 	unsigned char addr2[MAC_ADDR_LEN];
 	unsigned char addr3[MAC_ADDR_LEN];
 -	uint16_t frag_seq;
 +	__le16 frag_seq;
 };
 
 struct authentication_management_frame
 {
 -	uint16_t algorithm;
 -	uint16_t sequence;
 -	uint16_t status;
 +	__le16 algorithm;
 +	__le16 sequence;
 +	__le16 status;
 };
 
 struct association_request_management_frame
 {
 -	uint16_t capability;
 -	uint16_t listen_interval;
 +	__le16 capability;
 +	__le16 listen_interval;
 };
 
 struct association_response_management_frame
 {
 -	uint16_t capability;
 -	uint16_t status;
 -	uint16_t id;
 +	__le16 capability;
 +	__le16 status;
 +	__le16 id;
 };
 
 struct beacon_management_frame
 {
 	unsigned char timestamp[TIMESTAMP_LEN];
 -	uint16_t beacon_interval;
 -	uint16_t capability;
 +	__le16 beacon_interval;
 +	__le16 capability;
 };
 
 struct llc_header
@@ -350,7 +396,7 @@ struct llc_header
 	uint8_t ssap;
 	uint8_t control_field;
 	unsigned char org_code[3];
 -	uint16_t type;
 +	__be16 type;
 };
 
 struct dot1X_header
@@ -371,7 +417,7 @@ struct eap_header
 struct wfa_expanded_header
 {
 	unsigned char id[3];
 -	uint32_t type;
 +	__be32 type;
 	uint8_t opcode;
 	uint8_t flags;
 };
 diff --git a/src/exchange.c b/src/exchange.c
 index 23c87e9..4f9a82b 100644
 --- a/src/exchange.c
 +++ b/src/exchange.c
@@ -306,26 +306,27 @@ enum wps_type process_packet(const u_char *packet, struct pcap_pkthdr *header)
 
 	/* Cast the radio tap and 802.11 frame headers and parse out the Frame Control field */
 	rt_header = (struct radio_tap_header *) packet;
 -	frame_header = (struct dot11_frame_header *) (packet+rt_header->len);
 +	size_t rt_header_len = __le16_to_cpu(rt_header->len);
 +	frame_header = (struct dot11_frame_header *) (packet+rt_header_len);
 
 	/* Does the BSSID/source address match our target BSSID? */
 	if(memcmp(frame_header->addr3, get_bssid(), MAC_ADDR_LEN) == 0)
 	{
 		/* Is this a data packet sent to our MAC address? */
 -		if(frame_header->fc.type == DATA_FRAME && 
 -			frame_header->fc.sub_type == SUBTYPE_DATA && 
 -			(memcmp(frame_header->addr1, get_mac(), MAC_ADDR_LEN) == 0)) 
 +		if (((frame_header->fc & __cpu_to_le16(IEEE80211_FCTL_FTYPE | IEEE80211_FCTL_STYPE)) ==
 +		     __cpu_to_le16(IEEE80211_FTYPE_DATA | IEEE80211_STYPE_DATA)) &&
 +		    (memcmp(frame_header->addr1, get_mac(), MAC_ADDR_LEN) == 0)) 
 		{
 			llc = (struct llc_header *) (packet +
 -							rt_header->len +
 +							rt_header_len +
 							sizeof(struct dot11_frame_header)
 			);
 
 			/* All packets in our exchanges will be 802.1x */
 -			if(llc->type == DOT1X_AUTHENTICATION)
 +			if(llc->type == __cpu_to_be16(DOT1X_AUTHENTICATION))
 			{
 				dot1x = (struct dot1X_header *) (packet +
 -								rt_header->len +
 +								rt_header_len +
 								sizeof(struct dot11_frame_header) +
 								sizeof(struct llc_header)
 				);
@@ -334,7 +335,7 @@ enum wps_type process_packet(const u_char *packet, struct pcap_pkthdr *header)
 				if(dot1x->type == DOT1X_EAP_PACKET && (header->len >= EAP_PACKET_SIZE))
 				{
 					eap = (struct eap_header *) (packet +
 -									rt_header->len +
 +									rt_header_len +
 									sizeof(struct dot11_frame_header) +
 									sizeof(struct llc_header) +
 									sizeof(struct dot1X_header)
@@ -366,7 +367,7 @@ enum wps_type process_packet(const u_char *packet, struct pcap_pkthdr *header)
 						else if((eap->type == EAP_EXPANDED) && (header->len > WFA_PACKET_SIZE))
 						{
 							wfa = (struct wfa_expanded_header *) (packet +
 -											rt_header->len +
 +											rt_header_len +
 											sizeof(struct dot11_frame_header) +
 											sizeof(struct llc_header) +
 											sizeof(struct dot1X_header) +
@@ -374,14 +375,14 @@ enum wps_type process_packet(const u_char *packet, struct pcap_pkthdr *header)
 							);
 						
 							/* Verify that this is a WPS message */
 -							if(wfa->type == SIMPLE_CONFIG)
 +							if(wfa->type == __cpu_to_be32(SIMPLE_CONFIG))
 							{
 								wps_msg_len = 	(size_t) ntohs(eap->len) - 
 										sizeof(struct eap_header) - 
 										sizeof(struct wfa_expanded_header);
 
 								wps_msg = (const void *) (packet +
 -											rt_header->len +
 +											rt_header_len +
                                                                        	                sizeof(struct dot11_frame_header) +
                                                                                	        sizeof(struct llc_header) +
                                                                                        	sizeof(struct dot1X_header) +
 diff --git a/src/wpsmon.c b/src/wpsmon.c
 index d976924..22a394f 100644
 --- a/src/wpsmon.c
 +++ b/src/wpsmon.c
@@ -295,7 +295,8 @@ void parse_wps_settings(const u_char *packet, struct pcap_pkthdr *header, char *
         }
 
 	rt_header = (struct radio_tap_header *) radio_header(packet, header->len);
 -	frame_header = (struct dot11_frame_header *) (packet + rt_header->len);
 +	size_t rt_header_len = __le16_to_cpu(rt_header->len);
 +	frame_header = (struct dot11_frame_header *) (packet + rt_header_len);
 
 	/* If a specific BSSID was specified, only parse packets from that BSSID */
 	if(!is_target(frame_header))
@@ -323,15 +324,17 @@ void parse_wps_settings(const u_char *packet, struct pcap_pkthdr *header, char *
 				channel_changed = 1;
 			}
 
 -			if(frame_header->fc.sub_type == PROBE_RESPONSE ||
 -                                   frame_header->fc.sub_type == SUBTYPE_BEACON)
 +			unsigned fsub_type = frame_header->fc & __cpu_to_le16(IEEE80211_FCTL_STYPE);
 +
 +			if(fsub_type == __cpu_to_le16(IEEE80211_STYPE_PROBE_RESP) ||
 +			   fsub_type == __cpu_to_le16(IEEE80211_STYPE_BEACON))
 			{
 				wps_parsed = parse_wps_parameters(packet, header->len, wps);
 			}
 	
 			if(!is_done(bssid) && (get_channel() == channel || source == PCAP_FILE))
 			{
 -				if(frame_header->fc.sub_type == SUBTYPE_BEACON && 
 +				if(fsub_type == __cpu_to_le16(IEEE80211_STYPE_BEACON) && 
 				   mode == SCAN && 
 				   !passive && 
 				   should_probe(bssid))
@@ -369,7 +372,7 @@ void parse_wps_settings(const u_char *packet, struct pcap_pkthdr *header, char *
 				 * If there was no WPS information, then the AP does not support WPS and we should ignore it from here on.
 				 * If this was a probe response, then we've gotten all WPS info we can get from this AP and should ignore it from here on.
 				 */
 -				if(!wps_parsed || frame_header->fc.sub_type == PROBE_RESPONSE)
 +				if(!wps_parsed || fsub_type == __cpu_to_le16(IEEE80211_STYPE_PROBE_RESP))
 				{
 					mark_ap_complete(bssid);
 				}
 -- 
 1.7.7

--- a/net/reaver/patches/0002-Use-the-current-directory-for-storing-and-loading-se.patch
+++ b/net/reaver/patches/0002-Use-the-current-directory-for-storing-and-loading-se.patch
@ -1,53 +0,0 @@
 From cd444949f3176790101b8bdc9656831a03d8c01d Mon Sep 17 00:00:00 2001
 From: Paul Fertser <fercerpav@gmail.com>
 Date: Tue, 10 Jul 2012 11:13:29 +0400
 Subject: [PATCH 2/3] Use the current directory for storing and loading
 sessions

 This allows the user to always explicitely choose (by changing the
 current directory before launching the program) where the session
 files should go. Useful e.g. to avoid hogging the precious space on
 embedded devices, just cd /tmp before starting the app.

 Signed-off-by: Paul Fertser <fercerpav@gmail.com>
 ---
 src/session.c |   16 +++-------------
 1 files changed, 3 insertions(+), 13 deletions(-)

 diff --git a/src/session.c b/src/session.c
 index d3af0c3..308f213 100644
 --- a/src/session.c
 +++ b/src/session.c
@@ -62,7 +62,7 @@ int restore_session()
 		memset(file, 0, FILENAME_MAX);
 
 		bssid = mac2str(get_bssid(), '\0');
 -		snprintf(file, FILENAME_MAX, "%s/%s.%s", CONF_DIR, bssid, CONF_EXT);
 +		snprintf(file, FILENAME_MAX, "%s.%s", bssid, CONF_EXT);
 		free(bssid);
 	}
 
@@ -199,18 +199,8 @@ int save_session()
 		}
 		else
 		{	
 -			/* 
 -			 * If the configuration directory exists, save the session file there; else, save it to the 
 -			 * current working directory.
 -			 */
 -			if(configuration_directory_exists())
 -			{
 -        			snprintf((char *) &file_name, FILENAME_MAX, "%s/%s.%s", CONF_DIR, bssid, CONF_EXT);
 -			}
 -			else
 -			{
 -				snprintf((char *) &file_name, FILENAME_MAX, "%s.%s", bssid, CONF_EXT);
 -			}
 +			/* save session to the current directory */
 +			snprintf((char *) &file_name, FILENAME_MAX, "%s.%s", bssid, CONF_EXT);
 		}
 
 		/* Don't bother saving anything if nothing has been done */
 -- 
 1.7.7

--- a/net/reaver/patches/0003-wash-wpsmon-use-less-useless-spaces-in-output-to-fit.patch
+++ b/net/reaver/patches/0003-wash-wpsmon-use-less-useless-spaces-in-output-to-fit.patch
@ -1,38 +0,0 @@
 From 638bb8d70d6c7e5dc99975e0bf57d8ce0455e2cc Mon Sep 17 00:00:00 2001
 From: Paul Fertser <fercerpav@gmail.com>
 Date: Tue, 10 Jul 2012 11:25:00 +0400
 Subject: [PATCH 3/3] wash/wpsmon: use less useless spaces in output to fit
 narrow terminals

 Signed-off-by: Paul Fertser <fercerpav@gmail.com>
 ---
 src/wpsmon.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

 diff --git a/src/wpsmon.c b/src/wpsmon.c
 index 22a394f..e0948b3 100644
 --- a/src/wpsmon.c
 +++ b/src/wpsmon.c
@@ -262,8 +262,8 @@ void monitor(char *bssid, int passive, int source, int channel, int mode)
 
 	if(!header_printed)
 	{
 -		cprintf(INFO, "BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID\n");
 -		cprintf(INFO, "---------------------------------------------------------------------------------------------------------------\n");
 +		cprintf(INFO, "BSSID              Channel  RSSI  WPS Version  WPS Locked  ESSID\n");
 +		cprintf(INFO, "--------------------------------------------------------------------------------------\n");
 		header_printed = 1;
 	}
 
@@ -360,7 +360,7 @@ void parse_wps_settings(const u_char *packet, struct pcap_pkthdr *header, char *
 							break;
 					}
 
 -					cprintf(INFO, "%17s      %2d            %.2d        %d.%d               %s               %s\n", bssid, channel, rssi, (wps->version >> 4), (wps->version & 0x0F), lock_display, ssid);
 +					cprintf(INFO, "%17s    %2d       %.2d   %d.%d          %s         %s\n", bssid, channel, rssi, (wps->version >> 4), (wps->version & 0x0F), lock_display, ssid);
 				}
 
 				if(probe_sent)
 -- 
 1.7.7

--- a/net/reaver/patches/0004-Fixed-probe-request-bug-in-wash.patch
+++ b/net/reaver/patches/0004-Fixed-probe-request-bug-in-wash.patch
@ -1,46 +0,0 @@
 From a8edcc1ce2a55e0e02ee13c46c6a5f22dd7920e9 Mon Sep 17 00:00:00 2001
 From: "cheffner@tacnetsol.com"
 <cheffner@tacnetsol.com@027a3e96-2d37-f1c0-85d6-5ce5a08386c2>
 Date: Tue, 27 Mar 2012 16:25:10 +0000
 Subject: [PATCH] Fixed probe request bug in wash.

 git-svn-id: http://reaver-wps.googlecode.com/svn/trunk@113 027a3e96-2d37-f1c0-85d6-5ce5a08386c2
 ---
 src/wpsmon.c | 7 +++++++
 1 file changed, 7 insertions(+)

 diff --git a/src/wpsmon.c b/src/wpsmon.c
 index da688b9..d976924 100644
 --- a/src/wpsmon.c
 +++ b/src/wpsmon.c
@@ -132,6 +132,11 @@ int main(int argc, char *argv[])
 		usage(argv[0]);
 		goto end;
 	}
 +	else if(get_iface())
 +	{
 +		/* Get the MAC address of the specified interface */
 +		read_iface_mac();
 +	}
 
 	if(get_iface() && source == PCAP_FILE)
 	{
@@ -300,6 +305,7 @@ void parse_wps_settings(const u_char *packet, struct pcap_pkthdr *header, char *
 
 	set_ssid(NULL);
 	bssid = (char *) mac2str(frame_header->addr3, ':');
 +	set_bssid((unsigned char *) frame_header->addr3);
 
 	if(bssid)
 	{
@@ -383,6 +389,7 @@ void parse_wps_settings(const u_char *packet, struct pcap_pkthdr *header, char *
 
 end:
 	if(wps) free(wps);
 +	set_bssid((unsigned char *) NULL_MAC);
 
 	return;
 }
 -- 
 2.6.4

--- a/net/reaver/patches/0100-Include-sys-types.h-for-definition-of-u_char.patch
+++ b/net/reaver/patches/0100-Include-sys-types.h-for-definition-of-u_char.patch
@ -1,27 +0,0 @@
 From 811f5c0b0a226edfbf5aa2f316e083f30ec3cd8d Mon Sep 17 00:00:00 2001
 From: Yousong Zhou <yszhou4tech@gmail.com>
 Date: Tue, 18 Aug 2015 14:34:26 +0800
 Subject: [PATCH] Include <sys/types.h> for definition of u_char.

 Fixes build with musl-libc.

 Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
 ---
 src/libwps/libwps.h |    1 +
 1 file changed, 1 insertion(+)

 diff --git a/src/libwps/libwps.h b/src/libwps/libwps.h
 index b04dd8b..bdd7b9a 100755
 --- a/src/libwps/libwps.h
 +++ b/src/libwps/libwps.h
@@ -17,6 +17,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <arpa/inet.h>
 +#include <sys/types.h>
 
 #define LIBWPS_MAX_STR_LEN 256
 
 -- 
 1.7.10.4

--- a/net/reaver/patches/0101-pcap-use-65536-as-snaplen.patch
+++ b/net/reaver/patches/0101-pcap-use-65536-as-snaplen.patch
@ -1,11 +0,0 @@
 --- a/src/init.c.orig	2016-12-08 13:23:17.386891467 +0800
 +++ b/src/init.c	2016-12-08 13:23:20.850892551 +0800
@@ -121,7 +121,7 @@ pcap_t *capture_init(char *capture_sourc
 	pcap_t *handle = NULL;
 	char errbuf[PCAP_ERRBUF_SIZE] = { 0 };
 	
 -	handle = pcap_open_live(capture_source, BUFSIZ, 1, 0, errbuf);
 +	handle = pcap_open_live(capture_source, 65536, 1, 0, errbuf);
 	if(!handle)
 	{
 		handle = pcap_open_offline(capture_source, errbuf);
--- a/net/reaver/patches/0102-wps-cflags.patch
+++ b/net/reaver/patches/0102-wps-cflags.patch
@ -1,45 +0,0 @@
 Index: reaver-1.4/src/wps/Makefile
 ===================================================================
 --- reaver-1.4.orig/src/wps/Makefile
 +++ reaver-1.4/src/wps/Makefile
@@ -4,31 +4,31 @@ INC=-I../utils -I ../
 all: wps_attr_build.o wps_attr_parse.o wps_attr_process.o wps.o wps_common.o wps_dev_attr.o wps_enrollee.o wps_registrar.o wps_ufd.o
 
 wps_attr_build.o:
 -	$(CC) $(INC) wps_attr_build.c -c
 +	$(CC) $(CFLAGS) $(INC) wps_attr_build.c -c
 
 wps_attr_parse.o:
 -	$(CC) $(INC) wps_attr_parse.c -c
 +	$(CC) $(CFLAGS) $(INC) wps_attr_parse.c -c
 
 wps_attr_process.o:
 -	$(CC) $(INC) wps_attr_process.c -c
 +	$(CC) $(CFLAGS) $(INC) wps_attr_process.c -c
 
 wps.o:
 -	$(CC) $(INC) wps.c -c
 +	$(CC) $(CFLAGS) $(INC) wps.c -c
 
 wps_common.o:
 -	$(CC) $(INC) wps_common.c -c
 +	$(CC) $(CFLAGS) $(INC) wps_common.c -c
 
 wps_dev_attr.o:
 -	$(CC) $(INC) wps_dev_attr.c -c
 +	$(CC) $(CFLAGS) $(INC) wps_dev_attr.c -c
 
 wps_enrollee.o:
 -	$(CC) $(INC) wps_enrollee.c -c
 +	$(CC) $(CFLAGS) $(INC) wps_enrollee.c -c
 
 wps_registrar.o:
 -	$(CC) $(INC) wps_registrar.c -c
 +	$(CC) $(CFLAGS) $(INC) wps_registrar.c -c
 
 wps_ufd.o:
 -	$(CC) $(INC) wps_ufd.c -c
 +	$(CC) $(CFLAGS) $(INC) wps_ufd.c -c
 
 clean:
 	rm -f *.o