Fwd: Segmentation Fault: madwifi and hostapd

Chad Meister chadlich at yahoo.com
Mon Jan 30 22:24:56 EST 2006


Hi,

I've done some further investigations using gdb.
Looking at the valgrind output, I decided to
investigate the suspicious conditionals.  One example
is line 135 in hostap.c:

if ((conf_syslog & module) && level >= conf_syslog_level)

valgrind output suggests that there is an uninitialized
value in this conditional, before it drops into
vsyslog() and seg faults.  After further
investigation, I think the uninitialized variable is
the conf_syslog.  The value of conf_syslog is based on
the hostapd_config struct's unsigned int logger_syslog
value - a variable used for bitwise operations. The
default value of logger_syslog is an (unsigned int)
-1.

In my setup, this is where I think things go wrong. 
When hostapd sets logger_syslog value as a (unsigned
int) -1, the value "4294967295" is assigned.  Wrong. 
I think this happens with all -1 (unsigned int)
assignments on my machine.  When I manually set
conf_syslog to 0 back in gdb, hostapd does not
segfault and descends into the radius code to create
the connection.

So what is going on here?  Like I said, my C is a bit
rusty.  Since it seems that my compiled hostapd can't
handle unsigned int's, is this an error introduced by
the compiler, rather than the hostapd code?

Any ideas about how I could solve this problem?

Chad
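
The two technical points in this thread, the (unsigned int)-1 default for logger_syslog and the strlen() fault beneath vsyslog(), as an added example in C that is not hostapd's code: it shows what the conversion yields, evaluates the quoted conditional, and demonstrates the one-pass rule for a va_list with va_copy(). Whether hostapd's logger reuses a va_list is not established by this thread; the functions, buffers and argument values here are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* (unsigned int)-1 is a well-defined conversion: it yields UINT_MAX,
 * 4294967295 wherever unsigned int is 32 bits, and is the usual idiom
 * for "all bits set", so a mask built this way matches every module bit. */
unsigned int default_logger_syslog(void)
{
    return (unsigned int)-1;
}

/* The conditional quoted from hostapd.c line 135, as a function. */
int logger_would_emit(unsigned int conf_syslog, unsigned int module,
                      int level, int conf_syslog_level)
{
    return (conf_syslog & module) && level >= conf_syslog_level;
}

/* A va_list may be walked only once per va_start(). Handing the same 'ap'
 * to a second v*printf() after the first has consumed it is undefined
 * behaviour; on ABIs where va_list is an array-backed struct (the
 * gpr/fpr/overflow_arg_area layout gdb printed is 32-bit PowerPC's) the
 * second pass reads stale argument slots, and a %s conversion can then
 * fault in strlen() beneath vfprintf()/vsyslog(). va_copy() avoids it.
 * This is one common cause of that frame pattern, not a finding about hostapd. */
static void format_twice(char *first, char *second, size_t n,
                         const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);                /* independent cursor for pass two */
    vsnprintf(first, n, fmt, ap);
    vsnprintf(second, n, fmt, ap2);  /* passing 'ap' again here is the bug */
    va_end(ap2);
    va_end(ap);
}

/* Returns 1 when both passes render the thread's RADIUS line identically
 * (module bit 0x4 and the argument values are constructed). */
int demo_double_format(void)
{
    char a[64], b[64];
    format_twice(a, b, sizeof a, "%s: RADIUS %s server %s:%d",
                 "ath0", "Authentication", "127.0.0.1", 1812);
    return strcmp(a, b) == 0 &&
           strcmp(a, "ath0: RADIUS Authentication server 127.0.0.1:1812") == 0;
}
```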

--- Chad Meister <chadlich at yahoo.com> wrote:

> Hi,
> 
> Thanks for investigating this.  To answer your questions, I'm running
> Debian stable with glibc version 2.3.2, on a 32-bit PowerPC (Apple).
> 
> Yes, the information I gave originally was from gdb,
> which I'm only vaguely familiar with.  Here's
> hopefully the backtrace that you requested:
> 
> --------begin backtrace
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x0fd9489c in strlen () from /lib/libc.so.6
> (gdb) up
> #1  0x0fd636bc in vfprintf () from /lib/libc.so.6
> (gdb) up
> #2  0x0fdef43c in vsyslog () from /lib/libc.so.6
> (gdb) up
> #3  0x00000000 in ?? ()
> (gdb) up
> #4  0x00000000 in ?? ()
> (gdb) up
> Previous frame identical to this frame (corrupt
> stack?)
> (gdb) bt
> #0  0x0fd9489c in strlen () from /lib/libc.so.6
> #1  0x0fd636bc in vfprintf () from /lib/libc.so.6
> #2  0x0fdef43c in vsyslog () from /lib/libc.so.6
> #3  0x00000000 in ?? ()
> #4  0x00000000 in ?? ()
> 
> ---------end bt
> 
> If I did this incorrectly, please let me know.
> 
> Things get strange when I run hostapd with valgrind
> using the previously posted configuration file.  Just
> to determine if hostapd is interacting with the
> freeradius daemon, I have radiusd running in a
> separate terminal in debug mode, so that I can watch
> it interact with requests.  Normally, when I run
> hostapd (simply from the command line or through gdb),
> hostapd does not interact with radiusd.  However,
> running hostapd with valgrind, hostapd starts to
> communicate with radiusd, and, if I'm not mistaken, it
> makes the connection.  Here's the valgrind session:
> 
> -----begin valgrind -----
> anima:/home/chadlich# valgrind /usr/local/bin/hostapd /etc/hostapd/wpaeap
> ==19408== Memcheck, a memory error detector for
> ppc-linux.
> ==19408== Copyright (C) 2002-2005, and GNU GPL'd, by
> Julian Seward et al.
> ==19408== Using valgrind-2.4.1-ppc, a program
> supervision framework for ppc-linux.
> ==19408== Copyright (C) 2000-2005, and GNU GPL'd, by
> Julian Seward et al.
> ==19408== For more details, rerun with: -v
> ==19408== 
> Configuration file: /etc/hostapd/wpaeap
> madwifi_set_iface_flags: dev_up=0
> ==19408== Conditional jump or move depends on
> uninitialised value(s)
> ==19408==    at 0xFFBB894: memcmp
> (mac_replace_strmem.c:325)
> ==19408==    by 0x10004878: hostapd_setup_interface
> (hostapd.c:464)
> ==19408==    by 0x10004FD0: main (hostapd.c:808)
> Using interface ath0 with hwaddr 00:0f:cb:b1:bd:eb
> and
> ssid 'ousia'
> ath0: RADIUS Authentication server 127.0.0.1:1812
> ==19408== 
> ==19408== Conditional jump or move depends on
> uninitialised value(s)
> ==19408==    at 0xFD184BC: vfprintf (in
> /lib/libc-2.3.2.so)
> ==19408==    by 0xFDA4438: vsyslog (in
> /lib/libc-2.3.2.so)
> ==19408==    by 0x10003A8C: hostapd_logger
> (hostapd.c:155)
> ==19408==    by 0x100171E0: radius_change_server
> (radius_client.c:713)
> ==19408==    by 0x100174E8: radius_client_init_auth
> (radius_client.c:842)
> ==19408==    by 0x10017778: radius_client_init
> (radius_client.c:932)
> ==19408==    by 0x10004690: hostapd_setup_interface
> (hostapd.c:478)
> ==19408==    by 0x10004FD0: main (hostapd.c:808)
> ==19408== 
> ==19408== Conditional jump or move depends on
> uninitialised value(s)
> ==19408==    at 0xFD19528: vfprintf (in
> /lib/libc-2.3.2.so)
> ==19408==    by 0xFDA4438: vsyslog (in
> /lib/libc-2.3.2.so)
> ==19408==    by 0x10003A8C: hostapd_logger
> (hostapd.c:155)
> ==19408==    by 0x100171E0: radius_change_server
> (radius_client.c:713)
> ==19408==    by 0x100174E8: radius_client_init_auth
> (radius_client.c:842)
> ==19408==    by 0x10017778: radius_client_init
> (radius_client.c:932)
> ==19408==    by 0x10004690: hostapd_setup_interface
> (hostapd.c:478)
> ==19408==    by 0x10004FD0: main (hostapd.c:808)
> ==19408== 
> ==19408== Use of uninitialised value of size 4
> ==19408==    at 0xFD18FA8: vfprintf (in
> /lib/libc-2.3.2.so)
> ==19408==    by 0xFDA4438: vsyslog (in
> /lib/libc-2.3.2.so)
> ==19408==    by 0x10003A8C: hostapd_logger
> (hostapd.c:155)
> ==19408==    by 0x100171E0: radius_change_server
> (radius_client.c:713)
> ==19408==    by 0x100174E8: radius_client_init_auth
> (radius_client.c:842)
> ==19408==    by 0x10017778: radius_client_init
> (radius_client.c:932)
> ==19408==    by 0x10004690: hostapd_setup_interface
> (hostapd.c:478)
> ==19408==    by 0x10004FD0: main (hostapd.c:808)
> ==19408== 
> ==19408== Conditional jump or move depends on
> uninitialised value(s)
> ==19408==    at 0xFD18FB0: vfprintf (in
> /lib/libc-2.3.2.so)
> ==19408==    by 0xFDA4438: vsyslog (in
> /lib/libc-2.3.2.so)
> ==19408==    by 0x10003A8C: hostapd_logger
> (hostapd.c:155)
> ==19408==    by 0x100171E0: radius_change_server
> (radius_client.c:713)
> ==19408==    by 0x100174E8: radius_client_init_auth
> (radius_client.c:842)
> ==19408==    by 0x10017778: radius_client_init
> (radius_client.c:932)
> ==19408==    by 0x10004690: hostapd_setup_interface
> (hostapd.c:478)
> ==19408==    by 0x10004FD0: main (hostapd.c:808)
> ==19408== 
> ==19408== Conditional jump or move depends on
> uninitialised value(s)
> ==19408==    at 0xFD18C78: vfprintf (in
> /lib/libc-2.3.2.so)
> ==19408==    by 0xFDA4438: vsyslog (in
> /lib/libc-2.3.2.so)
> ==19408==    by 0x10003A8C: hostapd_logger
> (hostapd.c:155)
> ==19408==    by 0x100171E0: radius_change_server
> (radius_client.c:713)
> ==19408==    by 0x100174E8: radius_client_init_auth
> (radius_client.c:842)
> ==19408==    by 0x10017778: radius_client_init
> (radius_client.c:932)
> ==19408==    by 0x10004690: hostapd_setup_interface
> (hostapd.c:478)
> ==19408==    by 0x10004FD0: main (hostapd.c:808)
> ==19408== 
> ==19408== Conditional jump or move depends on
> uninitialised value(s)
> ==19408==    at 0xFD18ADC: vfprintf (in
> /lib/libc-2.3.2.so)
> ==19408==    by 0xFDA4438: vsyslog (in
> /lib/libc-2.3.2.so)
> ==19408==    by 0x10003A8C: hostapd_logger
> (hostapd.c:155)
> ==19408==    by 0x100171E0: radius_change_server
> (radius_client.c:713)
> ==19408==    by 0x100174E8: radius_client_init_auth
> (radius_client.c:842)
> ==19408==    by 0x10017778: radius_client_init
> (radius_client.c:932)
> ==19408==    by 0x10004690: hostapd_setup_interface
> (hostapd.c:478)
> ==19408==    by 0x10004FD0: main (hostapd.c:808)
> ath0: RADIUS Accounting server 127.0.0.1:1813
> madwifi_set_ieee8021x: enabled=1
> madwifi_configure_wpa: group key cipher=1
> madwifi_configure_wpa: pairwise key ciphers=0xa
> madwifi_configure_wpa: key management algorithms=0x1
> madwifi_configure_wpa: rsn capabilities=0x0
> madwifi_configure_wpa: enable WPA= 0x1
> madwifi_set_iface_flags: dev_up=1
> madwifi_set_privacy: enabled=1
> ==19408== 
> ==19408== Syscall param ioctl(generic) points to
> uninitialised byte(s)
> ==19408==    at 0xFD9F8DC: tcgetattr (in
> /lib/libc-2.3.2.so)
> ==19408==    by 0xFD9B118: isatty (in
> /lib/libc-2.3.2.so)
> ==19408==    by 0xFD2FFC4: _IO_file_doallocate (in
> /lib/libc-2.3.2.so)
> ==19408==    by 0xFD3E808: _IO_doallocbuf (in
> /lib/libc-2.3.2.so)
> ==19408==    by 0xFD3D954: (within
> /lib/libc-2.3.2.so)
> ==19408==    by 0xFD3E9F4: _IO_sgetn (in
> /lib/libc-2.3.2.so)
> ==19408==    by 0xFD30F78: fread (in
> /lib/libc-2.3.2.so)
> ==19408==    by 0x1000DD64: hostapd_get_rand
> (common.c:52)
> ==19408==    by 0x10019508: wpa_init (wpa.c:700)
> ==19408==    by 0x10004730: hostapd_setup_interface
> (hostapd.c:507)
> ==19408==    by 0x10004FD0: main (hostapd.c:808)
> ==19408==  Address 0x349FE110 is on thread 1's stack
> WPA: group state machine entering state GTK_INIT
> GMK - hexdump(len=32): 9e f3 61 a6 09 6e 6a bc d2 80
> c3 56 d5 0b bb d1 a2 3f af e2 6f 11 83 d1 a9 e3 a4
> 5f
> 9a 47 dc 9f
> GTK - hexdump(len=32): 1b 41 eb 57 c2 4b fa f8 3b 65
> 95 e9 f0 ed 02 c1 9d b6 6a 9a 17 f3 29 3f be 73 9c
> 66
> 44 0f 48 3a
> WPA: group state machine entering state SETKEYSDONE
> madwifi_set_key: alg=TKIP addr=00:00:00:00:00:00
> key_idx=1
> RADIUS message: code=4 (Accounting-Request)
> identifier=0 length=69
>    Attribute 40 (Acct-Status-Type) length=6
>       Value: 7
>    Attribute 45 (Acct-Authentic) length=6
>       Value: 1
>    Attribute 4 (NAS-IP-Address) length=6
>       Value: 127.0.0.1
>    Attribute 30 (Called-Station-Id) length=25
>       Value: '00-0F-CB-B1-BD-EB:ousia'
>    Attribute 49 (Acct-Terminate-Cause) length=6
>       Value: 11
> Flushing old station entries
> madwifi_sta_deauth: addr=ff:ff:ff:ff:ff:ff
> reason_code=3
> Deauthenticate all stations
> l2_packet_receive - recvfrom: Network is down
> RADIUS message: code=5 (Accounting-Response)
> identifier=0 length=20
> Signal 2 received - terminating
> Flushing old station entries
> madwifi_sta_deauth: addr=ff:ff:ff:ff:ff:ff
> reason_code=3
> Deauthenticate all stations
> RADIUS message: code=4 (Accounting-Request)
> identifier=1 length=69
> 
> ------middle of valgrind session ----
> 
> Just from the look of things, the problem appears to
> be around lines that read "Conditional jump or move
> depends on uninitialised value(s)".  Valgrind seems to
> protect hostapd from completely crashing at these
> instances, enabling hostapd to make the radius
> connection.
> 
> Please note that the valgrind process stops at the
> RADIUS message line above.  To 'continue' the program,
> I press control-C and get the remaining valgrind
> output:
> 
> ----final valgrind output -----
>    Attribute 40 (Acct-Status-Type) length=6
>       Value: 8
>    Attribute 45 (Acct-Authentic) length=6
>       Value: 1
>    Attribute 4 (NAS-IP-Address) length=6
>       Value: 127.0.0.1
>    Attribute 30 (Called-Station-Id) length=25
>       Value: '00-0F-CB-B1-BD-EB:ousia'
>    Attribute 49 (Acct-Terminate-Cause) length=6
>       Value: 11
> madwifi_set_privacy: enabled=0
> madwifi_set_ieee8021x: enabled=0
> madwifi_set_iface_flags: dev_up=0
> ==19408== 
> ==19408== ERROR SUMMARY: 31 errors from 8 contexts
> (suppressed: 7 from 1)
> ==19408== malloc/free: in use at exit: 0 bytes in 0
> blocks.
> ==19408== malloc/free: 83 allocs, 83 frees, 29024
> bytes allocated.
> ==19408== For counts of detected errors, rerun with:
> -v
> ==19408== No malloc'd blocks -- no leaks are
> possible.
> 
> ---end of valgrind output.
> 
> So what do you think after all this info?  Any ideas?
> Let me know if I need to run some further tests.
> 
> Thanks for your help,
> 
> Chad
> 
> 
> --- Jouni Malinen <jkmaline at cc.hut.fi> wrote:
> 
> > On Sat, Jan 28, 2006 at 02:51:49PM -0800, Chad Meister wrote:
> > 
> > > After further investigation, I found that hostapd seg
> > > faults at line 135 of hostapd.c.  The line
> > > presumably enters a log message and reads:
> > > vsyslog(priority, format, ap).  In this case:
> > > priority = 6
> > > format = 0x1004fdd8 "ath0: RADIUS %s server %s:%d"
> > > ap = {{gpr = 8 '\b', fpr = 0 '\0', overflow_arg_area =
> > > 0x7f8002e8, reg_save_area = 0x7f800230}}
> > > 
> > > It then descends into libc.so.6 and gdb gives me the
> > > following lines:
> > > Program received signal SIGSEGV, Segmentation fault.
> > > 0x0fd9489c in strlen () from /lib/libc.so.6
> > 
> > This sounds somewhat similar to an earlier report where C library code
> > was causing a segmentation fault when called from hostapd_logger(). I
> > have not been able to reproduce this and I don't know what could be
> > going wrong here.
> > 
> > Which Linux distribution and which glibc version are you using? Could
> > you please try running hostapd under valgrind? I'm assuming the data
> > above is from gdb. Could you send full backtrace ('bt') and then
> > function parameters by running 'up' a couple of times?
> > 
> > -- 
> > Jouni Malinen                                     PGP id EFC895FA
> > _______________________________________________
> > HostAP mailing list
> > HostAP at shmoo.com
> > http://lists.shmoo.com/mailman/listinfo/hostap
> > 

