wpasupplicant 0.6.4 segfault with wext

Jouni Malinen j at w1.fi
Tue Aug 26 11:31:44 EDT 2008


On Tue, Aug 26, 2008 at 04:17:13PM +0200, Reinhard Tartler wrote:

> I have received a bug report from a Debian user that experiences a
> segfault using wext. Could you please have a look at the attached
> backtrace? Does anyone have a clue what's going on here?

Based on the backtrace, it looks like os_free(data.ie) call in
wpa_driver_wext_get_scan_results() is either causing a double free or
the pointer is pointing to an invalid address. I don't see how this
would be double free, so my assumption would be that something got
corrupted in the scan data structures when parsing the odd data from
WEXT. I'm not yet sure what exactly caused that corruption, though.

data.ie seems to be set to something that could be a valid pointer
(0x8881d78), but data.ie_len is zero, which is somewhat confusing. I
don't see a clear code path that would result in this.

> It seems to be some problem with the 32bit ioctls. However,
> wpasupplicant should segfault in any case, even with ioctl interface, no?

The invalid data is indeed most likely due to 64/32-bit issue, but yes,
wpa_supplicant should not segfault even with such invalid data.

-- 
Jouni Malinen                                            PGP id EFC895FA
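As an added illustration of the point made in the reply above (the pointer and length of a scan-result IE must stay consistent, and invalid driver data must not lead to a crash), here is a C example written for this page; it is not wpa_supplicant code. The `scan_data` record, the `[u16 little-endian len][len bytes]` input layout and the sample buffers are constructed assumptions, not the real WEXT scan stream.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

struct scan_data {      /* hypothetical record modelled on data.ie / data.ie_len */
    uint8_t *ie;
    size_t ie_len;
};

/* Copy one IE blob from a constructed [u16 LE len][len bytes] buffer.
 * Returns 0 on success, -1 on malformed input; on failure *d is untouched,
 * so ie and ie_len never disagree and nothing dangling is ever freed. */
int scan_data_set_ie(struct scan_data *d, const uint8_t *buf, size_t buf_len)
{
    size_t len; uint8_t *copy;
    if (buf == NULL || buf_len < 2)
        return -1;
    len = (size_t) buf[0] | ((size_t) buf[1] << 8);
    if (len == 0 || len > buf_len - 2)       /* declared length must fit */
        return -1;
    copy = malloc(len);
    if (copy == NULL) return -1;
    memcpy(copy, buf + 2, len);
    free(d->ie);                             /* release the previous IE, if any */
    d->ie = copy;
    d->ie_len = len;
    return 0;
}

/* Free once and reset both fields; a repeated call is a no-op, not a double free. */
void scan_data_clear(struct scan_data *d)
{
    free(d->ie);
    d->ie = NULL;
    d->ie_len = 0;
}

/* Self-check on constructed inputs (not real WEXT output): returns 1 if OK. */
int scan_data_selftest(void)
{
    const uint8_t good[] = { 3, 0, 0xdd, 0xaa, 0xbb };  /* len 3, 3 bytes present */
    const uint8_t bad[]  = { 9, 0, 0xdd };              /* len 9, 1 byte present  */
    struct scan_data d = { NULL, 0 };
    int ok = 1;
    ok &= scan_data_set_ie(&d, good, sizeof(good)) == 0 && d.ie_len == 3;
    ok &= scan_data_set_ie(&d, bad, sizeof(bad)) == -1 && d.ie_len == 3;
    scan_data_clear(&d);
    scan_data_clear(&d);                     /* second clear must be harmless */
    ok &= d.ie == NULL && d.ie_len == 0;
    return ok;
}
```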