wpasupplicant 0.6.4 segfault with wext

Jouni Malinen j at w1.fi
Wed Aug 27 03:05:55 EDT 2008


On Tue, Aug 26, 2008 at 06:31:44PM +0300, Jouni Malinen wrote:

> data.ie seems to be set to something that could be a valid pointer
> (0x8881d78), but data.ie_len is zero which is somewhat confusing.. I
> don't see a clear code path that would result in this.

I received example raw scan results from the reporter and was able to
reproduce this easily with them. The trigger was interesting glibc
behavior on free(realloc(realloc(NULL, 0), 0)).. The current git version
of wpa_supplicant does not trigger such a sequence anymore when parsing
WEXT scan results (even if the results are invalid, which was the only
way of triggering this before). The change to avoid this is in the
following commit:

http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff;h=fd630bc183fb79d0a14b5f3a346544f3d277bd05

-- 
Jouni Malinen                                            PGP id EFC895FA
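The realloc pitfall behind that sequence, as an added example that is not wpa_supplicant's code (the fix in the linked commit may differ): a hypothetical `ie_append` for a `data.ie`/`data.ie_len` style buffer that never hands a zero size to `realloc`, plus a helper reproducing the glibc sequence quoted in the message.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Accumulated IE buffer, loosely modelled on the data.ie / data.ie_len
 * pair from the message (hypothetical layout, not wpa_supplicant's). */
struct ie_buf {
    unsigned char *ie;
    size_t ie_len;
};

/* Append len bytes to buf. Returns 0 on success, -1 on failure.
 * The C standard leaves realloc(ptr, 0) implementation-defined; glibc
 * frees ptr and returns NULL. A caller using the usual "keep the old
 * pointer when realloc returns NULL" idiom then holds a dangling
 * pointer with ie_len == 0, and a later free() of it crashes.
 * Guarding against a zero total size avoids that path entirely. */
int ie_append(struct ie_buf *buf, const unsigned char *src, size_t len)
{
    if (len == 0)
        return 0;                 /* nothing to add; buffer untouched */
    if (len > SIZE_MAX - buf->ie_len)
        return -1;                /* length overflow */
    unsigned char *n = realloc(buf->ie, buf->ie_len + len);
    if (n == NULL)
        return -1;                /* real failure: old buffer still valid */
    memcpy(n + buf->ie_len, src, len);
    buf->ie = n;
    buf->ie_len += len;
    return 0;
}

void ie_free(struct ie_buf *buf)
{
    free(buf->ie);
    buf->ie = NULL;
    buf->ie_len = 0;
}

/* The exact sequence from the message. On glibc realloc(NULL, 0) acts
 * like malloc(0) and returns a non-NULL pointer, realloc(p, 0) frees p
 * and returns NULL, and free(NULL) is a no-op; other libcs may differ.
 * Returns 1 when p was non-NULL and q NULL, i.e. when keeping p after
 * the second realloc would leave a dangling pointer. */
int realloc_zero_sequence_dangles(void)
{
    void *p = realloc(NULL, 0);
    void *q = realloc(p, 0);
    free(q);
    return p != NULL && q == NULL;
}

int main(void)
{
    printf("dangling after sequence: %d\n", realloc_zero_sequence_dangles());
    return 0;
}
```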

