hostapd: Segmentation fault when using WPA with nl80211

Jouni Malinen j at w1.fi
Fri Jun 6 09:43:33 EDT 2008


On Thu, Jun 05, 2008 at 10:47:40AM -0400, Dan Williams wrote:
> On Fri, 2008-06-06 at 00:34 +1000, Tim Connolly wrote:
> > >> I have been able to successfully get an open AP going but when trying to use
> > >> WPA I consistently get a segmentation fault during negotiation. This seems to
> > >> be happening when returning from driver_nl80211.c:get_key_handler().

> Any chance you can install libnl symbols and get a better idea of where
> in libnl this is happening?

I was able to reproduce this with a bit different test program
(wpa_supplicant using nl80211 and test code for calling
i802_get_seqnum() from hostapd when setting GTK). Segmentation fault
happens on every call to this function and it does indeed seem to happen
when libnl calls get_key_handler() (NL_CB_CALL(cb, NL_CB_VALID, msg); in
recvmsgs(), lib/nl.c). I can see NL_CB_CALL macro calling nl_cb_call()
and the callback function, get_key_handler(), returning. However,
nl_cb_call() does not return... valgrind doesn't show very helpful output
for this even when libnl was built with symbols.

==3580== Invalid read of size 4
==3580==    at 0x4067F90: (within /home/jm/libnl/11/lib/libnl.so.1.1)
==3580==    by 0x4072157: nl_recvmsgs (nl.c:842)
==3580==    by 0x809C7AE: wpa_driver_nl80211_set_key (driver_nl80211.c:1678)
	(this is from my test code, not hostapd driver_nl80211.c)
==3580==  Address 0x434 is not stack'd, malloc'd or (recently) free'd


I'm not sure what is happening here, but it looks like get_key_handler()
is corrupting something in the stack. If I test with an empty
get_key_handler() that is just returning NL_SKIP, I do not see the
crash.

-- 
Jouni Malinen                                            PGP id EFC895FA
