Double free or corruption with latest GIT tree

Jouni Malinen j at w1.fi
Sat Jan 2 18:31:04 EST 2010


On Sat, Jan 02, 2010 at 01:11:59AM -0800, Marcel Holtmann wrote:
> and another one. This time when coming back from suspend and trying to
> re-connect. Seems not D-Bus related.

> Program terminated with signal 11, Segmentation fault.
> #0  dl_list_add (list=<value optimized out>, item=<value optimized out>)
>     at ../src/utils/list.h:36
> #1  dl_list_add_tail (list=<value optimized out>, item=<value optimized out>)
>     at ../src/utils/list.h:42
> #2  wpa_bss_add (list=<value optimized out>, item=<value optimized out>) at bss.c:126

I think I found and fixed this. The BSS table uses two lists and one of
them was improperly not updated when the BSS entry had to be reallocated
and the next time that list was used (either here when adding a new
entry or in the case of removing an older entry like in your earlier
report), freed memory could have been dereferenced as the list pointer.

The reallocation would happen if a scan result would show longer IE
data for a BSS and realloc() were to change the buffer.

-- 
Jouni Malinen                                            PGP id EFC895FA
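The failure mode described in the reply above, as an added example that is not hostap code: a minimal circular list written here in the shape of src/utils/list.h, a hypothetical BSS entry that sits on two lists with its IE bytes trailing the header, and an update path that moves the entry when longer IEs arrive (malloc + memcpy + free, which is what a moving realloc() does). The `bss_table` type, the `relink_both` flag and the sample IE bytes are all constructed for this example. The consistency check compares pointer values only and never dereferences freed memory; it shows that leaving the second list stale leaves the table holding a dangling link, which is exactly what the next add or remove on that list would have followed.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal circular doubly-linked list in the shape of hostap's dl_list,
 * written for this example; it is not the project's code. */
struct dl_list { struct dl_list *next, *prev; };
static void dl_list_add_tail(struct dl_list *list, struct dl_list *item)
{
	item->next = list; item->prev = list->prev;
	list->prev->next = item; list->prev = item;
}
/* The struct containing `item` has moved: its neighbours still hold the old address. */
static void dl_list_relink(struct dl_list *item) { item->next->prev = item; item->prev->next = item; }
#define dl_list_entry(p, type, member) ((type *)((char *)(p) - offsetof(type, member)))

/* Hypothetical BSS entry: on two lists at once, with IE bytes trailing the header. */
struct bss {
	struct dl_list list, list_id;  /* insertion order; id order */
	unsigned id; size_t ie_len;
	unsigned char ie[];            /* grows when a scan result carries longer IEs */
};
struct bss_table { struct dl_list list, list_id; unsigned next_id; };

static struct bss *bss_add(struct bss_table *t, const unsigned char *ie, size_t ie_len)
{
	struct bss *b = malloc(sizeof(*b) + ie_len);
	if (!b) return NULL;
	b->id = t->next_id++; b->ie_len = ie_len; memcpy(b->ie, ie, ie_len);
	dl_list_add_tail(&t->list, &b->list);
	dl_list_add_tail(&t->list_id, &b->list_id);
	return b;
}

/* Grow an entry's IEs by moving it (malloc + memcpy + free, what a moving realloc()
 * does). relink_both == 0 fixes up only the first list (the stale-list bug); 1 is correct. */
static struct bss *bss_update_ies(struct bss *old, const unsigned char *ie, size_t ie_len, int relink_both)
{
	struct bss *b = malloc(sizeof(*b) + ie_len);
	if (!b) return NULL;
	memcpy(b, old, sizeof(*b));               /* header, including both list nodes */
	memcpy(b->ie, ie, ie_len); b->ie_len = ie_len;
	free(old);                                /* neighbours now point at freed memory */
	dl_list_relink(&b->list);
	if (relink_both)
		dl_list_relink(&b->list_id);      /* the fix: update the second list too */
	return b;
}

/* True if p is the id-list head or the id node of an entry reachable via the insertion-order
 * list (always relinked). Only addresses are compared; nothing freed is dereferenced. */
static int node_is_live(struct bss_table *t, const struct dl_list *p)
{
	struct dl_list *n;
	if (p == &t->list_id) return 1;
	for (n = t->list.next; n != &t->list; n = n->next)
		if (&dl_list_entry(n, struct bss, list)->list_id == p) return 1;
	return 0;
}

/* Every id-list link, the head's and each entry's, must land on a live node. */
static int table_links_consistent(struct bss_table *t)
{
	struct dl_list *n;
	if (!node_is_live(t, t->list_id.next) || !node_is_live(t, t->list_id.prev)) return 0;
	for (n = t->list.next; n != &t->list; n = n->next) {
		struct bss *b = dl_list_entry(n, struct bss, list);
		if (!node_is_live(t, b->list_id.next) || !node_is_live(t, b->list_id.prev)) return 0;
	}
	return 1;
}

static void table_free(struct bss_table *t)   /* via the always-valid list; list_id may be stale */
{
	for (struct dl_list *n = t->list.next, *next; n != &t->list; n = next) {
		next = n->next; free(dl_list_entry(n, struct bss, list));
	}
}

/* Three entries; the middle one is grown so it must move. Returns 1 when both
 * lists still agree afterwards, 0 when the id list holds a dangling link. */
static int scenario(int relink_both)
{
	/* Constructed sample IEs: a short SSID, then a longer SSID plus a rates IE. */
	static const unsigned char short_ie[] = { 0x00, 0x04, 'a', 'b', 'c', 'd' };
	static const unsigned char long_ie[] = { 0x00, 0x08, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h',
						0x01, 0x04, 0x82, 0x84, 0x8b, 0x96 };
	struct bss_table t = { { &t.list, &t.list }, { &t.list_id, &t.list_id }, 0 };
	struct bss *mid; int ok;
	bss_add(&t, short_ie, sizeof short_ie);
	mid = bss_add(&t, short_ie, sizeof short_ie);
	bss_add(&t, short_ie, sizeof short_ie);
	mid = bss_update_ies(mid, long_ie, sizeof long_ie, relink_both);
	ok = mid && mid->ie_len == sizeof long_ie && table_links_consistent(&t);
	table_free(&t);
	return ok;
}

int main(void) { printf("both relinked: %d, one relinked: %d\n", scenario(1), scenario(0)); return 0; }
```

The check walks only the list that was relinked and compares the id-list pointers against the set of live node addresses, so it can report the stale link without touching freed memory; a real table has no such oracle, which is why the bug surfaced only later as a crash inside the list add or remove.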

