[PATCH] p2p: fix rogue pointer access

Jouni Malinen j at w1.fi
Thu Oct 20 13:38:18 EDT 2011


On Wed, Oct 19, 2011 at 02:58:26PM -0700, Reinette Chatre wrote:
> The symptom I see is when I request a P2P Find then there is sometimes a
> crash that results from the wpa_s->off_channel_freq being something very
> wrong and it is used in stop_listen which is called in p2p_find before
> anything else is run. In stop_listen code is thus run that shouldn't and
> that causes problems. What I have found is that this strange value is a
> result of wpa_s not pointing to the current interface information, which
> prompted this patch.

Would you be able to send a wpa_supplicant debug log showing this?

> I do not have any changes to wpa_supplicant apart from this patch. I
> request a P2P Find via D-Bus and then sometimes see this issue. What I
> noticed was that when this occurs the logs contain information that,
> from the time wpa_supplicant started, the interface was recreated (and
> shows up with a different D-Bus id) ... I just assumed it happens after
> resume from suspend.

Depending on the system configuration and distro scripts etc., the
netdev can indeed go away on suspend and then return on resume. However,
the wpa_s instance should still remain the same.. For the wpa_s pointer
to become invalid (and I would assume, for D-Bus id to change),
something would actually need to request the wpa_s instance to be
removed and then restored.. Could you please send a wpa_supplicant debug
log showing a suspend + resume on this system (no need to hit that P2P
issue; I just want to see what exactly happens to the interface during
suspend).

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list