wpa_supplicant segfault in large WLAN

Matt Causey matt.causey at gmail.com
Thu Sep 26 12:13:46 EDT 2013


On Wed, Sep 25, 2013 at 6:58 PM, Ben Greear <greearb at candelatech.com> wrote:

> On 09/25/2013 03:51 PM, Matt Causey wrote:
>
>> Hello,
>>
>> We run wpa_supplicant on embedded machines and have today noticed that
>> the supplicant dies with segmentation fault.  We are seeing sporadic
>> timeouts from the
>> infrastructure as well, which may or may not be related.  The only change
>> on our side is that we installed in a very dense RF environment with a
>> large number of
>> BSSIDs.  Are there any details pertaining to BSSID count or beacon count
>> that could cause a segmentation fault?  I'll start looking in the code but
>> wanted to
>> ask first so that hopefully someone can point me in a more useful
>> direction.  :-)
>>
>> Here is a log snippet.  It's got to be abbreviated because in some cases
>> we have over 988 BSSIDs visible from the client:
>>
>
> Can you get a core dump and backtrace (and maybe more info from gdb once
> we see the backtrace?)
>

OK so I did get some info.  It might appear that there is some new
Information Element in the beacons in this RF environment that's causing
the segfault.  Not sure:

sudo gdb wpa_supplicant
GNU gdb 6.8
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html
>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...
(gdb) run -s -t -Dnl80211 -onl80211 -ddd -i wlan0 -c /var/tmp/nerf.conf
Starting program: /usr/local/sbin/wpa_supplicant -s -t -Dnl80211 -onl80211
-ddd -i wlan0 -c /var/tmp/nerf.conf
[Thread debugging using libthread_db enabled]
1380211578.212081: ssid - hexdump_ascii(len=7):
     61 73 69 6e 32 38 32                              asin282
1380211578.212199: bgscan - hexdump_ascii(len=19):
     73 69 6d 70 6c 65 3a 36 30 30 3a 2d 36 36 3a 31   simple:600:-66:1
     32 30 30                                          200
[removed]
1380211578.212699: private_key_passwd - hexdump_ascii(len=29): [REMOVED]
1380211578.335831: nl80211: Scan SSID - hexdump_ascii(len=0): [NULL]

1380211587.924526:   * SSID - hexdump_ascii(len=7):
     61 73 69 6e 32 38 32                              asin282
1380211588.042745: nl80211: Scan SSID - hexdump_ascii(len=0): [NULL]
1380211589.147182:   * SSID - hexdump_ascii(len=7):
     61 73 69 6e 32 38 32                              asin282

1380211589.247747: nl80211: Scan SSID - hexdump_ascii(len=0): [NULL]
1380211590.105423:   * SSID - hexdump_ascii(len=7):
     61 73 69 6e 32 38 32                              asin282
1380211590.222784: nl80211: Scan SSID - hexdump_ascii(len=0): [NULL]
[New Thread 0xb73dc6c0 (LWP 16180)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb73dc6c0 (LWP 16180)]
wpa_bss_get_vendor_ie (bss=0x87c0a40, vendor_type=5304833) at bss.c:912
912    bss.c: No such file or directory.
    in bss.c
(gdb)
(gdb)
(gdb)


(gdb) bt
#0  wpa_bss_get_vendor_ie (bss=0x87c0a40, vendor_type=5304833) at bss.c:912
#1  0x08086de9 in wpas_select_network_from_last_scan (wpa_s=0x876f468) at
events.c:645
#2  0x08087e23 in _wpa_supplicant_event_scan_results (wpa_s=0x876f468,
data=0xa) at events.c:1186
#3  0x08087ed3 in wpa_supplicant_event_scan_results (wpa_s=0x87cf000,
data=0x0) at events.c:1269
#4  0x0808893d in wpa_supplicant_event (ctx=0x876f468,
event=EVENT_SCAN_RESULTS, data=0xbffbe438) at events.c:2438
#5  0x08099371 in send_scan_event (drv=0x876ffb8, aborted=142320980,
tb=0xbffbed50) at ../src/drivers/driver_nl80211.c:1679
#6  0x08099d4b in do_process_drv_event (bss=0x87700ac, cmd=34,
tb=0xbffbed50) at ../src/drivers/driver_nl80211.c:2201
#7  0x0809a4fc in process_global_event (msg=0x87734d0, arg=0x876ff00) at
../src/drivers/driver_nl80211.c:2346
#8  0xb772c47c in nl_cb_call () from /usr/local/lib/libnl.so.1
#9  0xb772cb7a in nl_recvmsgs () from /usr/local/lib/libnl.so.1
#10 0x08055173 in eloop_sock_table_dispatch (table=0x80b8bc8,
fds=0x877b2e8) at ../src/utils/eloop.c:393
#11 0x08055a08 in eloop_run () at ../src/utils/eloop.c:769
#12 0x0808163e in wpa_supplicant_run (global=0x876f388) at
wpa_supplicant.c:3322
#13 0x0808cc94 in main (argc=Cannot access memory at address 0x87cefff
) at main.c:297
(gdb)


 Thoughts?

--
Matt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.shmoo.com/pipermail/hostap/attachments/20130926/bf12b871/attachment.htm>


More information about the HostAP mailing list