wpa_supplicant segfault in large WLAN

Ben Greear greearb at candelatech.com
Thu Sep 26 13:54:57 EDT 2013


On 09/26/2013 09:13 AM, Matt Causey wrote:
> On Wed, Sep 25, 2013 at 6:58 PM, Ben Greear <greearb at candelatech.com> wrote:
>
>     On 09/25/2013 03:51 PM, Matt Causey wrote:
>
>         Hello,
>
>         We run wpa_supplicant on embedded machines and have today noticed that the supplicant dies with a segmentation fault.  We are seeing sporadic timeouts
>         from the infrastructure as well, which may or may not be related.  The only change on our side is that we installed in a very dense RF environment
>         with a large number of BSSIDs.  Are there any details pertaining to BSSID count or beacon count that could cause a segmentation fault?  I'll start
>         looking in the code but wanted to ask first so that hopefully someone can point me in a more useful direction.  :-)
>
>         Here is a log snippet.  It's got to be abbreviated because in some cases we have over 988 BSSIDs visible from the client:
>
>
>     Can you get a core dump and backtrace (and maybe more info from gdb once
>     we see the backtrace?)
>
>
> OK so I did get some info.  It might appear that there is some new Information Element in the beacons in this RF environment that's causing the segfault.  Not sure:
>
> sudo gdb wpa_supplicant
> GNU gdb 6.8
> Copyright (C) 2008 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "i686-pc-linux-gnu"...
> (gdb) run -s -t -Dnl80211 -onl80211 -ddd -i wlan0 -c /var/tmp/nerf.conf
> Starting program: /usr/local/sbin/wpa_supplicant -s -t -Dnl80211 -onl80211 -ddd -i wlan0 -c /var/tmp/nerf.conf
> [Thread debugging using libthread_db enabled]
> 1380211578.212081: ssid - hexdump_ascii(len=7):
>       61 73 69 6e 32 38 32                              asin282
> 1380211578.212199: bgscan - hexdump_ascii(len=19):
>       73 69 6d 70 6c 65 3a 36 30 30 3a 2d 36 36 3a 31   simple:600:-66:1
>       32 30 30                                          200
> [removed]
> 1380211578.212699: private_key_passwd - hexdump_ascii(len=29): [REMOVED]
> 1380211578.335831: nl80211: Scan SSID - hexdump_ascii(len=0): [NULL]
>
> 1380211587.924526:   * SSID - hexdump_ascii(len=7):
>       61 73 69 6e 32 38 32                              asin282
> 1380211588.042745: nl80211: Scan SSID - hexdump_ascii(len=0): [NULL]
> 1380211589.147182:   * SSID - hexdump_ascii(len=7):
>       61 73 69 6e 32 38 32                              asin282
>
> 1380211589.247747: nl80211: Scan SSID - hexdump_ascii(len=0): [NULL]
> 1380211590.105423:   * SSID - hexdump_ascii(len=7):
>       61 73 69 6e 32 38 32                              asin282
> 1380211590.222784: nl80211: Scan SSID - hexdump_ascii(len=0): [NULL]
> [New Thread 0xb73dc6c0 (LWP 16180)]
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0xb73dc6c0 (LWP 16180)]
> wpa_bss_get_vendor_ie (bss=0x87c0a40, vendor_type=5304833) at bss.c:912
> 912    bss.c: No such file or directory.
>      in bss.c
> (gdb)
> (gdb)
> (gdb)
>
>
> (gdb) bt
> #0  wpa_bss_get_vendor_ie (bss=0x87c0a40, vendor_type=5304833) at bss.c:912
> #1  0x08086de9 in wpas_select_network_from_last_scan (wpa_s=0x876f468) at events.c:645
> #2  0x08087e23 in _wpa_supplicant_event_scan_results (wpa_s=0x876f468, data=0xa) at events.c:1186
> #3  0x08087ed3 in wpa_supplicant_event_scan_results (wpa_s=0x87cf000, data=0x0) at events.c:1269
> #4  0x0808893d in wpa_supplicant_event (ctx=0x876f468, event=EVENT_SCAN_RESULTS, data=0xbffbe438) at events.c:2438
> #5  0x08099371 in send_scan_event (drv=0x876ffb8, aborted=142320980, tb=0xbffbed50) at ../src/drivers/driver_nl80211.c:1679
> #6  0x08099d4b in do_process_drv_event (bss=0x87700ac, cmd=34, tb=0xbffbed50) at ../src/drivers/driver_nl80211.c:2201
> #7  0x0809a4fc in process_global_event (msg=0x87734d0, arg=0x876ff00) at ../src/drivers/driver_nl80211.c:2346
> #8  0xb772c47c in nl_cb_call () from /usr/local/lib/libnl.so.1
> #9  0xb772cb7a in nl_recvmsgs () from /usr/local/lib/libnl.so.1
> #10 0x08055173 in eloop_sock_table_dispatch (table=0x80b8bc8, fds=0x877b2e8) at ../src/utils/eloop.c:393
> #11 0x08055a08 in eloop_run () at ../src/utils/eloop.c:769
> #12 0x0808163e in wpa_supplicant_run (global=0x876f388) at wpa_supplicant.c:3322
> #13 0x0808cc94 in main (argc=Cannot access memory at address 0x87cefff
> ) at main.c:297
> (gdb)
>
>
>   Thoughts?

Post a tarball of your source somewhere and/or show bss.c line 912 and surrounding lines.

Thanks,
Ben

>
> --
> Matt
>
>
>
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
>


-- 
Ben Greear <greearb at candelatech.com>
Candela Technologies Inc  http://www.candelatech.com
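The crashing call in frame #0, wpa_bss_get_vendor_ie(bss, 5304833), looks up a vendor-specific information element (EID 221) in the BSS's IE list by a 32-bit key of 24-bit OUI followed by 8-bit vendor type; 5304833 is 0x0050f201, OUI 00:50:f2 with type 1, the WPA IE (wpa_supplicant's WPA_IE_VENDOR_TYPE). What follows is an added example, not the bss.c code being asked for above, showing what such a walk looks like with every read bounds-checked, run against a constructed IE blob (only the SSID is taken from the log) and two malformed variants, a list cut short inside the WPA IE and an inflated length byte, that a correct walker must refuse rather than read past the buffer. The function and sample names are hypothetical.

```c
/*
 * Added example, not wpa_supplicant code: a bounds-checked walk over an
 * 802.11 information-element list that looks up a vendor-specific IE by
 * the key wpa_bss_get_vendor_ie() takes, 24-bit OUI then 8-bit type.
 * The 5304833 in the backtrace is 0x0050f201: OUI 00:50:f2, type 1,
 * the WPA IE.  Function and sample names here are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WLAN_EID_VENDOR_SPECIFIC 221          /* 0xdd */
#define WPA_VENDOR_TYPE          0x0050f201u  /* 00:50:f2, type 1 */
#define WMM_VENDOR_TYPE          0x0050f202u  /* 00:50:f2, type 2 */

/* First vendor-specific IE whose OUI+type equals vendor_type, or NULL if
 * absent or the list is malformed.  Every read is preceded by a check that
 * the bytes exist inside [ies, ies + ies_len). */
const uint8_t *find_vendor_ie(const uint8_t *ies, size_t ies_len,
                              uint32_t vendor_type)
{
    size_t pos = 0;

    while (pos < ies_len) {
        uint8_t eid, len;

        if (ies_len - pos < 2)      /* need the 2-byte header first */
            return NULL;
        eid = ies[pos];
        len = ies[pos + 1];
        if (len > ies_len - pos - 2) /* length overruns the buffer */
            return NULL;
        if (eid == WLAN_EID_VENDOR_SPECIFIC && len >= 4) {
            uint32_t type = ((uint32_t)ies[pos + 2] << 24) |
                            ((uint32_t)ies[pos + 3] << 16) |
                            ((uint32_t)ies[pos + 4] << 8) |
                             (uint32_t)ies[pos + 5];
            if (type == vendor_type)
                return &ies[pos];
        }
        pos += 2 + len;
    }
    return NULL;
}

/* Constructed beacon IE list (not captured): SSID "asin282" as in the log,
 * supported rates, DS parameter set, then a WPA IE (TKIP ciphers, PSK). */
static const uint8_t sample_ies[] = {
    0x00, 0x07, 'a', 's', 'i', 'n', '2', '8', '2',        /* SSID */
    0x01, 0x04, 0x82, 0x84, 0x8b, 0x96,                   /* rates */
    0x03, 0x01, 0x06,                                     /* channel 6 */
    0xdd, 0x16, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00,       /* WPA, v1 */
    0x00, 0x50, 0xf2, 0x02,                               /* group TKIP */
    0x01, 0x00, 0x00, 0x50, 0xf2, 0x02,                   /* pairwise TKIP */
    0x01, 0x00, 0x00, 0x50, 0xf2, 0x02,                   /* AKM PSK */
};
#define WPA_IE_OFFSET 18  /* index of the 0xdd byte above */

/* Claimed length of the WPA IE in the well-formed sample, or -1. */
int wpa_ie_len_in_sample(void)
{
    const uint8_t *ie = find_vendor_ie(sample_ies, sizeof(sample_ies),
                                       WPA_VENDOR_TYPE);
    return ie ? ie[1] : -1;
}

/* No WMM IE in the sample: the walk reaches the end and reports none. */
int wmm_ie_found_in_sample(void)
{
    return find_vendor_ie(sample_ies, sizeof(sample_ies),
                          WMM_VENDOR_TYPE) != NULL;
}

/* The same list cut off five bytes early, inside the WPA IE. */
int wpa_ie_found_in_truncated(void)
{
    return find_vendor_ie(sample_ies, sizeof(sample_ies) - 5,
                          WPA_VENDOR_TYPE) != NULL;
}

/* The WPA IE's length byte inflated to 0xff, as a corrupt frame might. */
int wpa_ie_found_with_bad_len(void)
{
    uint8_t buf[sizeof(sample_ies)];

    memcpy(buf, sample_ies, sizeof(buf));
    buf[WPA_IE_OFFSET + 1] = 0xff;
    return find_vendor_ie(buf, sizeof(buf), WPA_VENDOR_TYPE) != NULL;
}

int main(void)
{
    printf("WPA IE len %d, WMM %d, truncated %d, bad len %d\n",
           wpa_ie_len_in_sample(), wmm_ie_found_in_sample(),
           wpa_ie_found_in_truncated(), wpa_ie_found_with_bad_len());
    return 0;
}
```

The two malformed variants are the kind of input a dense environment with many beaconing BSSIDs makes more likely to surface; a walker that checks the remaining length before trusting the IE's own length byte returns NULL on them instead of dereferencing past the end of the BSS entry.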


