wpa_supplicant segfault in large WLAN

Ben Greear greearb at candelatech.com
Thu Sep 26 15:06:09 EDT 2013


On 09/26/2013 12:03 PM, Matt Causey wrote:
> Another detail that may or may not be of interest is that most of these access points are 4x4:3 APs - which may or may not affect what's in the IE on the beacons.

What chipset, if I may ask?  Might want to get some to play with :)


>     /**
>       * wpa_bss_get_vendor_ie - Fetch a vendor information element from a BSS entry
>       * @bss: BSS table entry
>       * @vendor_type: Vendor type (four octets starting the IE payload)
>       * Returns: Pointer to the information element (id field) or %NULL if not found
>       *
>       * This function returns the first matching information element in the BSS
>       * entry.
>       */
>     const u8 * wpa_bss_get_vendor_ie(const struct wpa_bss *bss, u32 vendor_type)
>     {
>          const u8 *end, *pos;
>
>          pos = (const u8 *) (bss + 1);
>          end = pos + bss->ie_len;
>
>          while (pos + 1 < end) {
>              if (pos + 2 + pos[1] > end)   <--------  **LINE 912**
>                  break;

Use gdb to print out *bss, pos, end.

Looks like something is probably walking off the end of the bss info,
I'd guess.

Thanks,
Ben


-- 
Ben Greear <greearb at candelatech.com>
Candela Technologies Inc  http://www.candelatech.com
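The IE walk under discussion, as an added stand-alone example that is not wpa_supplicant's code and not part of this thread: it mirrors the loop of wpa_bss_get_vendor_ie on a stand-in struct bss and runs it over a constructed IE list whose last IE is truncated, so the line-912 check is what ends the walk instead of a read past ie_len. The names bss, get_vendor_ie, sample_ies and find_vendor_offset are this example's own.

```c
#include <stdint.h>
#include <string.h>

typedef uint8_t u8; typedef uint32_t u32;
#define WLAN_EID_VENDOR_SPECIFIC 221

/* Stand-in for struct wpa_bss: the IEs follow the struct in memory, at (bss + 1). */
struct bss { size_t ie_len; };

static u32 get_be32(const u8 *p)
{
    return ((u32)p[0] << 24) | ((u32)p[1] << 16) | ((u32)p[2] << 8) | p[3];
}

/* Same walk as wpa_bss_get_vendor_ie. Each IE is [id][len][payload]; the
 * "line 912" check stops on an IE whose declared length runs past end, so a
 * truncated or malformed IE list is never read beyond ie_len. */
const u8 *get_vendor_ie(const struct bss *bss, u32 vendor_type)
{
    const u8 *pos = (const u8 *)(bss + 1), *end = pos + bss->ie_len;
    while (pos + 1 < end) {
        if (pos + 2 + pos[1] > end)
            break;
        if (pos[0] == WLAN_EID_VENDOR_SPECIFIC && pos[1] >= 4 &&
            vendor_type == get_be32(&pos[2]))
            return pos;
        pos += 2 + pos[1];
    }
    return NULL;
}

/* Constructed IE list: SSID "test", a WMM vendor IE (OUI 00:50:f2, type 2),
 * then a vendor IE claiming 32 payload bytes of which only 2 are present. */
static const u8 sample_ies[] = {
    0x00, 0x04, 't', 'e', 's', 't',
    0xdd, 0x06, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x01,
    0xdd, 0x20, 0x00, 0x50,
};

/* Offset of the matching vendor IE within the IE area, or -1 when the walk
 * ends (here at the truncated IE) without a match. */
long find_vendor_offset(u32 vendor_type)
{
    union { struct bss hdr; u8 raw[sizeof(struct bss) + sizeof(sample_ies)]; } s;
    s.hdr.ie_len = sizeof(sample_ies);
    memcpy(s.raw + sizeof(struct bss), sample_ies, sizeof(sample_ies));
    const u8 *ie = get_vendor_ie(&s.hdr, vendor_type);
    return ie ? (long)(ie - (s.raw + sizeof(struct bss))) : -1;
}
```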


