wpa_supplicant segfault in large WLAN

Matt Causey matt.causey at gmail.com
Thu Sep 26 15:15:47 EDT 2013


On Thu, Sep 26, 2013 at 3:06 PM, Ben Greear <greearb at candelatech.com> wrote:

> On 09/26/2013 12:03 PM, Matt Causey wrote:
>
>> Another detail that may or may not be of interest is that most of these
>> access points are 4x4:3 APs - which may or may not affect what's in the IE
>> on the beacons.
>>
>
> What chipset, if I may ask?  Might want to get some to play with :)


>
>
>>      /**
>>       * wpa_bss_get_vendor_ie - Fetch a vendor information element from a BSS entry
>>       * @bss: BSS table entry
>>       * @vendor_type: Vendor type (four octets starting the IE payload)
>>       * Returns: Pointer to the information element (id field) or %NULL if not found
>>       *
>>       * This function returns the first matching information element in the BSS
>>       * entry.
>>       */
>>     const u8 * wpa_bss_get_vendor_ie(const struct wpa_bss *bss, u32 vendor_type)
>>     {
>>          const u8 *end, *pos;
>>
>>          pos = (const u8 *) (bss + 1);
>>          end = pos + bss->ie_len;
>>
>>          while (pos + 1 < end) {
>>              if (pos + 2 + pos[1] > end)   <--------  **LINE 912**
>>                  break;
>>
>
> Use gdb to print out *bss, pos, end.
>
> Looks like something is probably walking off the end of the bss info
> I'd guess.
>
>
Thanks for the hand-holding, Ben - this is a great learning experience for
me.  :-)  Here's the data:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb73ae6c0 (LWP 5452)]
wpa_bss_get_vendor_ie (bss=0x8ada590, vendor_type=5304833) at bss.c:912
912    bss.c: No such file or directory.
    in bss.c
(gdb) bt
#0  wpa_bss_get_vendor_ie (bss=0x8ada590, vendor_type=5304833) at bss.c:912
#1  0x08086de9 in wpas_select_network_from_last_scan (wpa_s=0x8a87468) at
events.c:645
#2  0x08087e23 in _wpa_supplicant_event_scan_results (wpa_s=0x8a87468,
data=0xa) at events.c:1186
#3  0x08087ed3 in wpa_supplicant_event_scan_results (wpa_s=0x8ae7000,
data=0x0) at events.c:1269
#4  0x0808893d in wpa_supplicant_event (ctx=0x8a87468,
event=EVENT_SCAN_RESULTS, data=0xbfce7d48) at events.c:2438
#5  0x08099371 in send_scan_event (drv=0x8a87fb8, aborted=145535476,
tb=0xbfce8660) at ../src/drivers/driver_nl80211.c:1679
#6  0x08099d4b in do_process_drv_event (bss=0x8a880ac, cmd=34,
tb=0xbfce8660) at ../src/drivers/driver_nl80211.c:2201
#7  0x0809a4fc in process_global_event (msg=0x8a8b4c8, arg=0x8a87f00) at
../src/drivers/driver_nl80211.c:2346
#8  0xb76fe47c in nl_cb_call () from /usr/local/lib/libnl.so.1
#9  0xb76feb7a in nl_recvmsgs () from /usr/local/lib/libnl.so.1
#10 0x08055173 in eloop_sock_table_dispatch (table=0x80b8bc8,
fds=0x8a932e0) at ../src/utils/eloop.c:393
#11 0x08055a08 in eloop_run () at ../src/utils/eloop.c:769
#12 0x0808163e in wpa_supplicant_run (global=0x8a87388) at
wpa_supplicant.c:3322
#13 0x0808cc94 in main (argc=Cannot access memory at address 0x8ae6fff
) at main.c:297
(gdb) print bss
$1 = (const struct wpa_bss *) 0x8ada590
(gdb) print pos
$2 = (const u8 *) 0x8ae6fff ""
(gdb) print end
$3 = (const u8 *) 0x8b38315 <Address 0x8b38315 out of bounds>
(gdb)

--
Matt



>
>
>
> --
> Ben Greear <greearb at candelatech.com>
> Candela Technologies Inc  http://www.candelatech.com
>
>
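Added example, not code from this thread or from wpa_supplicant: a small C walker in the same shape as the quoted wpa_bss_get_vendor_ie(), run over a constructed beacon IE list, to show what the `pos + 2 + pos[1] > end` check does and does not protect against. The function and helper names (find_vendor_ie, get_be32, the two sample arrays) are my own; element ID 221 and the WPA vendor type 0x0050f201 are the standard IEEE 802.11 / WPA values, and 0x0050f201 is the same 5304833 that appears as vendor_type in the backtrace above. The check keeps each element's claimed length inside `end`, but `end` itself comes from bss->ie_len; in the gdb output end is about 384 KB past bss and pos has already walked some 50 KB from it, which a walker cannot notice, so the corruption is upstream of this function, as Ben suggests.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define WLAN_EID_VENDOR_SPECIFIC 221        /* IEEE 802.11 element ID 0xdd */
#define WPA_IE_VENDOR_TYPE      0x0050f201u /* OUI 00:50:f2, type 1 (WPA) */

/* Big-endian read of the four octets (OUI + type) that start a vendor IE payload. */
static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk a list of [id, len, payload...] elements and return the first
 * vendor-specific element whose payload starts with vendor_type, or NULL.
 * ie_len is the caller's claim about the buffer size: every bound below is
 * relative to it, so a corrupt ie_len cannot be detected here. */
const uint8_t *find_vendor_ie(const uint8_t *ies, size_t ie_len,
                              uint32_t vendor_type)
{
    const uint8_t *pos = ies, *end = ies + ie_len;

    while (pos + 1 < end) {                     /* id and len bytes present */
        /* Same test as the quoted line 912, written as a length comparison
         * so no pointer is ever formed past the end of the buffer. */
        if ((size_t)(end - pos) < 2u + pos[1])
            break;                              /* element overruns buffer */
        if (pos[0] == WLAN_EID_VENDOR_SPECIFIC && pos[1] >= 4 &&
            get_be32(&pos[2]) == vendor_type)
            return pos;
        pos += 2 + pos[1];
    }
    return NULL;
}

/* Constructed IE list: SSID "test", one supported rate, then a WPA vendor IE
 * with a 10-byte payload (OUI+type, version, one cipher suite). */
static const uint8_t good_ies[] = {
    0x00, 0x04, 't', 'e', 's', 't',
    0x01, 0x01, 0x82,
    0xdd, 0x0a, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x02,
};

/* The same list cut off inside the vendor IE: its length byte still says 10,
 * but only three payload bytes remain, so the walker must stop. */
static const uint8_t truncated_ies[] = {
    0x00, 0x04, 't', 'e', 's', 't',
    0x01, 0x01, 0x82,
    0xdd, 0x0a, 0x00, 0x50, 0xf2,
};

/* Byte offset of the WPA IE in the well-formed list, or -1 if not found. */
long offset_in_good_list(void)
{
    const uint8_t *ie = find_vendor_ie(good_ies, sizeof good_ies,
                                       WPA_IE_VENDOR_TYPE);
    return ie ? (long)(ie - good_ies) : -1;
}

/* 1 if the walker refused the truncated list instead of reading past it. */
int truncated_list_rejected(void)
{
    return find_vendor_ie(truncated_ies, sizeof truncated_ies,
                          WPA_IE_VENDOR_TYPE) == NULL;
}

int main(void)
{
    printf("WPA IE offset in good list: %ld\n", offset_in_good_list());
    printf("truncated list rejected: %d\n", truncated_list_rejected());
    return 0;
}
```

With a trustworthy ie_len the walk is safe: the truncated list returns NULL at the vendor IE instead of reading past the buffer. What it cannot do is validate ie_len itself, which is why printing *bss (and checking who last wrote bss->ie_len, or whether bss was freed and reused) is the next step rather than changing line 912.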