wpa_supplicant segfault in large WLAN

Jouni Malinen j at w1.fi
Thu Sep 26 15:19:02 EDT 2013


On Thu, Sep 26, 2013 at 02:45:55PM -0400, Matt Causey wrote:
> >> sudo gdb wpa_supplicant
> >> Program received signal SIGSEGV, Segmentation fault.
> >> [Switching to Thread 0xb73dc6c0 (LWP 16180)]
> >> wpa_bss_get_vendor_ie (bss=0x87c0a40, vendor_type=5304833) at bss.c:912

> Referencing wpa_supplicant-2.0, which we're using unmodified, here's the
> function:

> const u8 * wpa_bss_get_vendor_ie(const struct wpa_bss *bss, u32 vendor_type)
> {
>     const u8 *end, *pos;
> 
>     pos = (const u8 *) (bss + 1);
>     end = pos + bss->ie_len;
> 
>     while (pos + 1 < end) {
>         if (pos + 2 + pos[1] > end)   <--------  **LINE 912**
>             break;

Interesting.. I cannot find an issue here, so I'd assume the BSS entry
got somehow corrupted and this just happens to be the first place where
that corruption trigger a clearly visible error.

Would you be able to run wpa_supplicant under valgrind (sudo valgrind
./wpa_supplicant ...)? It could make it easier to find where the
corruption really happens for the first time.

It could also be useful to print bss->ie_len in that
wpa_bss_get_vendor_ie() function.

Alternatively or in addition to that, I'd be interested in seeing a full
wpa_supplicant debug log from start to the segfault point with as much
verbosity as possible (i.e., -ddd on command line). This will be large,
but it will include all the IE buffers from scan results, so it should
give pretty clear sign if something is really going wrong in parsing the
information. If you can send this, feel free to just email it directly
to me (compressed version preferred taken into account how large this
is likely to be) since the mailing list is not going to accept that long
a file.

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list