wpa_supplicant segfault in large WLAN
j at w1.fi
Thu Sep 26 15:37:51 EDT 2013
On Thu, Sep 26, 2013 at 03:15:47PM -0400, Matt Causey wrote:
> (gdb) print bss
> $1 = (const struct wpa_bss *) 0x8ada590
> (gdb) print pos
> $2 = (const u8 *) 0x8ae6fff ""
> (gdb) print end
> $3 = (const u8 *) 0x8b38315 <Address 0x8b38315 out of bounds>
Lovely. This was indeed corruption somewhere else like I assumed.
bss->ie_len is something in the neighborhood of 375 kB. Things crashed
when reading about 50 kB into it.. ;-) So yes, obviously that ie_len is
not correct. The difficult part is in figuring out when it became
incorrect, though. valgrind could help, but not necessarily.
Jouni Malinen PGP id EFC895FA
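The gdb output above shows the failure shape: the walk pointer pos advanced by the element lengths it read, while end was derived from a bss->ie_len that no longer matched the real allocation, so the loop kept reading until it hit unmapped memory. The following bounded IE walker is an added illustration, not wpa_supplicant's own parser; MAX_IE_LEN, the return codes and the sample IE bytes are constructed for this example. It shows the two checks such a loop needs so that a corrupted length fails closed instead of reading past the buffer: a plausibility bound on the total length before walking, and a per-element check of the length byte against the bytes remaining before end.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t u8;

/* Assumed plausibility bound (constructed for this example): an 802.11
 * management frame cannot carry more IE bytes than this, so a larger
 * ie_len can only come from a corrupted length field. */
#define MAX_IE_LEN 2304

/* Constructed sample: SSID IE (id 0, len 4, "test") followed by
 * Supported Rates IE (id 1, len 2, 1 Mb/s and 2 Mb/s basic rates). */
const u8 SAMPLE_IES[] = { 0x00, 0x04, 't', 'e', 's', 't',
                          0x01, 0x02, 0x82, 0x84 };

/* Constructed malformed sample: the SSID IE claims 4 bytes of body but
 * only 2 bytes follow the header. */
const u8 TRUNCATED_IES[] = { 0x00, 0x04, 't', 'e' };

/* Walk [ie, ie + ie_len) as a sequence of (id, len, data) elements.
 * Returns the number of well-formed elements, or a negative code:
 *   -1  ie_len is larger than any real frame could carry (corrupted length)
 *   -2  an element's length byte runs past end (truncated/malformed block)
 * Every read is bounded: the 2-byte header is checked against end before
 * it is read, and the body length is checked before pos is advanced. */
int walk_ies(const u8 *ie, size_t ie_len)
{
    const u8 *pos, *end;
    int count = 0;

    if (ie == NULL || ie_len == 0)
        return 0;
    if (ie_len > MAX_IE_LEN)
        return -1;          /* refuse to walk a length that cannot be right */

    pos = ie;
    end = ie + ie_len;
    while (end - pos >= 2) {
        u8 id = pos[0];
        u8 len = pos[1];
        /* remaining body bytes after this header */
        if (len > end - pos - 2)
            return -2;      /* length byte points past the block */
        (void)id;           /* a real parser would dispatch on id here */
        count++;
        pos += 2 + len;
    }
    if (pos != end)
        return -2;          /* dangling byte that is not a full header */
    return count;
}

int main(void)
{
    printf("well-formed block: %d\n", walk_ies(SAMPLE_IES, sizeof(SAMPLE_IES)));
    printf("truncated element: %d\n", walk_ies(TRUNCATED_IES, sizeof(TRUNCATED_IES)));
    /* the 375 kB ie_len from the report, with a sane buffer behind it */
    printf("implausible ie_len: %d\n", walk_ies(SAMPLE_IES, 375000));
    return 0;
}
```

The total-length bound is the check that would have turned the reported crash into a rejected BSS entry: the per-element check alone cannot help when end itself lies hundreds of kilobytes past the allocation, because every element up to the unmapped page still looks consistent with that bogus end.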