wpa_supplicant segfault in large WLAN

Matt Causey matt.causey at gmail.com
Thu Sep 26 17:19:20 EDT 2013


On Thu, Sep 26, 2013 at 4:29 PM, Jouni Malinen <j at w1.fi> wrote:

> On Thu, Sep 26, 2013 at 03:40:30PM -0400, Matt Causey wrote:
> > (gdb) print *bss
> > $8 = {list = {next = 0x1ac0f00, prev = 0x964000}, list_id = {next =
> > 0x163d0028, prev = 0x40895}, id = 0, scan_miss_count = 0,
> >   last_update_idx = 0, flags = 0, bssid = "\000\000\177\004\000\020",
> > hessid = "\000\000\205\036\000",
> >   ssid =
> > "\217\000\017\000?\003Y\000OAK3-IDF16-NN6-\000\000\000\000?\226\006\000@",
> > ssid_len = 721046, freq = 1342183645, beacon_int = 754,
> >   caps = 257, qual = -1543307136, noise = -1540947968, level = 1128398848,
> > tsf = 494551736790417502, last_update = {sec = 26624000,
> >     usec = 98370561}, anqp = 0x3964000, ie_len = 384261, beacon_ie_len =
> > 151754304}
>
> This has clearly been overwritten with something and based on those
> values, I'd assume that this something has been other frames. For
> example, ie_len = 384261 = 0x05DD05 which looks like a very possible IE
> contents in a scan result, as do the other values like 151754304 =
> 0x90B9640 and 98370561 = 0x05DD0401.
>
> Either the pointer is invalid (e.g., pointing to previously freed
> memory that happened to include another BSS entry, but with a bit
> different offsets) or another frame update ended up going over a full
> BSS entry. I'm hoping valgrind will be helpful here.
>
>
So perhaps I'm revealing my ignorance here, but I cannot repro this
segfault under valgrind:

sudo valgrind wpa_supplicant -t -Dnl80211 -onl80211 -dddd -i wlan0 -c /var/tmp/nerf.conf

Is there something I'm missing here?

--
Matt
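Added example, not code from this thread or from wpa_supplicant: a reduced C model of the two failure modes Jouni describes, a BSS record overwritten by another frame's IE bytes, or one read through a stale pointer. It shows the bounds checks an IE walker needs before copying into a fixed-size record, a sanity check that rejects exactly the field values in the gdb dump above, and the little-endian byte view behind reading 384261 as 0x05DD05. The struct layout, the size constants and the sample IE buffers are assumptions of the example. One caveat that bears on the valgrind question: memcheck reports accesses outside a heap block, so a copy that overruns one record but stays inside the same allocation (a record stored together with its IE bytes, for instance) is not reported, and neither is a stale pointer once the freed block has been handed out again; either can make a crash that is visible in gdb fail to reproduce under valgrind.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reduced BSS record with just the fields needed here; it is
 * not wpa_supplicant's own struct. */
#define SSID_MAX_LEN    32
#define BSS_MAX_IE_LEN  2048   /* assumed cap on IE bytes stored per BSS */

struct bss {
    uint8_t bssid[6];
    uint8_t ssid[SSID_MAX_LEN];
    size_t  ssid_len;
    int     freq;            /* MHz */
    size_t  ie_len;
    size_t  beacon_ie_len;
};

/* Walk 802.11 information elements (id, len, payload...) and copy the SSID
 * into the record. Every length is checked against the bytes actually
 * present and against the destination buffer before any copy happens.
 * Returns the number of elements parsed, or -1 on a malformed buffer. */
int bss_parse_ies(struct bss *b, const uint8_t *ies, size_t ies_len)
{
    size_t pos = 0;
    int count = 0;

    b->ssid_len = 0;
    while (pos + 2 <= ies_len) {
        uint8_t id = ies[pos];
        uint8_t len = ies[pos + 1];

        if (pos + 2 + len > ies_len)
            return -1;                 /* element runs past the buffer */
        if (id == 0) {                 /* SSID element */
            if (len > SSID_MAX_LEN)
                return -1;             /* would overrun b->ssid */
            memcpy(b->ssid, ies + pos + 2, len);
            b->ssid_len = len;
        }
        pos += 2 + len;
        count++;
    }
    b->ie_len = ies_len;
    return count;
}

/* Cheap consistency check on a record before it is used. Lengths or a
 * frequency outside any plausible range mean the record has been
 * overwritten or is being read through a stale pointer. Returns 1 if
 * the record looks plausible. */
int bss_is_sane(const struct bss *b)
{
    if (b->ssid_len > SSID_MAX_LEN)
        return 0;
    if (b->freq < 2400 || b->freq > 6000)
        return 0;
    if (b->ie_len > BSS_MAX_IE_LEN || b->beacon_ie_len > BSS_MAX_IE_LEN)
        return 0;
    return 1;
}

/* Split an integer into its little-endian bytes, which is how the thread
 * reads 384261 = 0x05DD05 as frame bytes 05 DD 05 00 (0xDD is the
 * vendor-specific element id). */
void value_as_le_bytes(uint32_t v, uint8_t out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(v >> (8 * i));
}

/* Constructed IE buffer: SSID "example" followed by a DS Parameter Set. */
static const uint8_t good_ies[] = {
    0x00, 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e',
    0x03, 1, 6,
};
/* Constructed malformed buffer: the SSID element claims 40 bytes. */
static const uint8_t bad_ies[] = { 0x00, 40, 'x', 'x', 'x' };

int demo_parse_good(void)
{
    struct bss b;
    memset(&b, 0, sizeof(b));
    b.freq = 2437;
    int n = bss_parse_ies(&b, good_ies, sizeof(good_ies));
    return (n == 2 && b.ssid_len == 7 && bss_is_sane(&b)) ? 1 : 0;
}

int demo_parse_bad(void)
{
    struct bss b;
    memset(&b, 0, sizeof(b));
    return bss_parse_ies(&b, bad_ies, sizeof(bad_ies));   /* -1 */
}

/* The field values printed by gdb in the thread fail the sanity check. */
int demo_page_values(void)
{
    struct bss b;
    memset(&b, 0, sizeof(b));
    b.ssid_len = 721046;
    b.freq = 1342183645;
    b.ie_len = 384261;
    b.beacon_ie_len = 151754304;
    return bss_is_sane(&b);                               /* 0 */
}

int main(void)
{
    uint8_t bytes[4];
    value_as_le_bytes(384261, bytes);
    printf("good parse ok=%d, bad parse=%d, page values sane=%d\n",
           demo_parse_good(), demo_parse_bad(), demo_page_values());
    printf("384261 as LE bytes: %02x %02x %02x %02x\n",
           bytes[0], bytes[1], bytes[2], bytes[3]);
    return 0;
}
```

In a real supplicant the sanity check would sit where a record is handed out from the scan-result list; failing it there, and aborting with the record's address, turns a later random segfault into a deterministic stop at the first corrupted read, which is usually easier to trace back to the writer than the crash itself.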
