wpa_supplicant segfault in large WLAN

Ben Greear greearb at candelatech.com
Thu Sep 26 17:22:24 EDT 2013


On 09/26/2013 02:19 PM, Matt Causey wrote:
> On Thu, Sep 26, 2013 at 4:29 PM, Jouni Malinen <j at w1.fi> wrote:
>
>     On Thu, Sep 26, 2013 at 03:40:30PM -0400, Matt Causey wrote:
>      > (gdb) print *bss
>      > $8 = {list = {next = 0x1ac0f00, prev = 0x964000}, list_id = {next =
>      > 0x163d0028, prev = 0x40895}, id = 0, scan_miss_count = 0,
>      >   last_update_idx = 0, flags = 0, bssid = "\000\000\177\004\000\020",
>      > hessid = "\000\000\205\036\000",
>      >   ssid =
>      > "\217\000\017\000?\003Y\000OAK3-IDF16-NN6-\000\000\000\000?\226\006\000@",
>      > ssid_len = 721046, freq = 1342183645, beacon_int = 754,
>      >   caps = 257, qual = -1543307136, noise = -1540947968, level = 1128398848,
>      > tsf = 494551736790417502, last_update = {sec = 26624000,
>      >     usec = 98370561}, anqp = 0x3964000, ie_len = 384261, beacon_ie_len =
>      > 151754304}
>
>     This has clearly been overwritten with something and based on those
>     values, I'd assume that this something has been other frames. For
>     example, ie_len = 384261 = 0x05DD05 which looks like a very possible IE
>     contents in a scan result.. As do the other values like 151754304 =
>     0x90B9640 and 98370561 = 0x05DD0401.
>
>     Either the pointer is invalid (e.g., pointing to previously freed
>     memory that happened to include another BSS entry, but with a bit
>     different offsets) or another frame update ended up going over a full
>     BSS entry. I'm hoping on valgrind being helpful here.
>
>
> So perhaps I'm revealing my ignorance here, but I cannot repro this segfault under valgrind:
>
> sudo valgrind wpa_supplicant -t -Dnl80211 -onl80211 -dddd -i wlan0 -c /var/tmp/nerf.conf
>
> Is there something I'm missing here?

Valgrind will slow things down considerably, which can mask
(or exacerbate) race conditions and other asynchronous activity.
You might try turning off excessive logging in supplicant to
decrease CPU load under valgrind.

If you stop valgrind (nicely), do you get any useful logs
about memory leaks or related problems?

Thanks,
Ben

>
> --
> Matt
>


-- 
Ben Greear <greearb at candelatech.com>
Candela Technologies Inc  http://www.candelatech.com
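The mechanism Jouni hypothesises above, a frame update running past the end of one BSS entry into the next, is easy to model. The following is an added example written for this page, not wpa_supplicant's own code: a hypothetical cut-down entry struct whose IEs are stored in the memory trailing the struct, an in-place update that trusts the new IE length, and the checked variant that refuses to grow in place and makes the caller reallocate. After the unchecked update the neighbouring entry's bssid, beacon_int and ie_len fields read as bytes of the new frame, the same kind of pattern as the ie_len and last_update values in the gdb dump. The struct layout, BSSIDs and IE bytes are all constructed for the example; the printed integer values assume a little-endian host.

```c
/*
 * Added example, not wpa_supplicant code: two scan-cache entries laid out
 * back to back, then an in-place IE update that overruns the first one.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical cut-down entry; the real struct wpa_bss has many more fields. */
struct bss_entry {
    uint8_t bssid[6];
    uint16_t beacon_int;
    uint32_t ie_len;            /* IE bytes stored immediately after the struct */
};

static uint8_t *bss_ies(struct bss_entry *b)
{
    return (uint8_t *)(b + 1);
}

/* Write an entry and its IEs at byte offset off of a caller-owned arena. */
static struct bss_entry *bss_place(uint8_t *arena, size_t off,
                                   const uint8_t bssid[6],
                                   const uint8_t *ies, uint32_t ie_len)
{
    struct bss_entry *b = (struct bss_entry *)(arena + off);
    memcpy(b->bssid, bssid, 6);
    b->beacon_int = 100;
    b->ie_len = ie_len;
    memcpy(bss_ies(b), ies, ie_len);
    return b;
}

/* BUGGY: assumes the new IEs fit in the space allocated for the old ones. */
static void bss_update_unchecked(struct bss_entry *b,
                                 const uint8_t *ies, uint32_t ie_len)
{
    memcpy(bss_ies(b), ies, ie_len);
    b->ie_len = ie_len;
}

/* FIXED: never grow in place; -1 tells the caller to reallocate the entry. */
static int bss_update_checked(struct bss_entry *b,
                              const uint8_t *ies, uint32_t ie_len)
{
    if (ie_len > b->ie_len)
        return -1;
    memcpy(bss_ies(b), ies, ie_len);
    b->ie_len = ie_len;
    return 0;
}

struct demo_result {
    int rc;                            /* checked path: 0 ok, -1 refused */
    uint8_t neighbor_bssid[6];         /* second entry's bssid afterwards */
    uint32_t neighbor_ie_len;          /* second entry's ie_len afterwards */
    uint8_t neighbor_ie_len_bytes[4];  /* raw bytes of that field, as in memory */
};

/* Place A (8 IE bytes) and B (2 IE bytes) back to back, then give A a
 * constructed 21-byte IE set (SSID, Supported Rates, DS Parameter Set). */
static struct demo_result run_demo(int use_checked)
{
    static const uint8_t bssid_a[6] = { 0x02, 0, 0, 0, 0, 0x0a };
    static const uint8_t bssid_b[6] = { 0x02, 0, 0, 0, 0, 0x0b };
    static const uint8_t ies_a[] = { 0x00, 0x06, 'n', 'e', 't', 'w', 'k', '1' };
    static const uint8_t ies_b[] = { 0x00, 0x00 };
    static const uint8_t ies_a_new[] = {
        0x00, 0x06, 'n', 'e', 't', 'w', 'k', '1',                   /* SSID */
        0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24, /* rates */
        0x03, 0x01, 0x06                                            /* DS param */
    };
    union { uint32_t align; uint8_t bytes[64]; } mem;
    struct demo_result r;
    struct bss_entry *a, *b;

    memset(&mem, 0, sizeof mem);
    memset(&r, 0, sizeof r);
    a = bss_place(mem.bytes, 0, bssid_a, ies_a, sizeof ies_a);
    /* B starts exactly where A's allocation ends: 12 + 8 = 20 bytes in. */
    b = bss_place(mem.bytes, sizeof(*a) + sizeof ies_a, bssid_b, ies_b, sizeof ies_b);

    if (use_checked)
        r.rc = bss_update_checked(a, ies_a_new, sizeof ies_a_new);
    else
        bss_update_unchecked(a, ies_a_new, sizeof ies_a_new);

    memcpy(r.neighbor_bssid, b->bssid, 6);
    r.neighbor_ie_len = b->ie_len;
    memcpy(r.neighbor_ie_len_bytes, &b->ie_len, 4);
    return r;
}

int main(void)
{
    struct demo_result r = run_demo(0), s = run_demo(1);
    printf("unchecked: neighbor ie_len = %u (0x%08x), bssid[0..2] = %02x %02x %02x\n",
           (unsigned)r.neighbor_ie_len, (unsigned)r.neighbor_ie_len,
           r.neighbor_bssid[0], r.neighbor_bssid[1], r.neighbor_bssid[2]);
    printf("checked:   rc = %d, neighbor ie_len = %u\n", s.rc, (unsigned)s.neighbor_ie_len);
    return 0;
}
```

The unchecked path leaves B's ie_len holding the rates bytes 18 24 03 01, which a little-endian gdb prints as the implausible 16983064 (0x01032418), and its BSSID starting 01 08 82 84 8b 96, i.e. the Supported Rates element header and body. That is the decoding step applied to the dump in the thread: convert the suspicious integers back to bytes and see whether they chain as IE tag/length pairs. The checked path refuses the grow, so the same caller must reallocate the entry before copying, which is where valgrind's heap tracking would flag an overrun if the reallocation were mis-sized.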