Stack overflow crash in interworking due to recursion
j at w1.fi
Fri Jan 16 19:18:53 EST 2015
On Fri, Jan 16, 2015 at 06:10:42PM +0100, Olsson, Ola wrote:
> We have observed a crash in the supplicant related to interworking on Android 5.
> The stack trace looks as follows and we are not able to reproduce it manually (call chain goes upwards).
I was able to reproduce the loop and write an automated test case for
it, but my test build did not actually manage to run out of stack space
for some reason. Anyway, it did result in a five second busy loop
(followed by a scan and repeat..), so obviously not exactly desired.

This can be hit when auto_interworking=1 is used and there are no new
APs to query with ANQP and there is a BSS in scan result that has an
SSID matching one of the enabled network profiles, but not fully
matching security parameters.
> I was thinking about removing the call to "wpa_supplicant_fast_associate" in "interworking_reconnect" but if you have any better suggestions, please do tell.
While that would get rid of this issue, it would also disable a
significant optimization in Interworking connection speed. It's better
to modify this logic in a way that allows the fast path (i.e., skip a
new scan) to be used only once. This commit does that:

In addition, I added another small change to reduce stack use:

Strictly speaking this commit is not required to avoid the main issue
here, but there is not much need for keeping so long call paths and
breaking them up with an eloop callback can be quite convenient
especially when there was already an existing callback handler that can
be reused for this. This gives some additional protection should similar
loops be possible in some other sequences (not that I found any when
reviewing this area).
Jouni Malinen PGP id EFC895FA
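The two mitigations discussed in the thread (let the fast path be taken only once, and break the long call chain by re-entering through an event-loop callback instead of a direct call) can be seen side by side in the following constructed model. This is added example code written for this page, not wpa_supplicant code: `reconnect`, `fast_associate`, `select_network` and `schedule_reconnect` are hypothetical stand-ins for the real call chain, the "no full match" condition is hard-coded to mimic the SSID-matches-but-security-differs case, and resetting the one-shot flag after a new scan completes is left out. DEPTH_CAP and ITER_CAP exist only so the unguarded variants terminate instead of overflowing the stack or spinning.

```c
/* Constructed model of the interworking reconnect re-entry loop described above.
 * All names are hypothetical stand-ins; this is not wpa_supplicant code. */
#include <stdbool.h>
#include <stdio.h>

#define DEPTH_CAP 64    /* stops the unguarded, directly recursive model */
#define ITER_CAP  1000  /* stops the unguarded, deferred-callback busy loop */

struct model {
    bool use_guard;         /* mitigation 1: fast path may be used only once */
    bool use_deferral;      /* mitigation 2: re-enter via an event-loop callback */
    bool fast_path_used;    /* the one-shot flag for mitigation 1 */
    bool reconnect_pending; /* stands in for a scheduled eloop timeout */
    int depth, max_depth, scans, iterations;
};

static void reconnect(struct model *m);

static void schedule_reconnect(struct model *m)
{
    if (m->use_deferral)
        m->reconnect_pending = true; /* return to the loop; the stack unwinds first */
    else
        reconnect(m);                /* direct recursion: the original problem */
}

/* Stand-in for picking a network from the existing scan results. Constructed so
 * that an SSID matches a profile but the security parameters never do, i.e. no
 * association happens and the code tries to reconnect again. */
static void select_network(struct model *m)
{
    bool full_match = false;
    if (!full_match)
        schedule_reconnect(m);
}

/* Fast path: reuse the current scan results instead of starting a new scan. */
static void fast_associate(struct model *m)
{
    select_network(m);
}

static void reconnect(struct model *m)
{
    if (++m->depth > m->max_depth)
        m->max_depth = m->depth;
    if (m->depth < DEPTH_CAP) {
        if (!m->use_guard || !m->fast_path_used) {
            m->fast_path_used = true;
            fast_associate(m);      /* skip the scan */
        } else {
            m->scans++;             /* fast path already spent: fall back to a scan */
        }
    }
    m->depth--;
}

/* Drive one configuration of the model. Returns the deepest call nesting reached;
 * optionally reports scans requested and deferred callbacks executed. */
int run_model(bool guard, bool deferral, int *scans_out, int *iter_out)
{
    struct model m = { .use_guard = guard, .use_deferral = deferral };

    reconnect(&m);
    /* Minimal event loop: run the pending callback until nothing is scheduled. */
    while (m.reconnect_pending && m.iterations < ITER_CAP) {
        m.reconnect_pending = false;
        m.iterations++;
        reconnect(&m);
    }
    if (scans_out)
        *scans_out = m.scans;
    if (iter_out)
        *iter_out = m.iterations;
    return m.max_depth;
}

int main(void)
{
    const char *names[] = { "no guard, direct", "guard, direct",
                            "no guard, deferred", "guard, deferred" };
    bool cfg[][2] = { { false, false }, { true, false },
                      { false, true }, { true, true } };
    for (int i = 0; i < 4; i++) {
        int scans, iters;
        int depth = run_model(cfg[i][0], cfg[i][1], &scans, &iters);
        printf("%-20s depth=%d scans=%d callbacks=%d\n", names[i], depth, scans, iters);
    }
    return 0;
}
```

The unguarded direct variant nests until DEPTH_CAP, which is the stack growth the original report shows. Deferral alone keeps the stack flat but still spins (the busy loop seen in the test build), so it only reduces the damage; the one-shot guard is what ends the loop, after which the code falls back to a single new scan.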