<div dir="ltr">On Thu, Sep 26, 2013 at 4:29 PM, Jouni Malinen <span dir="ltr"><<a href="mailto:j@w1.fi" target="_blank">j@w1.fi</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div class="im">On Thu, Sep 26, 2013 at 03:40:30PM -0400, Matt Causey wrote:<br>
> (gdb) print *bss<br>
> $8 = {list = {next = 0x1ac0f00, prev = 0x964000}, list_id = {next =<br>
> 0x163d0028, prev = 0x40895}, id = 0, scan_miss_count = 0,<br>
> last_update_idx = 0, flags = 0, bssid = "\000\000\177\004\000\020",<br>
> hessid = "\000\000\205\036\000",<br>
> ssid =<br>
> "\217\000\017\000?\003Y\000OAK3-IDF16-NN6-\000\000\000\000?\226\006\000@",<br>
> ssid_len = 721046, freq = 1342183645, beacon_int = 754,<br>
> caps = 257, qual = -1543307136, noise = -1540947968, level = 1128398848,<br>
> tsf = 494551736790417502, last_update = {sec = 26624000,<br>
> usec = 98370561}, anqp = 0x3964000, ie_len = 384261, beacon_ie_len =<br>
> 151754304}<br>
<br>
</div>This has clearly been overwritten with something, and based on those<br>
values, I'd assume that this something has been other frames. For<br>
example, ie_len = 384261 = 0x05DD05 looks like very plausible IE<br>
contents in a scan result, as do the other values like 151754304 =<br>
0x90B9640 and 98370561 = 0x05DD0401.<br>
<br>
Either the pointer is invalid (e.g., pointing to previously freed<br>
memory that happened to include another BSS entry, but with a bit<br>
different offsets) or another frame update ended up going over a full<br>
BSS entry. I'm hoping valgrind will be helpful here.<br>
<br></blockquote><div><br></div><div>So perhaps I'm revealing my ignorance here, but I cannot repro this segfault under valgrind:<br><br>sudo valgrind wpa_supplicant -t -Dnl80211 -onl80211 -dddd -i wlan0 -c /var/tmp/nerf.conf<br>
<br></div><div>Is there something I'm missing here?<br><br>--<br></div><div>Matt<br><br></div><div><br></div></div></div></div>
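The reasoning in the quoted reply, that the field values are out of any plausible range and that their bytes read like a frame body, can be turned into a check. The following is an added example and is not code from the thread or from the hostap project: `struct bss_sample` is a hypothetical subset of a BSS entry that only borrows the field names from the gdb dump, the range limits (`SSID_MAX`, `FREQ_MIN_MHZ`, `FREQ_MAX_MHZ`, `IE_BUF_MAX`) are assumptions, and the IE blob in `main` is constructed for the demonstration. `check_bss` flags fields that cannot come from a real scan result, `walk_ies` tests whether a block of memory parses cleanly as a chain of 802.11 information elements, and `le_byte` spells out how an integer such as `usec = 98370561` sits in little-endian memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Hypothetical subset of a BSS entry mirroring the fields in the gdb dump.
 * This is NOT hostap's struct wpa_bss; names are reused only so the
 * constructed sample below reads like the dump. */
struct bss_sample {
    uint8_t  ssid[32];
    size_t   ssid_len;
    int      freq;
    uint16_t beacon_int;
    size_t   ie_len;
    size_t   beacon_ie_len;
};

/* Assumed limits for the sanity check (assumptions, not hostap's values). */
#define SSID_MAX      32      /* an SSID element carries at most 32 octets */
#define FREQ_MIN_MHZ  2000    /* below any Wi-Fi channel */
#define FREQ_MAX_MHZ  70000   /* above the 60 GHz band */
#define IE_BUF_MAX    4096    /* no Beacon/Probe Response body is this large */

enum {
    BAD_SSID_LEN      = 1u << 0,
    BAD_FREQ          = 1u << 1,
    BAD_IE_LEN        = 1u << 2,
    BAD_BEACON_IE_LEN = 1u << 3,
};

/* Return a bitmask of fields whose values cannot come from a real scan
 * result. A non-zero mask on an entry that was valid when it was added is
 * strong evidence the memory has since been overwritten or freed. */
unsigned check_bss(const struct bss_sample *b)
{
    unsigned bad = 0;
    if (b->ssid_len > SSID_MAX)
        bad |= BAD_SSID_LEN;
    if (b->freq < FREQ_MIN_MHZ || b->freq > FREQ_MAX_MHZ)
        bad |= BAD_FREQ;
    if (b->ie_len > IE_BUF_MAX)
        bad |= BAD_IE_LEN;
    if (b->beacon_ie_len > IE_BUF_MAX)
        bad |= BAD_BEACON_IE_LEN;
    return bad;
}

/* Walk buf as a chain of 802.11 information elements (1-byte element ID,
 * 1-byte length, payload). Returns how many complete elements were found
 * before the chain ran off the end; *consumed receives the bytes they cover.
 * A frame body that has overwritten a struct walks cleanly to its end. */
size_t walk_ies(const uint8_t *buf, size_t len, size_t *consumed)
{
    size_t pos = 0, n = 0;
    while (pos + 2 <= len) {
        size_t elen = buf[pos + 1];
        if (pos + 2 + elen > len)
            break;               /* element claims more bytes than remain */
        pos += 2 + elen;
        n++;
    }
    if (consumed)
        *consumed = pos;
    return n;
}

/* Byte i (0 = lowest address) of a host integer in little-endian memory
 * order, i.e. what actually sits in the struct on an x86 box. */
uint8_t le_byte(uint32_t v, int i)
{
    return (uint8_t)(v >> (8 * i));
}

int main(void)
{
    /* Field values copied from the gdb dump in the thread. */
    struct bss_sample corrupt = {
        .ssid_len = 721046, .freq = 1342183645, .beacon_int = 754,
        .ie_len = 384261, .beacon_ie_len = 151754304,
    };
    /* Constructed plausible entry for contrast. */
    struct bss_sample sane = {
        .ssid = "nerf", .ssid_len = 4, .freq = 2437, .beacon_int = 100,
        .ie_len = 120, .beacon_ie_len = 140,
    };
    printf("corrupt entry: bad field mask 0x%x\n", check_bss(&corrupt));
    printf("sane entry:    bad field mask 0x%x\n", check_bss(&sane));

    /* Constructed IE blob: SSID, Supported Rates, DS Parameter Set, Vendor
     * Specific (made-up OUI 00:11:22), then a truncated RSN element. */
    static const uint8_t blob[] = {
        0x00, 0x04, 'n', 'e', 'r', 'f',
        0x01, 0x02, 0x82, 0x84,
        0x03, 0x01, 0x06,
        0xdd, 0x05, 0x00, 0x11, 0x22, 0x01, 0x02,
        0x30, 0x10,
    };
    size_t used;
    size_t n = walk_ies(blob, sizeof blob, &used);
    printf("walked %zu IEs covering %zu of %zu bytes\n", n, used, sizeof blob);

    printf("usec = 98370561 in memory: %02x %02x %02x %02x\n",
           le_byte(98370561u, 0), le_byte(98370561u, 1),
           le_byte(98370561u, 2), le_byte(98370561u, 3));
    return 0;
}
```

A check like `check_bss` is cheap enough to call at the top of every function that takes a BSS pointer while hunting a corruption like this; the first call that trips it pins down the window in which the overwrite happened, which valgrind cannot do when the writer stays inside a live allocation.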