<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Thu, Sep 26, 2013 at 1:54 PM, Ben Greear <span dir="ltr"><<a href="mailto:greearb@candelatech.com" target="_blank">greearb@candelatech.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 09/26/2013 09:13 AM, Matt Causey wrote:<div><div class="h5"><br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
On Wed, Sep 25, 2013 at 6:58 PM, Ben Greear <<a href="mailto:greearb@candelatech.com" target="_blank">greearb@candelatech.com</a> <mailto:<a href="mailto:greearb@candelatech.com" target="_blank">greearb@candelatech.<u></u>com</a>>> wrote:<br>
<br>
On 09/25/2013 03:51 PM, Matt Causey wrote:<br>
<br>
Hello,<br>
<br>
We run wpa_supplicant on embedded machines and have today noticed that the supplicant dies with segmentation fault. We are seeing sporadic timeouts<br>
from the<br>
infrastructure as well, which may or may not be related. The only change on our side is that we installed in a very dense RF environment with a large<br>
number of<br>
BSSIDs. Are there any details pertaining to BSSID count or beacon count that could cause a segmentation fault? I'll start looking in the code but<br>
wanted to<br>
ask first so that hopefully someone can point me in a more useful direction. :-)<br>
<br>
Here is a log snippet. It's got to be abbreviated because in some cases we have over 988 BSSIDs visible from the client:<br>
<br>
<br>
Can you get a core dump and backtrace (and maybe more info from gdb once<br>
we see the backtrace?)<br>
<br>
<br>
OK so I did get some info. It might appear that there is some new Information Element in the beacons in this RF environment that's causing the segfault. Not sure:<br>
<br>
sudo gdb wpa_supplicant<br>
GNU gdb 6.8<br>
Copyright (C) 2008 Free Software Foundation, Inc.<br>
License GPLv3+: GNU GPL version 3 or later <<a href="http://gnu.org/licenses/gpl.html" target="_blank">http://gnu.org/licenses/gpl.<u></u>html</a>><br>
This is free software: you are free to change and redistribute it.<br>
There is NO WARRANTY, to the extent permitted by law. Type "show copying"<br>
and "show warranty" for details.<br>
This GDB was configured as "i686-pc-linux-gnu"...<br>
(gdb) run -s -t -Dnl80211 -onl80211 -ddd -i wlan0 -c /var/tmp/nerf.conf<br>
Starting program: /usr/local/sbin/wpa_supplicant -s -t -Dnl80211 -onl80211 -ddd -i wlan0 -c /var/tmp/nerf.conf<br>
[Thread debugging using libthread_db enabled]<br>
1380211578.212081: ssid - hexdump_ascii(len=7):<br>
61 73 69 6e 32 38 32 asin282<br>
1380211578.212199: bgscan - hexdump_ascii(len=19):<br>
73 69 6d 70 6c 65 3a 36 30 30 3a 2d 36 36 3a 31 simple:600:-66:1<br>
32 30 30 200<br>
[removed]<br>
1380211578.212699: private_key_passwd - hexdump_ascii(len=29): [REMOVED]<br>
1380211578.335831: nl80211: Scan SSID - hexdump_ascii(len=0): [NULL]<br>
<br>
1380211587.924526: * SSID - hexdump_ascii(len=7):<br>
61 73 69 6e 32 38 32 asin282<br>
1380211588.042745: nl80211: Scan SSID - hexdump_ascii(len=0): [NULL]<br>
1380211589.147182: * SSID - hexdump_ascii(len=7):<br>
61 73 69 6e 32 38 32 asin282<br>
<br>
1380211589.247747: nl80211: Scan SSID - hexdump_ascii(len=0): [NULL]<br>
1380211590.105423: * SSID - hexdump_ascii(len=7):<br>
61 73 69 6e 32 38 32 asin282<br>
1380211590.222784: nl80211: Scan SSID - hexdump_ascii(len=0): [NULL]<br>
[New Thread 0xb73dc6c0 (LWP 16180)]<br>
<br>
Program received signal SIGSEGV, Segmentation fault.<br>
[Switching to Thread 0xb73dc6c0 (LWP 16180)]<br>
wpa_bss_get_vendor_ie (bss=0x87c0a40, vendor_type=5304833) at bss.c:912<br>
912 bss.c: No such file or directory.<br>
in bss.c<br>
(gdb)<br>
(gdb)<br>
(gdb)<br>
<br>
<br>
(gdb) bt<br>
#0 wpa_bss_get_vendor_ie (bss=0x87c0a40, vendor_type=5304833) at bss.c:912<br>
#1 0x08086de9 in wpas_select_network_from_last_<u></u>scan (wpa_s=0x876f468) at events.c:645<br>
#2 0x08087e23 in _wpa_supplicant_event_scan_<u></u>results (wpa_s=0x876f468, data=0xa) at events.c:1186<br>
#3 0x08087ed3 in wpa_supplicant_event_scan_<u></u>results (wpa_s=0x87cf000, data=0x0) at events.c:1269<br>
#4 0x0808893d in wpa_supplicant_event (ctx=0x876f468, event=EVENT_SCAN_RESULTS, data=0xbffbe438) at events.c:2438<br>
#5 0x08099371 in send_scan_event (drv=0x876ffb8, aborted=142320980, tb=0xbffbed50) at ../src/drivers/driver_nl80211.<u></u>c:1679<br>
#6 0x08099d4b in do_process_drv_event (bss=0x87700ac, cmd=34, tb=0xbffbed50) at ../src/drivers/driver_nl80211.<u></u>c:2201<br>
#7 0x0809a4fc in process_global_event (msg=0x87734d0, arg=0x876ff00) at ../src/drivers/driver_nl80211.<u></u>c:2346<br>
#8 0xb772c47c in nl_cb_call () from /usr/local/lib/libnl.so.1<br>
#9 0xb772cb7a in nl_recvmsgs () from /usr/local/lib/libnl.so.1<br>
#10 0x08055173 in eloop_sock_table_dispatch (table=0x80b8bc8, fds=0x877b2e8) at ../src/utils/eloop.c:393<br>
#11 0x08055a08 in eloop_run () at ../src/utils/eloop.c:769<br>
#12 0x0808163e in wpa_supplicant_run (global=0x876f388) at wpa_supplicant.c:3322<br>
#13 0x0808cc94 in main (argc=Cannot access memory at address 0x87cefff<br>
) at main.c:297<br>
(gdb)<br>
<br>
<br>
Thoughts?<br>
</blockquote>
<br></div></div>
Post a tarball of your source somewhere and/or show bss.c line 912 and surrounding lines.<br>
<br></blockquote><div><br></div><div>Referencing the latest code, it's this line:<br><br><a href="http://hostap.epitest.fi/gitweb/gitweb.cgi?p=hostap.git;a=blob;f=wpa_supplicant/bss.c;h=0e1576b0fde1a71f2478665594631bac4fed28bf;hb=HEAD#l991">http://hostap.epitest.fi/gitweb/gitweb.cgi?p=hostap.git;a=blob;f=wpa_supplicant/bss.c;h=0e1576b0fde1a71f2478665594631bac4fed28bf;hb=HEAD#l991</a><br>
<br></div><div>Referencing wpa_supplicant-2.0, which we're using unmodified, here's the function:<br><br><br>/**<br> * wpa_bss_get_vendor_ie - Fetch a vendor information element from a BSS entry<br> * @bss: BSS table entry<br>
* @vendor_type: Vendor type (four octets starting the IE payload)<br> * Returns: Pointer to the information element (id field) or %NULL if not found<br> *<br> * This function returns the first matching information element in the BSS<br>
* entry.<br> */<br>const u8 * wpa_bss_get_vendor_ie(const struct wpa_bss *bss, u32 vendor_type)<br>{<br> const u8 *end, *pos;<br><br> pos = (const u8 *) (bss + 1);<br> end = pos + bss->ie_len;<br><br> while (pos + 1 < end) {<br>
if (pos + 2 + pos[1] > end) <-------- **LINE 912**<br> break;<br> if (pos[0] == WLAN_EID_VENDOR_SPECIFIC && pos[1] >= 4 &&<br> vendor_type == WPA_GET_BE32(&pos[2]))<br>
return pos;<br> pos += 2 + pos[1];<br> }<br><br> return NULL;<br>}<br><br></div><div>Cheers,<br><br></div><div> --<br></div><div>Matt<br><br></div></div></div></div>