<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Thu, Sep 26, 2013 at 3:06 PM, Ben Greear <span dir="ltr"><<a href="mailto:greearb@candelatech.com" target="_blank">greearb@candelatech.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="im">On 09/26/2013 12:03 PM, Matt Causey wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Another detail that may or may not be of interest is that most of these access points are 4x4:3 APs - which may or may not affect what's in the IE on the beacons.<br>
</blockquote>
<br></div></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">What chipset, if I may ask? Might want to get some to play with :)</blockquote>
</div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="im"><br>
<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
/**<br>
* wpa_bss_get_vendor_ie - Fetch a vendor information element from a BSS entry<br>
* @bss: BSS table entry<br>
* @vendor_type: Vendor type (four octets starting the IE payload)<br>
* Returns: Pointer to the information element (id field) or %NULL if not found<br>
*<br>
* This function returns the first matching information element in the BSS<br>
* entry.<br>
*/<br>
const u8 * wpa_bss_get_vendor_ie(const struct wpa_bss *bss, u32 vendor_type)<br>
{<br>
const u8 *end, *pos;<br>
<br>
pos = (const u8 *) (bss + 1);<br>
end = pos + bss->ie_len;<br>
<br>
while (pos + 1 < end) {<br>
if (pos + 2 + pos[1] > end) <-------- **LINE 912**<br>
break;<br>
</blockquote>
<br></div>
Use gdb to print out *bss, pos, end.<br>
<br>
Looks like something is probably walking off the end of the bss info<br>
I'd guess.<br>
<br>
<br></blockquote><div>Thanks for the hand-holding, Ben - this is a great learning experience for me. :-) here's the data:<br><br>Program received signal SIGSEGV, Segmentation fault.<br>[Switching to Thread 0xb73ae6c0 (LWP 5452)]<br>
wpa_bss_get_vendor_ie (bss=0x8ada590, vendor_type=5304833) at bss.c:912<br>912 bss.c: No such file or directory.<br> in bss.c<br>(gdb) bt<br>#0 wpa_bss_get_vendor_ie (bss=0x8ada590, vendor_type=5304833) at bss.c:912<br>
#1 0x08086de9 in wpas_select_network_from_last_scan (wpa_s=0x8a87468) at events.c:645<br>#2 0x08087e23 in _wpa_supplicant_event_scan_results (wpa_s=0x8a87468, data=0xa) at events.c:1186<br>#3 0x08087ed3 in wpa_supplicant_event_scan_results (wpa_s=0x8ae7000, data=0x0) at events.c:1269<br>
#4 0x0808893d in wpa_supplicant_event (ctx=0x8a87468, event=EVENT_SCAN_RESULTS, data=0xbfce7d48) at events.c:2438<br>#5 0x08099371 in send_scan_event (drv=0x8a87fb8, aborted=145535476, tb=0xbfce8660) at ../src/drivers/driver_nl80211.c:1679<br>
#6 0x08099d4b in do_process_drv_event (bss=0x8a880ac, cmd=34, tb=0xbfce8660) at ../src/drivers/driver_nl80211.c:2201<br>#7 0x0809a4fc in process_global_event (msg=0x8a8b4c8, arg=0x8a87f00) at ../src/drivers/driver_nl80211.c:2346<br>
#8 0xb76fe47c in nl_cb_call () from /usr/local/lib/libnl.so.1<br>#9 0xb76feb7a in nl_recvmsgs () from /usr/local/lib/libnl.so.1<br>#10 0x08055173 in eloop_sock_table_dispatch (table=0x80b8bc8, fds=0x8a932e0) at ../src/utils/eloop.c:393<br>
#11 0x08055a08 in eloop_run () at ../src/utils/eloop.c:769<br>#12 0x0808163e in wpa_supplicant_run (global=0x8a87388) at wpa_supplicant.c:3322<br>#13 0x0808cc94 in main (argc=Cannot access memory at address 0x8ae6fff<br>) at main.c:297<br>
(gdb) print bss<br>$1 = (const struct wpa_bss *) 0x8ada590<br>(gdb) print pos<br>$2 = (const u8 *) 0x8ae6fff ""<br>(gdb) print end<br>$3 = (const u8 *) 0x8b38315 <Address 0x8b38315 out of bounds><br>(gdb) <br>
<br>--<br></div><div>Matt<br></div><div><br> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class=""><div class="h5"><br>
<br>
<br>
-- <br>
Ben Greear <<a href="mailto:greearb@candelatech.com" target="_blank">greearb@candelatech.com</a>><br>
Candela Technologies Inc <a href="http://www.candelatech.com" target="_blank">http://www.candelatech.com</a><br>
<br>
</div></div></blockquote></div><br></div></div>