[Bug 138873] Re: "*** stack smashing detected ***: /sbin/wpa_supplicant terminated" with iwl4965

Jouni Malinen j
Tue Sep 25 19:59:01 PDT 2007

On Sat, Sep 15, 2007 at 09:18:24AM +0200, Reinhard Tartler wrote:
> Kees Cook <kees at ubuntu.com> writes:
> >   * Add debian/patches/90_fix_wext_tsf_stack_overflow.dpatch: correct
> >     buffer size limit on hexstr2bin call from wext_get_scan_custom
> >     (LP: #138873).

> The file debian/patches/90_fix_wext_tsf_stack_overflow.dpatch has the
> following contents:
> diff -urNad wpasupplicant-0.6.0~/src/drivers/driver_wext.c wpasupplicant-0.6.0/src/drivers/driver_wext.c
> +               bytes /= 2;
>                 hexstr2bin(spos, bin, bytes);

> Can you please comment on it?

This is a correct fix and I've applied it to my git tree. As far as the
buffer overflow is concerned, I'm actually surprised to see that it can
even be hit since this would require the driver to pass an invalid tsf=
custom iwevent in scan results..

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list