hostapd: Segmentation fault when using WPA with nl80211

Jouni Malinen j
Fri Jun 6 06:52:45 PDT 2008


On Fri, Jun 06, 2008 at 04:43:33PM +0300, Jouni Malinen wrote:

> I was able to reproduce this with a bit different test program
> (wpa_supplicant using nl80211 and test code for calling
> i802_get_seqnum() from hostapd when setting GTK). Segmentation fault
> happens on every call to this function and it does indeed seem to happen
> when libnl calls get_key_handler() (NL_CB_CALL(cb, NL_CB_VALID, msg); in
> recvmsgs(), lib/nl.c). I can see NL_CB_CALL macro calling nl_cb_call()
> and the callback function, get_key_handler(), returning. However,
> nl_cb_call() does not return.. valgrind doesn't show very helpful output
> for this even when libnl was built with symbols.

Found and fixed.. It was a buffer overflow in the nla_parse() call. The
destination array (tb) must have maxtype+1 elements, not just maxtype..

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the Hostap mailing list