wpa_supplicant segmentation fault

[Jouni Malinen]

On Tue, Feb 24, 2009 at 04:42:52PM +0200, Cristian NAVALICI wrote:

> I'm struggling to get up an wireless card (EDIMAX PCI adapter based on
> Ralink RT2561/RT61 802.11g chipset). I managed to install the card
> drivers, everything seems to be ok.

Which drivers are you using?

> wpa_supplicant v0.6.8
> wpa_supplicant -Dralink -iwlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf -dd

Are you sure you need to use the driver specific wrapper (-Dralink)?
Have you tried with the more generic WEXT one (-Dwext)?

> wpa_driver_ralink_get_scan_results
> Segmentation fault

> More debugging info:
> 
> (gdb) run /usr/local/sbin/wpa_supplicant -Dralink -iwlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf 
> Starting program: /usr/local/sbin/wpa_supplicant /usr/local/sbin/wpa_supplicant -Dralink -iwlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf

> Program received signal SIGSEGV, Segmentation fault.
> 0x00002b24e2be647b in memcpy () from /lib64/libc.so.6

Could you please do the same but with backtrace showing the called
functions ('bt' in gdb)?

> This wpa_supplicant is built from the sources, but I tried either with
> packages.
> I run Centos 5.2 64bit version.
> 
> As a curiosity, on the same computer, but with Centos 5 32bit version,
> this seems to work without any problem. So I guess it's related to 64bit
> architecture.

It is possible that the data structure used for the scan results would
not have matching size in the kernel code and wpa_supplicant in some of
the configurations.. It looks like wpa_driver_ralink_get_scan_results()
does not check the values received from the driver, so it might easily
end up trying to copy huge memory areas if there is a mismatch in size
of alignment of the fields.

-- 
Jouni Malinen                                            PGP id EFC895FA