wpa_supplicant segmentation fault

Jouni Malinen
Mon Mar 2 10:35:40 PST 2009


On Wed, Feb 25, 2009 at 08:22:12AM +0200, Cristian NAVALICI wrote:

> #0  0x00002ae783bb947b in memcpy () from /lib64/libc.so.6
> #1  0x0000000000431f5c in wpa_driver_ralink_get_scan_results (priv=0x1432cd10, results=0x14340400, max_size=<value optimized out>) at ../src/drivers/driver_ralink.c:1113

> So, the problem is the line 1113 with the os_memcpy or something like
> this. How can I debug it further?

Thanks. I would assume that wbi->Ssid.SsidLength is corrupted and the
memcopy ends up reading and writing who knows how many bytes in this
case.

Dumping the data buffer from the driver would be a good next step to
figure out what exactly is happening here:


diff --git a/src/drivers/driver_ralink.c b/src/drivers/driver_ralink.c
index e9313cb..a4b8f27 100644
--- a/src/drivers/driver_ralink.c
+++ b/src/drivers/driver_ralink.c
@@ -1105,6 +1105,8 @@ wpa_driver_ralink_get_scan_results(void *priv,
 		return -1;
 	}
 
+	wpa_hexdump(MSG_DEBUG, "OID_802_11_BSSID_LIST data",
+		    buf, iwr.u.data.length);
 	os_memset(results, 0, max_size * sizeof(struct wpa_scan_result));
 
 	for (ap_num = 0, wbi = wsr->Bssid; ap_num < wsr->NumberOfItems;
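Review bot: the hexdump is a diagnostic only and leaves the suspected overrun in place; since the report points at the memcpy at driver_ralink.c:1113 with a possibly corrupted wbi->Ssid.SsidLength, that copy should be guarded before it runs (skip or truncate an entry whose SsidLength exceeds the 32-octet 802.11 maximum, and log the bad value), and the loop should also verify that wsr->NumberOfItems entries of sizeof(*wbi) actually fit inside iwr.u.data.length before trusting the driver's item count. One practical note for the reporter: the dump is at MSG_DEBUG, so wpa_supplicant has to be started with -d (or -dd) for it to show up in the log.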

-- 
Jouni Malinen                                            PGP id EFC895FA
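The failure mode described above, as an added example in C that is neither the patch in this mail nor code from the hostap tree: a mock BSSID list (all struct and field names are hypothetical, chosen to mirror wbi->Ssid.SsidLength and wsr->NumberOfItems from the thread) is walked the way the driver loop is, but with the two checks a defender would want first, that the item count fits the byte count the driver returned, and that each SSID length is within the 802.11 maximum before anything is copied.

```c
/* Added example, not hostap code: bounded parsing of a driver-provided
 * scan list. Struct and field names are hypothetical stand-ins. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSID_MAX_LEN 32          /* 802.11 limit on SSID length in octets */
#define MOCK_MAX_RESULTS 8

/* Hypothetical entry of a driver-provided BSSID list; SsidLength mirrors
 * the wbi->Ssid.SsidLength reference in the thread. */
struct mock_bssid {
    uint32_t SsidLength;
    uint8_t  Ssid[SSID_MAX_LEN];
};

/* Hypothetical list header: an item count followed by the entries. */
struct mock_bssid_list {
    uint32_t NumberOfItems;
    struct mock_bssid Bssid[MOCK_MAX_RESULTS];
};

/* Stand-in for one struct wpa_scan_result. */
struct mock_scan_result {
    uint8_t ssid[SSID_MAX_LEN];
    size_t  ssid_len;
};

/* Check that the item count the driver reports is consistent with the number
 * of bytes it actually returned (data_len plays the role of iwr.u.data.length).
 * Returns 1 when the list fits, 0 otherwise. */
int list_fits_buffer(size_t data_len, uint32_t n_items)
{
    size_t need = sizeof(uint32_t) + (size_t) n_items * sizeof(struct mock_bssid);
    return data_len >= need && n_items <= MOCK_MAX_RESULTS;
}

/* Bounded SSID copy: reject any length over the 802.11 maximum instead of
 * trusting it. Returns 0 on success, -1 when the entry is skipped. */
int copy_ssid_checked(struct mock_scan_result *res, const struct mock_bssid *src)
{
    if (src->SsidLength > SSID_MAX_LEN) {
        fprintf(stderr, "scan entry skipped: SsidLength=%u > %d\n",
                (unsigned) src->SsidLength, SSID_MAX_LEN);
        return -1;
    }
    memcpy(res->ssid, src->Ssid, src->SsidLength);
    res->ssid_len = src->SsidLength;
    return 0;
}

/* Walk the list as the driver loop does, but skip corrupt entries.
 * Returns the number of results stored, or -1 if the list itself is
 * inconsistent with the buffer length. */
int parse_scan_list(const struct mock_bssid_list *wsr, size_t data_len,
                    struct mock_scan_result *results, size_t max_size)
{
    size_t n = 0;
    if (!list_fits_buffer(data_len, wsr->NumberOfItems))
        return -1;
    memset(results, 0, max_size * sizeof(*results));
    for (uint32_t i = 0; i < wsr->NumberOfItems && n < max_size; i++) {
        if (copy_ssid_checked(&results[n], &wsr->Bssid[i]) == 0)
            n++;
    }
    return (int) n;
}

/* Constructed sample list: one sane entry, one with a corrupt length of the
 * kind the report suggests, and one at the exact maximum. */
int demo_parse(void)
{
    struct mock_bssid_list list;
    struct mock_scan_result results[MOCK_MAX_RESULTS];
    memset(&list, 0, sizeof(list));
    list.NumberOfItems = 3;
    list.Bssid[0].SsidLength = 5;
    memcpy(list.Bssid[0].Ssid, "guest", 5);
    list.Bssid[1].SsidLength = 200;          /* constructed corrupt length */
    list.Bssid[2].SsidLength = SSID_MAX_LEN;
    memset(list.Bssid[2].Ssid, 'x', SSID_MAX_LEN);
    return parse_scan_list(&list, sizeof(list), results, MOCK_MAX_RESULTS);
}

int main(void)
{
    printf("results kept: %d\n", demo_parse());   /* 2 */
    return 0;
}
```

With the corrupt entry rejected rather than copied, the parser keeps two of the three entries and logs the bad length, which is the kind of record that would also have pinpointed this crash without a core dump.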


