Crash while hs20=1 in wpa_supplicant.conf

Shyam shyamms2003
Tue Feb 5 06:10:39 PST 2013


Hi,
I noticed a crash when I enabled hs20=1 in the conf file of the
supplicant. The crash referred to a bad address being accessed.
I took a look at the scan.c file: the buffer resize happens for 6,
whereas the function wpas_hs20_add_indication adds 7 bytes of
information.

        if (wpa_s->conf->hs20 && wpabuf_resize(&extra_ie, 6) == 0)
                wpas_hs20_add_indication(extra_ie);

The fix should be to increase the resize value to 7 instead of 6,
which fixed the crash.

Thanks,
Shyam
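
The size mismatch described above (6 bytes reserved, 7 bytes appended), as an added example that is not part of the original message and is not hostap's code: a simplified bounds-checked buffer in which the reservation is derived from the element being written, so the two cannot drift apart. `struct buf`, `buf_resize`, `buf_put`, `add_indication_with_reserve` and the `INDICATION` byte layout are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for a growable buffer; not hostap's struct wpabuf. */
struct buf { size_t size, used; uint8_t *data; };

/* Constructed 7-byte element (assumed layout): tag, length, 3-byte OUI, type, config. */
static const uint8_t INDICATION[] = { 0xdd, 0x05, 0x50, 0x6f, 0x9a, 0x10, 0x00 };
#define INDICATION_LEN sizeof(INDICATION)

static size_t buf_tailroom(const struct buf *b) { return b->size - b->used; }

/* Ensure at least add_len bytes of tailroom; 0 on success, -1 on failure. */
static int buf_resize(struct buf *b, size_t add_len)
{
    uint8_t *n;
    if (buf_tailroom(b) >= add_len)
        return 0;
    if ((n = realloc(b->data, b->used + add_len)) == NULL)
        return -1;
    b->data = n;
    b->size = b->used + add_len;
    return 0;
}

/* Bounds-checked append: refuses to write past the reserved space. */
static int buf_put(struct buf *b, const void *src, size_t len)
{
    if (len > buf_tailroom(b))
        return -1;
    memcpy(b->data + b->used, src, len);
    b->used += len;
    return 0;
}

/* Reserve `reserve` bytes, then append the element; returns bytes used or -1. */
static int add_indication_with_reserve(size_t reserve)
{
    struct buf b = { 0, 0, NULL };
    int ret = -1;
    if (buf_resize(&b, reserve) == 0 &&
        buf_put(&b, INDICATION, INDICATION_LEN) == 0)
        ret = (int)b.used;
    free(b.data);
    return ret;
}
```

Passing `INDICATION_LEN` as the reservation, instead of a hand-counted literal, keeps the caller correct if the element ever grows.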


