wpa_supplicant segfault in large WLAN

Matt Causey matt.causey
Thu Sep 26 12:03:28 PDT 2013


Another detail that may or may not be of interest is that most of these
access points are 4x4:3 APs - which may or may not affect what's in the IE
on the beacons.

--
Matt



On Thu, Sep 26, 2013 at 2:45 PM, Matt Causey <matt.causey at gmail.com> wrote:

> On Thu, Sep 26, 2013 at 1:54 PM, Ben Greear <greearb at candelatech.com>wrote:
>
>> On 09/26/2013 09:13 AM, Matt Causey wrote:
>>
>>> On Wed, Sep 25, 2013 at 6:58 PM, Ben Greear <greearb at candelatech.com> wrote:
>>>
>>>     On 09/25/2013 03:51 PM, Matt Causey wrote:
>>>
>>>         Hello,
>>>
>>>         We run wpa_supplicant on embedded machines and have today noticed that
>>>         the supplicant dies with segmentation fault.  We are seeing sporadic
>>>         timeouts from the infrastructure as well, which may or may not be
>>>         related.  The only change on our side is that we installed in a very
>>>         dense RF environment with a large number of BSSIDs.  Are there any
>>>         details pertaining to BSSID count or beacon count that could cause a
>>>         segmentation fault?  I'll start looking in the code but wanted to ask
>>>         first so that hopefully someone can point me in a more useful
>>>         direction.  :-)
>>>
>>>         Here is a log snippet.  It's got to be abbreviated because in some
>>>         cases we have over 988 BSSIDs visible from the client:
>>>
>>>
>>>     Can you get a core dump and backtrace (and maybe more info from gdb
>>> once
>>>     we see the backtrace?)
>>>
>>>
>>> OK so I did get some info.  It might appear that there is some new
>>> Information Element in the beacons in this RF environment that's causing
>>> the segfault.  Not sure:
>>>
>>> sudo gdb wpa_supplicant
>>> GNU gdb 6.8
>>> Copyright (C) 2008 Free Software Foundation, Inc.
>>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>>> This is free software: you are free to change and redistribute it.
>>> There is NO WARRANTY, to the extent permitted by law.  Type "show
>>> copying"
>>> and "show warranty" for details.
>>> This GDB was configured as "i686-pc-linux-gnu"...
>>> (gdb) run -s -t -Dnl80211 -onl80211 -ddd -i wlan0 -c /var/tmp/nerf.conf
>>> Starting program: /usr/local/sbin/wpa_supplicant -s -t -Dnl80211
>>> -onl80211 -ddd -i wlan0 -c /var/tmp/nerf.conf
>>> [Thread debugging using libthread_db enabled]
>>> 1380211578.212081: ssid - hexdump_ascii(len=7):
>>>       61 73 69 6e 32 38 32                              asin282
>>> 1380211578.212199: bgscan - hexdump_ascii(len=19):
>>>       73 69 6d 70 6c 65 3a 36 30 30 3a 2d 36 36 3a 31   simple:600:-66:1
>>>       32 30 30                                          200
>>> [removed]
>>> 1380211578.212699: private_key_passwd - hexdump_ascii(len=29): [REMOVED]
>>> 1380211578.335831: nl80211: Scan SSID - hexdump_ascii(len=0): [NULL]
>>>
>>> 1380211587.924526:   * SSID - hexdump_ascii(len=7):
>>>       61 73 69 6e 32 38 32                              asin282
>>> 1380211588.042745: nl80211: Scan SSID - hexdump_ascii(len=0): [NULL]
>>> 1380211589.147182:   * SSID - hexdump_ascii(len=7):
>>>       61 73 69 6e 32 38 32                              asin282
>>>
>>> 1380211589.247747: nl80211: Scan SSID - hexdump_ascii(len=0): [NULL]
>>> 1380211590.105423:   * SSID - hexdump_ascii(len=7):
>>>       61 73 69 6e 32 38 32                              asin282
>>> 1380211590.222784: nl80211: Scan SSID - hexdump_ascii(len=0): [NULL]
>>> [New Thread 0xb73dc6c0 (LWP 16180)]
>>>
>>> Program received signal SIGSEGV, Segmentation fault.
>>> [Switching to Thread 0xb73dc6c0 (LWP 16180)]
>>> wpa_bss_get_vendor_ie (bss=0x87c0a40, vendor_type=5304833) at bss.c:912
>>> 912    bss.c: No such file or directory.
>>>      in bss.c
>>> (gdb)
>>> (gdb)
>>> (gdb)
>>>
>>>
>>> (gdb) bt
>>> #0  wpa_bss_get_vendor_ie (bss=0x87c0a40, vendor_type=5304833) at bss.c:912
>>> #1  0x08086de9 in wpas_select_network_from_last_scan (wpa_s=0x876f468) at events.c:645
>>> #2  0x08087e23 in _wpa_supplicant_event_scan_results (wpa_s=0x876f468, data=0xa) at events.c:1186
>>> #3  0x08087ed3 in wpa_supplicant_event_scan_results (wpa_s=0x87cf000, data=0x0) at events.c:1269
>>> #4  0x0808893d in wpa_supplicant_event (ctx=0x876f468, event=EVENT_SCAN_RESULTS, data=0xbffbe438) at events.c:2438
>>> #5  0x08099371 in send_scan_event (drv=0x876ffb8, aborted=142320980, tb=0xbffbed50) at ../src/drivers/driver_nl80211.c:1679
>>> #6  0x08099d4b in do_process_drv_event (bss=0x87700ac, cmd=34, tb=0xbffbed50) at ../src/drivers/driver_nl80211.c:2201
>>> #7  0x0809a4fc in process_global_event (msg=0x87734d0, arg=0x876ff00) at ../src/drivers/driver_nl80211.c:2346
>>> #8  0xb772c47c in nl_cb_call () from /usr/local/lib/libnl.so.1
>>> #9  0xb772cb7a in nl_recvmsgs () from /usr/local/lib/libnl.so.1
>>> #10 0x08055173 in eloop_sock_table_dispatch (table=0x80b8bc8,
>>> fds=0x877b2e8) at ../src/utils/eloop.c:393
>>> #11 0x08055a08 in eloop_run () at ../src/utils/eloop.c:769
>>> #12 0x0808163e in wpa_supplicant_run (global=0x876f388) at
>>> wpa_supplicant.c:3322
>>> #13 0x0808cc94 in main (argc=Cannot access memory at address 0x87cefff
>>> ) at main.c:297
>>> (gdb)
>>>
>>>
>>>   Thoughts?
>>>
>>
>> Post a tarball of your source somewhere and/or show bss.c line 912 and
>> surrounding lines.
>>
>>
> Referencing the latest code, it's this line:
>
>
> http://hostap.epitest.fi/gitweb/gitweb.cgi?p=hostap.git;a=blob;f=wpa_supplicant/bss.c;h=0e1576b0fde1a71f2478665594631bac4fed28bf;hb=HEAD#l991
>
> Referencing wpa_supplicant-2.0, which we're using unmodified, here's the
> function:
>
>
> /**
>  * wpa_bss_get_vendor_ie - Fetch a vendor information element from a BSS
> entry
>  * @bss: BSS table entry
>  * @vendor_type: Vendor type (four octets starting the IE payload)
>  * Returns: Pointer to the information element (id field) or %NULL if not
> found
>  *
>  * This function returns the first matching information element in the BSS
>  * entry.
>  */
> const u8 * wpa_bss_get_vendor_ie(const struct wpa_bss *bss, u32
> vendor_type)
> {
>     const u8 *end, *pos;
>
>     pos = (const u8 *) (bss + 1);
>     end = pos + bss->ie_len;
>
>     while (pos + 1 < end) {
>         if (pos + 2 + pos[1] > end)   <--------  **LINE 912**
>             break;
>         if (pos[0] == WLAN_EID_VENDOR_SPECIFIC && pos[1] >= 4 &&
>             vendor_type == WPA_GET_BE32(&pos[2]))
>             return pos;
>         pos += 2 + pos[1];
>     }
>
>     return NULL;
> }
>
> Cheers,
>
>  --
> Matt
>
>
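The loop quoted above walks the (id, length, payload) information-element list stored right after the struct wpa_bss entry, and line 912 is the bounds check that reads pos[1] and decides whether the current IE fits inside ie_len. The following is an added example, not wpa_supplicant code: a stand-alone version of that walker over an explicit buffer plus length, with the same check expressed as a remaining-bytes comparison so that a bogus length byte never forms a pointer past the buffer, and a separate validator that can be run once when a scan result is stored. The byte string is constructed for the example, and the function and constant names (find_vendor_ie, ie_list_well_formed, WPA_VENDOR_TYPE, sample_ies) are mine; the one value taken from the thread is vendor_type=5304833, which is 0x0050f201, the OUI 00:50:f2 type 1 WPA IE.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WLAN_EID_VENDOR_SPECIFIC 221

/* OUI 00:50:f2, type 1 (the WPA IE). 0x0050f201 == 5304833, the vendor_type
 * argument shown in frame #0 of the backtrace. */
#define WPA_VENDOR_TYPE 0x0050f201u

/* Big-endian 32-bit read, the same operation as wpa_supplicant's WPA_GET_BE32. */
static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Return the first vendor-specific IE whose 4-byte OUI+type prefix equals
 * vendor_type, or NULL. Same walk as the quoted wpa_bss_get_vendor_ie, but
 * over an explicit (ies, ie_len) pair instead of the bytes after bss + 1. */
const uint8_t *find_vendor_ie(const uint8_t *ies, size_t ie_len, uint32_t vendor_type)
{
    const uint8_t *pos = ies;
    const uint8_t *end = ies + ie_len;

    /* Both the id and the length byte must be inside the buffer before pos[1]
     * is read; this is the "pos + 1 < end" condition of the original loop. */
    while (end - pos >= 2) {
        size_t len = pos[1];
        /* Equivalent of "pos + 2 + pos[1] > end", written on the byte count so
         * that no out-of-range pointer is ever computed. A length byte that
         * runs past the end stops the walk (there is nothing trustworthy left). */
        if ((size_t)(end - pos) < 2 + len)
            return NULL;
        if (pos[0] == WLAN_EID_VENDOR_SPECIFIC && len >= 4 &&
            get_be32(pos + 2) == vendor_type)
            return pos;
        pos += 2 + len;
    }
    return NULL;
}

/* Check once, when a scan result is stored, that every IE in the list fits
 * inside ie_len. Returns 1 if well formed, 0 on a dangling id byte or on a
 * length byte that points past the end. Later lookups can then rely on ie_len. */
int ie_list_well_formed(const uint8_t *ies, size_t ie_len)
{
    size_t off = 0;
    while (off < ie_len) {
        if (ie_len - off < 2)
            return 0;                       /* id byte with no length byte */
        size_t len = ies[off + 1];
        if (ie_len - off - 2 < len)
            return 0;                       /* payload runs past the buffer */
        off += 2 + len;
    }
    return 1;
}

/* Constructed beacon IE list for the example (not captured from a network):
 * SSID "asin282", supported rates, a WPA vendor IE, then a vendor IE whose
 * length byte (0x20) claims 32 bytes when only 2 remain, i.e. the malformed
 * tail that the line-912 check exists to reject. */
const uint8_t sample_ies[] = {
    0x00, 0x07, 'a', 's', 'i', 'n', '2', '8', '2',       /* offset 0  */
    0x01, 0x04, 0x82, 0x84, 0x8b, 0x96,                   /* offset 9  */
    0xdd, 0x06, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00,       /* offset 15 */
    0xdd, 0x20, 0x00, 0x50,                               /* offset 23 */
};
const size_t sample_ies_len = sizeof(sample_ies);        /* 27 bytes */

int main(void)
{
    const uint8_t *wpa = find_vendor_ie(sample_ies, sample_ies_len, WPA_VENDOR_TYPE);
    printf("WPA IE at offset %ld, list well-formed: %d\n",
           wpa ? (long)(wpa - sample_ies) : -1L,
           ie_list_well_formed(sample_ies, sample_ies_len));
    return 0;
}
```

Run as is, it finds the WPA IE at offset 15 and reports the list as not well formed because of the truncated trailer. Looking up a type that is not present (for instance 0x0050f202) walks into that trailer and returns NULL instead of reading past the buffer, and a lookup with ie_len cut to 17, in the middle of the WPA IE, also returns NULL. Note what the walker cannot protect against: the checks assume bss->ie_len and the bytes after the struct are intact, so if the entry itself is stale or corrupted the loop will still dereference it, which is worth keeping in mind when reading the bss pointer in frame #0.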