wpa_supplicant segfault in large WLAN
Ben Greear
greearb
Thu Sep 26 12:06:09 PDT 2013
On 09/26/2013 12:03 PM, Matt Causey wrote:
> Another detail that may or may not be of interest is that most of these access points are 4x4:3 APs - which may or may not affect what's in the IE on the beacons.
What chipset, if I may ask? Might want to get some to play with :)
> /**
> * wpa_bss_get_vendor_ie - Fetch a vendor information element from a BSS entry
> * @bss: BSS table entry
> * @vendor_type: Vendor type (four octets starting the IE payload)
> * Returns: Pointer to the information element (id field) or %NULL if not found
> *
> * This function returns the first matching information element in the BSS
> * entry.
> */
> const u8 * wpa_bss_get_vendor_ie(const struct wpa_bss *bss, u32 vendor_type)
> {
>         const u8 *end, *pos;
>
>         pos = (const u8 *) (bss + 1);
>         end = pos + bss->ie_len;
>
>         while (pos + 1 < end) {
>                 if (pos + 2 + pos[1] > end) <-------- **LINE 912**
>                         break;
Use gdb to print out *bss, pos, end.
Looks like something is probably walking off the end of the bss info
I'd guess.
Thanks,
Ben
--
Ben Greear <greearb at candelatech.com>
Candela Technologies Inc http://www.candelatech.com
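To make the suggestion above concrete, here is an added, stand-alone C example (not wpa_supplicant's code, and not from this thread). It reproduces the same loop shape over a constructed IE list, adds a checker that tells whether every element fits inside ie_len, and models the "header struct followed by ie_len octets" layout so that the one thing worth checking in gdb first, whether (bss + 1) + ie_len stays inside the allocation, can be expressed as a function. struct bss_entry, find_vendor_ie, ie_list_is_well_formed, make_bss and the sample IE bytes are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* IEEE 802.11 element ID 221 is "Vendor Specific". */
#define WLAN_EID_VENDOR_SPECIFIC 221

/* Big-endian 32-bit read (OUI + vendor type), same as WPA_GET_BE32 does. */
static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Same loop as the quoted function, over an explicit (ie, ie_len) pair.
 * Returns a pointer to the element ID octet, or NULL if not found. An element
 * whose length field runs past end stops the walk instead of being read. */
const uint8_t *find_vendor_ie(const uint8_t *ie, size_t ie_len, uint32_t vendor_type)
{
    const uint8_t *pos = ie, *end = ie + ie_len;

    while (pos + 1 < end) {             /* need both the ID and length octets */
        if (pos + 2 + pos[1] > end)     /* element claims more than is left */
            break;
        if (pos[0] == WLAN_EID_VENDOR_SPECIFIC && pos[1] >= 4 &&
            vendor_type == get_be32(&pos[2]))
            return pos;
        pos += 2 + pos[1];
    }
    return NULL;
}

/* 1 if every element fits exactly inside ie_len, 0 if the list is truncated
 * or a length field overruns the buffer (the case the walk silently stops on). */
int ie_list_is_well_formed(const uint8_t *ie, size_t ie_len)
{
    size_t off = 0;
    while (off < ie_len) {
        if (off + 2 > ie_len)
            return 0;                   /* lone ID octet, no length octet */
        size_t elen = ie[off + 1];
        if (off + 2 + elen > ie_len)
            return 0;
        off += 2 + elen;
    }
    return 1;
}

/* Hypothetical stand-in for the BSS table entry: a header struct with the IE
 * octets stored right after it in the same allocation, reached as (bss + 1). */
struct bss_entry {
    size_t ie_len;
};

/* Allocate header + IEs in one block, like a BSS entry. Caller frees. */
struct bss_entry *make_bss(const uint8_t *ie, size_t ie_len)
{
    struct bss_entry *bss = malloc(sizeof(*bss) + ie_len);
    if (!bss)
        return NULL;
    bss->ie_len = ie_len;
    memcpy(bss + 1, ie, ie_len);
    return bss;
}

/* The first thing to verify when the bounds check itself faults: does
 * (bss + 1) + ie_len stay inside what was actually allocated for the entry? */
int bss_ie_region_in_bounds(const struct bss_entry *bss, size_t alloc_size)
{
    return alloc_size >= sizeof(*bss) &&
           bss->ie_len <= alloc_size - sizeof(*bss);
}

const uint8_t *bss_find_vendor_ie(const struct bss_entry *bss, uint32_t vendor_type)
{
    return find_vendor_ie((const uint8_t *)(bss + 1), bss->ie_len, vendor_type);
}

/* Constructed sample, not a real capture: SSID "lab", Supported Rates,
 * a vendor element with OUI 00:50:f2 type 1 (WPA), and one with type 2 (WMM). */
const uint8_t sample_ies[] = {
    0x00, 0x03, 'l', 'a', 'b',                              /* SSID, offset 0 */
    0x01, 0x04, 0x82, 0x84, 0x8b, 0x96,                     /* rates, offset 5 */
    0xdd, 0x06, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00,         /* WPA, offset 11 */
    0xdd, 0x07, 0x00, 0x50, 0xf2, 0x02, 0x00, 0x01, 0x00,   /* WMM, offset 19 */
};
const size_t sample_ies_len = sizeof(sample_ies);
```

Passing a shorter ie_len than the real list (27 or 12 instead of 28) shows both outcomes side by side: the walk returns NULL without touching bytes past end, and ie_list_is_well_formed reports the truncation. If gdb shows end beyond the entry's allocation, or a pos that is not (bss + 1) plus a sum of element sizes, the corruption happened before this function ran, which is what the check in bss_ie_region_in_bounds is for.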