wpa_supplicant segfault in large WLAN

Jouni Malinen
Thu Sep 26 12:37:51 PDT 2013

On Thu, Sep 26, 2013 at 03:15:47PM -0400, Matt Causey wrote:
> (gdb) print bss
> $1 = (const struct wpa_bss *) 0x8ada590
> (gdb) print pos
> $2 = (const u8 *) 0x8ae6fff ""
> (gdb) print end
> $3 = (const u8 *) 0x8b38315 <Address 0x8b38315 out of bounds>

Lovely. This was indeed corruption somewhere else like I assumed.
bss->ie_len is something in the neighborhood of 375 kB. Things crashed
when reading about 50 kB into it.. ;-)  So yes, obviously that ie_len is
not correct. The difficult part is in figuring out when it became
incorrect, though. valgrind could help, but not necessarily.

Jouni Malinen                                            PGP id EFC895FA
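An added example, not hostap's own code, of the pos/end walk over bss IEs that this thread is debugging: it rejects an implausible ie_len (such as the ~375 kB value above) before touching the buffer, and bounds-checks each element's length field so a malformed IE stops the walk instead of reading past end. The IE_LEN_SANE_MAX threshold, the struct subset and the sample IE buffer are assumptions constructed for the example.

```c
/* Added example (not hostap code): defensive walk over a BSS IE buffer.
 * Refuses a nonsensical ie_len up front and stops at the first element
 * whose length field runs past the end of the buffer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t u8;

/* Assumed plausibility bound: an IE blob longer than this cannot have
 * come from a real management frame body, so treat it as corruption. */
#define IE_LEN_SANE_MAX 2304

/* Returns the number of well-formed IEs, or -1 if ie_len is implausible.
 * *truncated is set when a trailing element overruns the buffer. */
int walk_ies(const u8 *ies, size_t ie_len, int *truncated)
{
    const u8 *pos = ies, *end;
    int count = 0;

    *truncated = 0;
    if (ie_len > IE_LEN_SANE_MAX) {
        fprintf(stderr, "ie_len=%zu exceeds sane maximum, not parsing\n", ie_len);
        return -1;          /* corrupted length: do not walk into unmapped memory */
    }
    end = ies + ie_len;
    while (end - pos >= 2) {
        u8 id = pos[0], len = pos[1];
        /* Compare remaining bytes, not pos + 2 + len, so no pointer past end is formed */
        if (len > end - pos - 2) {
            *truncated = 1; /* element claims more bytes than remain */
            break;
        }
        printf("IE id=%u len=%u\n", id, len);
        pos += 2 + len;
        count++;
    }
    if (pos != end)
        *truncated = 1;     /* stray trailing byte(s) or overrun */
    return count;
}

/* Constructed sample: SSID "test", Supported Rates, then an RSN element
 * claiming 20 bytes with only 2 present. */
static const u8 sample_ies[] = {
    0x00, 0x04, 't', 'e', 's', 't',
    0x01, 0x03, 0x82, 0x84, 0x8b,
    0x30, 0x14, 0x01, 0x00
};

int main(void)
{
    int trunc;
    int n = walk_ies(sample_ies, sizeof(sample_ies), &trunc);
    printf("%d well-formed IEs, truncated=%d\n", n, trunc);
    return 0;
}
```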
