wpa_supplicant segfault in large WLAN
Jouni Malinen
Thu Sep 26 12:37:51 PDT 2013
On Thu, Sep 26, 2013 at 03:15:47PM -0400, Matt Causey wrote:
> (gdb) print bss
> $1 = (const struct wpa_bss *) 0x8ada590
> (gdb) print pos
> $2 = (const u8 *) 0x8ae6fff ""
> (gdb) print end
> $3 = (const u8 *) 0x8b38315 <Address 0x8b38315 out of bounds>
Lovely. This was indeed corruption somewhere else like I assumed.
bss->ie_len is something in the neighborhood of 375 kB. Things crashed
when reading about 50 kB into it.. ;-) So yes, obviously that ie_len is
not correct. The difficult part is in figuring out when it became
incorrect, though. valgrind could help, but not necessarily.
--
Jouni Malinen PGP id EFC895FA
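The gdb values above show the failure mode: a stored ie_len far larger than any real frame makes `end` point past the mapped heap, so a plain `pos < end` walk over the Information Elements reads until it hits unmapped memory. The walker below is an added example written for this page, not wpa_supplicant's own IE parsing code; it shows the two checks such a loop needs: a plausibility ceiling on ie_len (the `IE_LEN_SANE_MAX` value is an assumed, hypothetical constant chosen here) and a per-element check that each length byte fits in the bytes that remain. The sample IE runs are constructed for the example, not captured from a network.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t u8;

/* Assumed ceiling on how many bytes of IEs a single Beacon / Probe Response
 * body can plausibly carry. Real frames are much smaller, so an ie_len above
 * this (like the ~375 kB seen in the crash) is treated as corruption, not
 * data. Hypothetical value for this example, not a wpa_supplicant constant. */
#define IE_LEN_SANE_MAX 4096

/* Walk a run of 802.11 Information Elements (id, len, payload...).
 * Returns the number of complete elements, or -1 if ie_len is implausible
 * or an element claims more bytes than remain (truncated or corrupted run).
 * Never dereferences anything at or beyond ies + ie_len. */
static int ie_walk(const u8 *ies, size_t ie_len)
{
    const u8 *pos = ies;
    const u8 *end;
    int count = 0;

    if (ies == NULL || ie_len > IE_LEN_SANE_MAX)
        return -1;                      /* refuse a corrupted length up front */
    end = ies + ie_len;

    while (pos < end) {
        size_t remaining = (size_t)(end - pos);

        if (remaining < 2)
            return -1;                  /* two-byte header does not fit */
        if (pos[1] > remaining - 2)
            return -1;                  /* payload would run past the buffer */
        pos += 2 + pos[1];
        count++;
    }
    return count;
}

/* Find the first element with the given id using the same bounds checks.
 * Returns a pointer to the element header (id byte) or NULL. */
static const u8 *ie_find(const u8 *ies, size_t ie_len, u8 id)
{
    const u8 *pos = ies;
    const u8 *end;

    if (ie_walk(ies, ie_len) < 0)
        return NULL;                    /* do not search a run that fails validation */
    end = ies + ie_len;
    while (pos < end) {
        if (pos[0] == id)
            return pos;
        pos += 2 + pos[1];
    }
    return NULL;
}

/* Constructed sample: SSID "test", Supported Rates {1, 2 Mbps},
 * DS Parameter Set channel 6. */
static const u8 sample_ies_ok[] = {
    0x00, 0x04, 't', 'e', 's', 't',
    0x01, 0x02, 0x82, 0x84,
    0x03, 0x01, 0x06,
};

/* Same run, but the last length byte claims 5 payload bytes while only
 * one byte follows it: an unchecked walker would read 4 bytes past the end. */
static const u8 sample_ies_truncated[] = {
    0x00, 0x04, 't', 'e', 's', 't',
    0x01, 0x02, 0x82, 0x84,
    0x03, 0x05, 0x06,
};

int main(void)
{
    const u8 *ds;

    printf("ok run:        %d elements\n", ie_walk(sample_ies_ok, sizeof(sample_ies_ok)));
    printf("truncated run: %d\n", ie_walk(sample_ies_truncated, sizeof(sample_ies_truncated)));
    /* The corrupted ie_len from the crash report, applied to a sane buffer. */
    printf("ie_len=375kB:  %d\n", ie_walk(sample_ies_ok, 375 * 1024));

    ds = ie_find(sample_ies_ok, sizeof(sample_ies_ok), 0x03);
    if (ds != NULL)
        printf("DS Parameter Set: channel %u\n", ds[2]);
    return 0;
}
```

The ceiling check is what turns the crash in the report into a clean rejection: once ie_len is wrong, no amount of per-element checking helps, because `end` itself already lies outside the allocation. Finding where ie_len was overwritten remains a separate memory-corruption hunt, as the reply says.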