wpa_supplicant segfault in large WLAN
Jouni Malinen
j
Thu Sep 26 13:29:19 PDT 2013
On Thu, Sep 26, 2013 at 03:40:30PM -0400, Matt Causey wrote:
> (gdb) print *bss
> $8 = {list = {next = 0x1ac0f00, prev = 0x964000}, list_id = {next =
> 0x163d0028, prev = 0x40895}, id = 0, scan_miss_count = 0,
> last_update_idx = 0, flags = 0, bssid = "\000\000\177\004\000\020",
> hessid = "\000\000\205\036\000",
> ssid =
> "\217\000\017\000?\003Y\000OAK3-IDF16-NN6-\000\000\000\000?\226\006\000@",
> ssid_len = 721046, freq = 1342183645, beacon_int = 754,
> caps = 257, qual = -1543307136, noise = -1540947968, level = 1128398848,
> tsf = 494551736790417502, last_update = {sec = 26624000,
> usec = 98370561}, anqp = 0x3964000, ie_len = 384261, beacon_ie_len =
> 151754304}
This has clearly been overwritten with something and based on those
values, I'd assume that this something has been other frames. For
example, ie_len = 384261 = 0x05DD05 which looks like a very possible IE
contents in a scan result.. As do the other values like 151754304 =
0x90B9640 and 98370561 = 0x05DD0401.
Either the pointer is invalid (e.g., pointing to previously freed
memory that happened to include another BSS entry, but with a bit
different offsets) or another frame update ended up going over a full
BSS entry. I'm hoping on valgrind being helpful here.
There were a bug or two that could have produced something like this,
but I checked that those had already been fixed prior to 2.0 release.
--
Jouni Malinen PGP id EFC895FA
More information about the Hostap
mailing list