wpa_supplicant segfault in large WLAN

Jouni Malinen
Fri Sep 27 06:13:21 PDT 2013

On Thu, Sep 26, 2013 at 09:37:54PM -0400, Matt Causey wrote:
> I can't seem to do anything that will cause this segfault to happen
> w/valgrind.  :-(  What do you think about this:
> ==25997== ERROR SUMMARY: 155711 errors from 129 contexts (suppressed: 27 from 6)
> I've attached the full and compressed valgrind log, though it may end up
> being scrubbed by the server.

Thanks! This is a good example where valgrind ends up hiding the
segfault when a program accesses freed memory. Such a bug is a critical
issue always so it does not really matter whether the program crashes or
not (with or without valgrind).

I was able to reproduce this by replaying the scan results and the
configuration you were using. The issue is triggered by a removal of the
oldest BSS entry at a very inconvenient time and yes, this was very much
related to the large number of BSSes in the scan results. For this to
show up, you would need to have at least 200 BSSes that match a network
configuration block in the scan results. And well, you did have 739 such
BSSes.. ;-)

This commit fixes the issue:

In addition, while reviewing the implementation, I found another
potential issue that could result in somewhat similar problems. Though,
I don't think this should happen with nl80211 driver interface. Anyway,
the fix is here:

Please let me know if these address the issues you were seeing.

Jouni Malinen                                            PGP id EFC895FA
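Added illustration (not code from wpa_supplicant or from this thread) of the hazard described above: a hypothetical bounded BSS table that frees its oldest entry when a new scan result pushes it past 200, beside an id-based lookup that lets a caller keep a reference across that insert without reading freed memory. The struct and function names, the 200 cap as a constant and the id scheme are assumptions of this model.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a bounded BSS table; not wpa_supplicant's code. */
#define BSS_MAX 200

struct bss {
    unsigned id;              /* monotonically increasing, never reused */
    unsigned char bssid[6];
    struct bss *next;
};

struct bss_table {
    struct bss *head, *tail;  /* oldest at head, newest at tail */
    size_t count;
    unsigned next_id;
};

/* Add one scan result; once BSS_MAX entries are held, the oldest is freed.
 * A raw pointer to that entry kept elsewhere now dangles: reading through it
 * is the invalid read valgrind reports, and whether it also segfaults depends
 * only on what the allocator has since done with the block. */
static struct bss *bss_add(struct bss_table *t, const unsigned char *bssid)
{
    struct bss *b = calloc(1, sizeof *b);
    if (!b) return NULL;
    b->id = t->next_id++;
    memcpy(b->bssid, bssid, sizeof b->bssid);
    if (t->tail) t->tail->next = b; else t->head = b;
    t->tail = b;
    if (++t->count > BSS_MAX) {
        struct bss *oldest = t->head;
        t->head = oldest->next;
        t->count--;
        free(oldest);
    }
    return b;
}

/* Safe way to keep a reference across bss_add(): hold the id, not the
 * pointer, and re-resolve afterwards; NULL means the entry was evicted. */
static struct bss *bss_get_by_id(struct bss_table *t, unsigned id)
{
    for (struct bss *b = t->head; b; b = b->next)
        if (b->id == id)
            return b;
    return NULL;
}
```

With 740 constructed results fed in, re-resolving the first entry's id afterwards returns NULL rather than a pointer into freed memory, which is the condition that showed up in the valgrind log as invalid reads.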
