[PATCH 0/2] RFC - support P2P group removal on ctrl_iface

Jouni Malinen j
Sat Oct 18 07:53:03 PDT 2014 

On Tue, Oct 14, 2014 at 06:34:41PM +0100, Toby Gray wrote:
> I've noticed that it's possible to get wpa_supplicant to access
> already free'd memory by doing the following:
> 
> * Form a P2P connection
> 
> * Connect to wpa_supplicant on the ctrl_iface for the P2P interface
>   (e.g. p2p-wlan0-1).
> 
> * Send wpa_supplicant a "P2P_REMOVE_GROUP *" command

Thanks for reporting this. As far as this sequence is concerned, you
should not really be doing that, i.e., that command is supposed to be
issued through the global control interface or the interface that was
used to request the group to be started. Anyway, obviously this should
not access freed memory, so that needs to be fixed.

> The first patch adds a test case for this. The test case does trigger
> a SEGV in logs/current/log5 (or valgrind warnings) but this doesn't
> seem to cause a test failure. Is that expected behaviour for the
> wpa_supplicant tests?

SEGV should have resulted in failure pretty quickly (though, I did not
see SEGV in my test runs). valgrind reports are processed only after the
full test run when stopping the processed, so for those, this was
expected. Anyway, the test case should really not ignore the timeout
from P2P_REMOVE_GROUP call. I removed the try/except part there and
applied this.

> The second patch isn't really a serious suggestion for a fix to the
> issue, but just a quick hack to confirm that the problem was really as
> I thought.
> 
> Any suggestions on a fix which isn't a nasty hack are welcomed (and
> I'm happy to create a suitable patch, I just need a suggestion for the
> direction to take).

This requires freeing the wpa_s instance from an eloop callback after
the control interface command has been completed. That is not exactly
ideal, but anyway, it's fine for avoiding the use of freed memory taken
into account this control interface operation should not really be
issued on the P2P group interface in the first place. I fixed this in
hostap.git.

-- 
Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list