wpabuf overflow with WPS
Xue Liu
xue.liu at dks-koeln.de
Tue May 10 00:18:16 PDT 2016
Hello
On 28/04/16 19:06, Jouni Malinen wrote:
> On Thu, Apr 28, 2016 at 01:31:05PM +0200, Xue Liu wrote:
>> I have removed the patch and generated a new hostapd program. Then I
>> ran the program with the -d option, and there is no wpabuf overflow, but
>> my Nexus 9 still cannot make a connection with the Clearfog board via
>> WPS. Since the debug info is quite long, I put it in the
>> attachment. Thank you.
> Thanks. This looks like something completely different. The client
> device does not seem to even try to associate with the AP. It does go
> through Authentication frame exchange, but then nothing.. The debug
> patch should have no impact on this type of functionality, so it is a
> bit difficult to say what caused this.
>
>> root@OpenWrt:~# hostapd -d hostapd.cfg
> Or are you maybe running this over a slow serial port connection? If so,
> there will likely be a significant extra latency on operations and it
> would be better to direct the output to a file with something like
>
> hostapd -dd hostapd.cfg > /tmp/hostapd.log
>
Yes. I am running hostapd over a serial port connection.
I did another test over the last few days and I found the problem is not in
hostapd but in wpa_supplicant. During the connection via WPS,
wpa_supplicant has a "Segmentation fault". I run wpa_supplicant with
"/usr/sbin/wpa_supplicant -dd -P /var/run/wpa_supplicant-wlan0.pid -D
nl80211 -i wlan0 -c wpa_supplicant-wlan0.conf -C /var/run/wpa_supplicant".
In addition, I compiled wpad with TARGET_CFLAGS += -ggdb3. I run "gdb
/usr/sbin/wpa_supplicant" and then "run -dd -P
/var/run/wpa_supplicant-wlan0.pid -D nl80211 -i wlan0 -c
wpa_supplicant-wlan0.conf -C /var/run/wpa_supplicant". When the segmentation
fault appears after "WPS: Generate new DH keys", I run "bt".
In the attachment you can find the wpa_supplicant_gdb.log file and the
wpa_supplicant-wlan0.conf file. It seems that there is no useful
backtrace info.
I would also like to say that in OpenWRT I use the wpad package to
replace wpa_supplicant and hostapd. I am a newbie to it, and I don't
know what the differences are.
Regards,
Xue Liu
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wpa_supplicant_gdb.log
Type: text/x-log
Size: 22338 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/hostap/attachments/20160510/77682e1e/attachment-0001.bin>
-------------- next part --------------
country=DE
update_config=1
network={
    scan_ssid=1
    ssid="Yun-AP"
    key_mgmt=WPA-PSK
    psk="12345678"
    proto=RSN
    bssid=90:A2:DA:F0:11:7E
}