eapol_test crashes starting with June 2025 commit 1adffc200

Fri Nov 21 08:30:41 PST 2025

This commit from 2025-06-25 seems to crash eapol_test:
    SCS: Renegotiate configured SCS policies with new AP after roaming
    https://git.w1.fi/cgit/hostap/commit/?id=1adffc2003ff4fd7a3f829d14b0fda6c07a27f1d

When tested with the parent commit  66df12a90..., eapol_test works.
The crash happens with the current main and based on a couple of
compiles between now and 2025-06-25, the crash has been present since
June.

When RADIUS Access-Accept with EAP Success is received, eapol_test
crashes just before exiting.
When authentication fails with Access-Reject and EAP Failure,
eapol_test does not crash.

% ~/src/hostap/wpa_supplicant/eapol_test -v
eapol_test v2.12-devel-hostap_2_11-945-g1adffc200

% ~/src/hostap/wpa_supplicant/eapol_test -c eapol-eap-md5.conf -s testing123 -n
[cut full output, will send if needed]
    EAP: Received EAP-Success
    EAP: Status notification: completion (param=success)
    EAP: EAP entering state SUCCESS
    CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
    EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
    WPA: EAPOL processing complete
    Cancelling authentication timeout
    State: DISCONNECTED -> COMPLETED
    zsh: segmentation fault  ~/src/hostap/wpa_supplicant/eapol_test -c
eapol-eap-md5.conf -s testing123 -n

Compared to the aforementioned parent commit, a working eapol_test
logs the following additional lines after 'State: ...' before exiting
successfully:

    EAPOL: SUPP_PAE entering state AUTHENTICATED
    EAPOL: SUPP_BE entering state RECEIVE
    EAPOL: SUPP_BE entering state SUCCESS
    EAPOL: SUPP_BE entering state IDLE
    eapol_sm_cb: result=1
    EAPOL: EAP key not available
    EAPOL: EAP Session-Id not available
    WPA: Clear old PMK and PTK
    EAP: deinitialize previously used EAP method (4, MD5) at EAP deinit
    MPPE keys OK: 0  mismatch: 0
    SUCCESS

The test setup is the same as described here
https://lists.infradead.org/pipermail/hostap/2025-February/043331.html
In short:
- EAP-MD5 for simplicity - crash is similar with other EPA methods
- Stock FreeRADIUS as server, installed from Mac Homebrew
- eapol_test config is the same as in February

Here's more information from a debugger run. CFLAGS were set to '-MMD
-Wall -g' for avoiding '-O2'.

EAP: Received EAP-Success
EAP: Status notification: completion (param=success)
EAP: EAP entering state SUCCESS
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
WPA: EAPOL processing complete
Cancelling authentication timeout
State: DISCONNECTED -> COMPLETED
Process 6442 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason =
EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x00000001000ef098
eapol_test`dl_list_len(list=0x000000016fdfeb20) at list.h:58:53
   55   {
   56           struct dl_list *item;
   57           int count = 0;
-> 58           for (item = list->next; item != list; item = item->next)
   59                   count++;
   60           return count;
   61   }
Target 0: (eapol_test) stopped.
(lldb) p *list
(const dl_list) {
  next = NULL
  prev = NULL
}
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason =
EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001000ef098
eapol_test`dl_list_len(list=0x000000016fdfeb20) at list.h:58:53
    frame #1: 0x00000001000ee908
eapol_test`wpa_supplicant_set_state(wpa_s=0x000000016fdfd960,
state=WPA_COMPLETED) at wpa_supplicant.c:1281:32
    frame #2: 0x0000000100120a08
eapol_test`eapol_test_eapol_done_cb(ctx=0x0000000100170808) at
eapol_test.c:352:2
    frame #3: 0x0000000100093a00
eapol_test`sm_SUPP_PAE_Step(sm=0x0000000100e8fe40) at
eapol_supp_sm.c:417:5
    frame #4: 0x0000000100093494
eapol_test`eapol_sm_step(sm=0x0000000100e8fe40) at
eapol_supp_sm.c:989:3
    frame #5: 0x0000000100094af4
eapol_test`eapol_sm_rx_eapol(sm=0x0000000100e8fe40, src="",
buf="\U00000002", len=8, encrypted=FRAME_ENCRYPTION_UNKNOWN) at
eapol_supp_sm.c:1393:4
    frame #6: 0x00000001001204e8
eapol_test`ieee802_1x_decapsulate_radius(e=0x0000000100170808) at
eapol_test.c:850:3
    frame #7: 0x000000010011fe14
eapol_test`ieee802_1x_receive_auth(msg=0x0000000100e9a360,
req=0x0000000100ea0420, shared_secret="testing123",
shared_secret_len=10, data=0x0000000100170808) at eapol_test.c:964:2
    frame #8: 0x0000000100124d14
eapol_test`radius_client_receive(sock=3, eloop_ctx=0x0000000100e8db90,
sock_ctx=0x0000000000000000) at radius_client.c:1279:9
    frame #9: 0x000000010001db08
eapol_test`eloop_sock_table_dispatch(table=0x0000000100170640,
fds=0x0000000100e9d900) at eloop.c:603:4
    frame #10: 0x000000010001d6e8 eapol_test`eloop_run at eloop.c:1233:3
    frame #11: 0x000000010011e8d4 eapol_test`main(argc=5,
argv=0x000000016fdff300) at eapol_test.c:1586:2
    frame #12: 0x0000000181659d54 dyld`start + 7184
(lldb)

-- 
Heikki Vatiainen
hvn at radiatorsoftware.com