hostapd crash (due to unaligned access)

Pavel Roskin proski
Sun Mar 14 11:32:09 PST 2004


On Sun, 14 Mar 2004, M. Grabert wrote:

> I tracked down the problem in hostapd/receive.c, line 179/180 of current
> CVS of hostap.
>
>     179                 elen = (u16 *) (buf + len - 1);
>     180                 extra_len = le_to_host16(*elen);
>
> The last line is triggering the unaligned trap handler on Linux/PA-RISC.

This code should not be executed at all.  Protocol version 3 is not used
in the driver.  802.11 uses protocol version 0.  hostap driver changes it
to 1 or 2 in hostap_ap_tx_cb(), file hostap_ap.c to pass some information
to hostapd (whether the frame was ACKed).

Protocol 3 is something that the driver doesn't ever pass to hostapd.
The real problem is that you are getting such frames.  See what happens
with fc in hostap_ap_tx_cb().

Try the old hostapd with the new driver and vice versa to see where the
bug was introduced.

You can set debug=3 and daemonize=0 in hostapd.conf and see frames dumps.
Look at the frames with the first byte having bits 0 and 1 set.  You can
post one to the list.

As for that line, it should probably be changed to "elen = (u16 *) (buf +
len - 2);" but it shouldn't matter - this code should not be run at all!

-- 
Regards,
Pavel Roskin

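As an added illustration (not code from hostapd or from either poster): the two things the reply turns on are the frame-control check, where the 802.11 protocol version is bits 0 and 1 of the first byte of the frame, and the trailing u16 read in receive.c, which dereferences a u16 pointer at an odd offset and so traps on strict-alignment CPUs such as PA-RISC. The C below reads the version field, filters the unexpected version-3 frames Pavel asks to look for in a debug=3 dump, and loads the trailing little-endian u16 with two byte loads at offset len - 2. The frame bytes are constructed for the example; the function names are mine, not hostapd's.

```c
/* Added example, not hostapd code.  Shows the frame-control version
 * check and an alignment-safe read of a trailing little-endian u16.
 * The sample frames below are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed 802.11 data frame: frame control 0x0208 (protocol
 * version 0, type data), a 24-byte header, then a little-endian
 * 0x1234 appended as the "extra" trailer receive.c reads. */
static const uint8_t sample_frame_v0[] = {
    0x08, 0x02,                         /* frame control: version 0 */
    0x00, 0x00,                         /* duration */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, /* addr1 */
    0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, /* addr2 */
    0xcc, 0xdd, 0xee, 0xff, 0x00, 0x11, /* addr3 */
    0x10, 0x00,                         /* sequence control */
    0x34, 0x12                          /* trailing u16 = 0x1234 LE */
};

/* Same header start, but bits 0 and 1 of the first byte are set:
 * protocol version 3, which the driver never hands to hostapd. */
static const uint8_t sample_frame_v3[] = { 0x0b, 0x02, 0x00, 0x00 };

/* 802.11 frame control: protocol version is bits 0-1 of octet 0.
 * 802.11 itself uses version 0; the hostap driver rewrites it to 1
 * or 2 in hostap_ap_tx_cb() to tell hostapd whether the frame was
 * ACKed.  A value of 3 means something upstream went wrong. */
static unsigned fc_proto_version(const uint8_t *frame)
{
    return frame[0] & 0x03;
}

/* Returns 1 for the frames Pavel asks to look for in the dump:
 * first byte with both bits 0 and 1 set. */
static int fc_is_version3(const uint8_t *frame)
{
    return fc_proto_version(frame) == 3;
}

/* Alignment-safe little-endian 16-bit load.  Two byte loads never
 * trap, whereas *(u16 *)p does on strict-alignment CPUs (PA-RISC,
 * SPARC, older ARM) whenever p is odd. */
static uint16_t le16_load(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Reads the u16 stored in the last two bytes of buf.  The offset is
 * len - 2; the quoted receive.c lines use len - 1, which reads one
 * byte past the end.  Returns -1 if the buffer is too short. */
static int trailing_extra_len(const uint8_t *buf, size_t len)
{
    if (len < 2)
        return -1;
    return le16_load(buf + len - 2);
}

int main(void)
{
    printf("frame_v0: version %u, version3? %d, extra_len 0x%04x\n",
           fc_proto_version(sample_frame_v0),
           fc_is_version3(sample_frame_v0),
           (unsigned)trailing_extra_len(sample_frame_v0,
                                        sizeof sample_frame_v0));
    printf("frame_v3: version %u, version3? %d\n",
           fc_proto_version(sample_frame_v3),
           fc_is_version3(sample_frame_v3));
    return 0;
}
```

On a strict-alignment host the byte-wise load is the only portable way to read a 16-bit value at an arbitrary offset; on x86 the u16-pointer cast happens to work, which is why the trap only showed up on PA-RISC.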