Fwd: Segmentation Fault: madwifi and hostapd

Chad Meister chadlich
Sun Jan 29 21:28:41 PST 2006 

Hi,

Thanks for investigating this.  To answer your
questions, I'm running Debian stable with glibc
version 2.3.2., on a 32-bit PowerPC (Apple).

Yes, the information I gave originally was from gdb,
which I'm only vaguely familiar with.  Here's
hopefully the backtrace that you requested:

--------begin backtrace

Program received signal SIGSEGV, Segmentation fault.
0x0fd9489c in strlen () from /lib/libc.so.6
(gdb) up
#1  0x0fd636bc in vfprintf () from /lib/libc.so.6
(gdb) up
#2  0x0fdef43c in vsyslog () from /lib/libc.so.6
(gdb) up
#3  0x00000000 in ?? ()
(gdb) up
#4  0x00000000 in ?? ()
(gdb) up
Previous frame identical to this frame (corrupt
stack?)
(gdb) bt
#0  0x0fd9489c in strlen () from /lib/libc.so.6
#1  0x0fd636bc in vfprintf () from /lib/libc.so.6
#2  0x0fdef43c in vsyslog () from /lib/libc.so.6
#3  0x00000000 in ?? ()
#4  0x00000000 in ?? ()

---------end bt

If I did this incorrectly, please let me know.

Things get strange when I run hostapd with valgrind
using the previously posted configuration file.  Just
to determine if hostapd is interacting with the
freeradius daemon, I have radiusd running in a
separate terminal in debug mode, so that I can watch
it interact with requests.  Normally, when I run
hostapd (simply from the command line or through gdb),
hostapd does not interact with radiusd.  However,
running hostapd with valgrind, hostapd starts to
communicate with radiusd, and, if I'm not mistaken, it
makes the connection.  Here's the valgrind session:

-----begin valgrind -----
anima:/home/chadlich# valgrind /usr/local/bin/hostapd
/etc/hostapd/wpaeap 
==19408== Memcheck, a memory error detector for
ppc-linux.
==19408== Copyright (C) 2002-2005, and GNU GPL'd, by
Julian Seward et al.
==19408== Using valgrind-2.4.1-ppc, a program
supervision framework for ppc-linux.
==19408== Copyright (C) 2000-2005, and GNU GPL'd, by
Julian Seward et al.
==19408== For more details, rerun with: -v
==19408== 
Configuration file: /etc/hostapd/wpaeap
madwifi_set_iface_flags: dev_up=0
==19408== Conditional jump or move depends on
uninitialised value(s)
==19408==    at 0xFFBB894: memcmp
(mac_replace_strmem.c:325)
==19408==    by 0x10004878: hostapd_setup_interface
(hostapd.c:464)
==19408==    by 0x10004FD0: main (hostapd.c:808)
Using interface ath0 with hwaddr 00:0f:cb:b1:bd:eb and
ssid 'ousia'
ath0: RADIUS Authentication server 127.0.0.1:1812
==19408== 
==19408== Conditional jump or move depends on
uninitialised value(s)
==19408==    at 0xFD184BC: vfprintf (in
/lib/libc-2.3.2.so)
==19408==    by 0xFDA4438: vsyslog (in
/lib/libc-2.3.2.so)
==19408==    by 0x10003A8C: hostapd_logger
(hostapd.c:155)
==19408==    by 0x100171E0: radius_change_server
(radius_client.c:713)
==19408==    by 0x100174E8: radius_client_init_auth
(radius_client.c:842)
==19408==    by 0x10017778: radius_client_init
(radius_client.c:932)
==19408==    by 0x10004690: hostapd_setup_interface
(hostapd.c:478)
==19408==    by 0x10004FD0: main (hostapd.c:808)
==19408== 
==19408== Conditional jump or move depends on
uninitialised value(s)
==19408==    at 0xFD19528: vfprintf (in
/lib/libc-2.3.2.so)
==19408==    by 0xFDA4438: vsyslog (in
/lib/libc-2.3.2.so)
==19408==    by 0x10003A8C: hostapd_logger
(hostapd.c:155)
==19408==    by 0x100171E0: radius_change_server
(radius_client.c:713)
==19408==    by 0x100174E8: radius_client_init_auth
(radius_client.c:842)
==19408==    by 0x10017778: radius_client_init
(radius_client.c:932)
==19408==    by 0x10004690: hostapd_setup_interface
(hostapd.c:478)
==19408==    by 0x10004FD0: main (hostapd.c:808)
==19408== 
==19408== Use of uninitialised value of size 4
==19408==    at 0xFD18FA8: vfprintf (in
/lib/libc-2.3.2.so)
==19408==    by 0xFDA4438: vsyslog (in
/lib/libc-2.3.2.so)
==19408==    by 0x10003A8C: hostapd_logger
(hostapd.c:155)
==19408==    by 0x100171E0: radius_change_server
(radius_client.c:713)
==19408==    by 0x100174E8: radius_client_init_auth
(radius_client.c:842)
==19408==    by 0x10017778: radius_client_init
(radius_client.c:932)
==19408==    by 0x10004690: hostapd_setup_interface
(hostapd.c:478)
==19408==    by 0x10004FD0: main (hostapd.c:808)
==19408== 
==19408== Conditional jump or move depends on
uninitialised value(s)
==19408==    at 0xFD18FB0: vfprintf (in
/lib/libc-2.3.2.so)
==19408==    by 0xFDA4438: vsyslog (in
/lib/libc-2.3.2.so)
==19408==    by 0x10003A8C: hostapd_logger
(hostapd.c:155)
==19408==    by 0x100171E0: radius_change_server
(radius_client.c:713)
==19408==    by 0x100174E8: radius_client_init_auth
(radius_client.c:842)
==19408==    by 0x10017778: radius_client_init
(radius_client.c:932)
==19408==    by 0x10004690: hostapd_setup_interface
(hostapd.c:478)
==19408==    by 0x10004FD0: main (hostapd.c:808)
==19408== 
==19408== Conditional jump or move depends on
uninitialised value(s)
==19408==    at 0xFD18C78: vfprintf (in
/lib/libc-2.3.2.so)
==19408==    by 0xFDA4438: vsyslog (in
/lib/libc-2.3.2.so)
==19408==    by 0x10003A8C: hostapd_logger
(hostapd.c:155)
==19408==    by 0x100171E0: radius_change_server
(radius_client.c:713)
==19408==    by 0x100174E8: radius_client_init_auth
(radius_client.c:842)
==19408==    by 0x10017778: radius_client_init
(radius_client.c:932)
==19408==    by 0x10004690: hostapd_setup_interface
(hostapd.c:478)
==19408==    by 0x10004FD0: main (hostapd.c:808)
==19408== 
==19408== Conditional jump or move depends on
uninitialised value(s)
==19408==    at 0xFD18ADC: vfprintf (in
/lib/libc-2.3.2.so)
==19408==    by 0xFDA4438: vsyslog (in
/lib/libc-2.3.2.so)
==19408==    by 0x10003A8C: hostapd_logger
(hostapd.c:155)
==19408==    by 0x100171E0: radius_change_server
(radius_client.c:713)
==19408==    by 0x100174E8: radius_client_init_auth
(radius_client.c:842)
==19408==    by 0x10017778: radius_client_init
(radius_client.c:932)
==19408==    by 0x10004690: hostapd_setup_interface
(hostapd.c:478)
==19408==    by 0x10004FD0: main (hostapd.c:808)
ath0: RADIUS Accounting server 127.0.0.1:1813
madwifi_set_ieee8021x: enabled=1
madwifi_configure_wpa: group key cipher=1
madwifi_configure_wpa: pairwise key ciphers=0xa
madwifi_configure_wpa: key management algorithms=0x1
madwifi_configure_wpa: rsn capabilities=0x0
madwifi_configure_wpa: enable WPA= 0x1
madwifi_set_iface_flags: dev_up=1
madwifi_set_privacy: enabled=1
==19408== 
==19408== Syscall param ioctl(generic) points to
uninitialised byte(s)
==19408==    at 0xFD9F8DC: tcgetattr (in
/lib/libc-2.3.2.so)
==19408==    by 0xFD9B118: isatty (in
/lib/libc-2.3.2.so)
==19408==    by 0xFD2FFC4: _IO_file_doallocate (in
/lib/libc-2.3.2.so)
==19408==    by 0xFD3E808: _IO_doallocbuf (in
/lib/libc-2.3.2.so)
==19408==    by 0xFD3D954: (within /lib/libc-2.3.2.so)
==19408==    by 0xFD3E9F4: _IO_sgetn (in
/lib/libc-2.3.2.so)
==19408==    by 0xFD30F78: fread (in
/lib/libc-2.3.2.so)
==19408==    by 0x1000DD64: hostapd_get_rand
(common.c:52)
==19408==    by 0x10019508: wpa_init (wpa.c:700)
==19408==    by 0x10004730: hostapd_setup_interface
(hostapd.c:507)
==19408==    by 0x10004FD0: main (hostapd.c:808)
==19408==  Address 0x349FE110 is on thread 1's stack
WPA: group state machine entering state GTK_INIT
GMK - hexdump(len=32): 9e f3 61 a6 09 6e 6a bc d2 80
c3 56 d5 0b bb d1 a2 3f af e2 6f 11 83 d1 a9 e3 a4 5f
9a 47 dc 9f
GTK - hexdump(len=32): 1b 41 eb 57 c2 4b fa f8 3b 65
95 e9 f0 ed 02 c1 9d b6 6a 9a 17 f3 29 3f be 73 9c 66
44 0f 48 3a
WPA: group state machine entering state SETKEYSDONE
madwifi_set_key: alg=TKIP addr=00:00:00:00:00:00
key_idx=1
RADIUS message: code=4 (Accounting-Request)
identifier=0 length=69
   Attribute 40 (Acct-Status-Type) length=6
      Value: 7
   Attribute 45 (Acct-Authentic) length=6
      Value: 1
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 30 (Called-Station-Id) length=25
      Value: '00-0F-CB-B1-BD-EB:ousia'
   Attribute 49 (Acct-Terminate-Cause) length=6
      Value: 11
Flushing old station entries
madwifi_sta_deauth: addr=ff:ff:ff:ff:ff:ff
reason_code=3
Deauthenticate all stations
l2_packet_receive - recvfrom: Network is down
RADIUS message: code=5 (Accounting-Response)
identifier=0 length=20
Signal 2 received - terminating
Flushing old station entries
madwifi_sta_deauth: addr=ff:ff:ff:ff:ff:ff
reason_code=3
Deauthenticate all stations
RADIUS message: code=4 (Accounting-Request)
identifier=1 length=69

------middle of valgrind session ----

Just from the look of things, the problem appears to
be around lines that read "Conditional jump or move
depends on uninitialised value(s)" Valgrind seem to
protect hostapd from completely crashing at these
instances, enabling hostapd to make the radius
connection.

Please note that the valgrind process stops at the
RADIUS message line above.  To 'continue' the program,
I press control-C. and get the remaining valgrind
output:

----final valgrind output -----
   Attribute 40 (Acct-Status-Type) length=6
      Value: 8
   Attribute 45 (Acct-Authentic) length=6
      Value: 1
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 30 (Called-Station-Id) length=25
      Value: '00-0F-CB-B1-BD-EB:ousia'
   Attribute 49 (Acct-Terminate-Cause) length=6
      Value: 11
madwifi_set_privacy: enabled=0
madwifi_set_ieee8021x: enabled=0
madwifi_set_iface_flags: dev_up=0
==19408== 
==19408== ERROR SUMMARY: 31 errors from 8 contexts
(suppressed: 7 from 1)
==19408== malloc/free: in use at exit: 0 bytes in 0
blocks.
==19408== malloc/free: 83 allocs, 83 frees, 29024
bytes allocated.
==19408== For counts of detected errors, rerun with:
-v
==19408== No malloc'd blocks -- no leaks are possible.

---end of valgrind output.

So what do you think after all this info?  Any ideas? 
Let me know if I need to run some further tests.

Thanks for your help,

Chad


--- Jouni Malinen <jkmaline at cc.hut.fi> wrote:

> On Sat, Jan 28, 2006 at 02:51:49PM -0800, Chad
> Meister wrote:
> 
> > After further investigation, I found that hostapd
> Seg
> > faults at line 135 on of hostapd.c.  The line
> > presumabably enters a log message and reads:
> > vsyslog(priority, format, ap).  In this case:
> > priority = 6
> > format = 0x1004fdd8 "ath0: RADIUS %s server %s:%d"
> > ap = {{gpr = 8 '\b', fpr = 0 '\0',
> overflow_arg_area =
> > 0x7f8002e8, reg_save_area = 0x7f800230}}
> > 
> > It then descends into libc.so.6 and gdb gives me
> the
> > following lines:
> > Program received signal SIGSEGV, Segmentation
> fault.
> > 0x0fd9489c in strlen () from /lib/libc.so.6
> 
> This sounds somewhat similar to an earlier report
> where C library code
> was causing a segmentation fault when called from
> hostapd_logger(). I
> have not been able to reproduce this and I don't
> know what could be
> going wrong here.
> 
> Which Linux distribution and which glibc version are
> you using? Could
> you please try running hostapd under valgrind? I'm
> assuming the data
> above is from gdb. Could you send full backtrace
> ('bt') and then
> function parameters by running 'up' couple of times?
> 
> -- 
> Jouni Malinen                                       
>     PGP id EFC895FA
> _______________________________________________
> HostAP mailing list
> HostAP at shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
> 






__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

More information about the Hostap mailing list