wpa_supplicant segfault in large WLAN

Jouni Malinen
Thu Sep 26 12:37:51 PDT 2013


On Thu, Sep 26, 2013 at 03:15:47PM -0400, Matt Causey wrote:
> (gdb) print bss
> $1 = (const struct wpa_bss *) 0x8ada590
> (gdb) print pos
> $2 = (const u8 *) 0x8ae6fff ""
> (gdb) print end
> $3 = (const u8 *) 0x8b38315 <Address 0x8b38315 out of bounds>

Lovely. This was indeed corruption somewhere else like I assumed.
bss->ie_len is something in the neighborhood of 375 kB. Things crashed
when reading about 50 kB into it.. ;-)  So yes, obviously that ie_len is
not correct. The difficult part is in figuring out when it became
incorrect, though. valgrind could help, but not necessarily.

-- 
Jouni Malinen                                            PGP id EFC895FA
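The crash above happens while an IE scanner walks `bss->ie_len` bytes with a `pos`/`end` pointer pair and the length field is garbage. The following is an added illustration, not wpa_supplicant code, of how such a walker can refuse an implausible length up front and stop at a truncated element instead of reading past the buffer; `IE_BLOB_MAX` is a hypothetical cap chosen for the example, and the IE bytes in `main` are constructed test data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical sanity cap on the size of an IE blob attached to a BSS.
 * Not a wpa_supplicant constant; pick whatever the real format allows. */
#define IE_BLOB_MAX 4096

/* Walk a buffer of 802.11 information elements (1-byte id, 1-byte length,
 * body) the way a scanner loop does, using pos/end pointers.
 * Returns the number of well-formed elements, or -1 when the claimed
 * ie_len is implausible, an element would extend past 'end', or a stray
 * partial header is left over at the end. */
int count_ies(const uint8_t *ies, size_t ie_len)
{
    const uint8_t *pos, *end;
    int n = 0;

    /* A corrupted length (e.g. hundreds of kB) is rejected before the
     * walk starts, so 'end' never points far outside the allocation. */
    if (ies == NULL || ie_len > IE_BLOB_MAX)
        return -1;

    pos = ies;
    end = ies + ie_len;

    while (end - pos >= 2) {
        uint8_t len = pos[1];
        /* Element body must fit in the bytes remaining after the header. */
        if (len > end - pos - 2)
            return -1;
        pos += 2 + len;
        n++;
    }

    /* One leftover byte means a truncated header, not a clean end. */
    return pos == end ? n : -1;
}

int main(void)
{
    /* Constructed: SSID "test" followed by a 2-rate Supported Rates IE. */
    const uint8_t good[] = { 0x00, 0x04, 't', 'e', 's', 't',
                             0x01, 0x02, 0x82, 0x84 };
    /* Constructed: an element claiming 10 body bytes with only 4 present. */
    const uint8_t truncated[] = { 0x00, 0x0a, 'a', 'b', 'c', 'd' };

    printf("good: %d elements\n", count_ies(good, sizeof(good)));
    printf("truncated: %d\n", count_ies(truncated, sizeof(truncated)));
    printf("bogus ie_len: %d\n", count_ies(good, 375 * 1024));
    return 0;
}
```

The length cap does not find the memory corruption that produced the bad `ie_len`; it only turns a silent overread into an error return that can be logged and investigated, which is the point at which a tool like valgrind becomes useful.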