wpa_supplicant segfault in large WLAN

Matt Causey matt.causey
Fri Sep 27 06:47:23 PDT 2013


On Fri, Sep 27, 2013 at 9:16 AM, Matt Causey <matt.causey at gmail.com> wrote:

> On Fri, Sep 27, 2013 at 9:13 AM, Jouni Malinen <j at w1.fi> wrote:
>
>> On Thu, Sep 26, 2013 at 09:37:54PM -0400, Matt Causey wrote:
>> > I can't seem to do anything that will cause this segfault to happen
>> > w/valgrind.  :-(  What do you think about this:
>> > ==25997== ERROR SUMMARY: 155711 errors from 129 contexts (suppressed: 27
>> > from 6)
>> >
>> > I've attached the full and compressed valgrind log, though it may end up
>> > being scrubbed by the server.
>>
>> Thanks! This is a good example where valgrind ends up hiding the
>> segfault when a program accesses freed memory. Such a bug is a critical
>> issue always so it does not really matter whether the program crashes or
>> not (with or without valgrind).
>>
>> I was able to reproduce this by replaying the scan results and the
>> configuration you were using. The issue is triggered by a removal of the
>> oldest BSS entry at a very inconvenient time and yes, this was very much
>> related to the large number of BSSes in the scan results. For this to
>> show up, you would need to have at least 200 BSSes that match a network
>> configuration block in the scan results. And well, you did have 739 such
>> BSSes.. ;-)
>>
>> This commit fixes the issue:
>>
>> http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff;h=a3cbf82e6d2b494e4c5e87b4101af2f941482400
>>
>> In addition, while reviewing the implementation, I found another
>> potential issue that could result in somewhat similar problems. Though,
>> I don't think this should happen with nl80211 driver interface. Anyway,
>> the fix is here:
>>
>> http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff;h=25b65a142dec4770a79f7a17867f0db93111f843
>>
>> Please let me know if these address the issues you were seeing.
>>
>
> I'll do it straight-away.  Thanks for all your help!  Shall I expect these
> patches to apply cleanly to the wpa_supplicant-2.0 release or should we
> migrate to hostap.git HEAD in our stack?
>
>
Nope - doesn't apply cleanly.  I'll pull the latest in git.

$ patch --strip 1 < ./dup_bssid.patch
patching file wpa_supplicant/bss.c
Hunk #1 FAILED at 625.
1 out of 1 hunk FAILED -- saving rejects to file wpa_supplicant/bss.c.rej
tc at box:~/dl/wpa_supplicant-2.0$ cat wpa_supplicant/bss.c.rej
***************
*** 625,632 ****
      bss = wpa_bss_get(wpa_s, res->bssid, ssid + 2, ssid[1]);
      if (bss == NULL)
          bss = wpa_bss_add(wpa_s, ssid + 2, ssid[1], res, fetch_time);
-     else
          bss = wpa_bss_update(wpa_s, bss, res, fetch_time);

      if (bss == NULL)
          return;
--- 625,642 ----
      bss = wpa_bss_get(wpa_s, res->bssid, ssid + 2, ssid[1]);
      if (bss == NULL)
          bss = wpa_bss_add(wpa_s, ssid + 2, ssid[1], res, fetch_time);
+     else {
          bss = wpa_bss_update(wpa_s, bss, res, fetch_time);
+         if (wpa_s->last_scan_res) {
+             unsigned int i;
+             for (i = 0; i < wpa_s->last_scan_res_used; i++) {
+                 if (bss == wpa_s->last_scan_res[i]) {
+                     /* Already in the list */
+                     return;
+                 }
+             }
+         }
+     }

      if (bss == NULL)
          return;

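Review bot: the early `return` inside the new `else {` block silently drops a scan entry whose `bss` is already in `last_scan_res`, but the only explanation is `/* Already in the list */`; given the file name dup_bssid.patch, a sentence saying that a single scan result set can carry the same BSSID more than once (so the second occurrence must not be added to the array twice) would document the intent for the next reader. The loop over `last_scan_res_used` also runs for every updated BSS, so processing one scan becomes quadratic in the number of matching BSSes; at the 739 entries discussed in this thread that is still cheap, but a per-BSS "seen in this scan" marker would avoid the rescan if the list grows further.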
--
Matt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.shmoo.com/pipermail/hostap/attachments/20130927/7a8743d4/attachment.htm>
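To illustrate the failure mode Jouni describes above, the oldest BSS entry being freed while the scan-result pointer array still refers to it, here is an added example in C that is not code from the hostap project: `struct cache`, `evict_oldest` and `run_scenario` are a constructed model that only borrows the names `last_scan_res` and `last_scan_res_used` from bss.c, and it shows the defensive step (drop every stale reference before the `free()`) rather than the crash.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of a bounded BSS cache (not wpa_supplicant's own code): the
 * oldest entry is evicted once MAX_BSS is reached, and a separate pointer
 * array, like last_scan_res in bss.c, refers into the cache. */
enum { MAX_BSS = 4, MAX_SCAN = 16 };
struct bss { int id; }; /* a real entry would carry BSSID, IEs, etc. */
struct cache {
    struct bss *entries[MAX_BSS];
    size_t count;
    struct bss *last_scan_res[MAX_SCAN]; /* must not outlive entries[] */
    size_t last_scan_res_used;
};

/* Evict the oldest entry. Dropping its last_scan_res pointer before free() is
 * what prevents the use-after-free; without the loop a dangling pointer stays. */
static int evict_oldest(struct cache *c)
{
    size_t i, j = 0, old = c->last_scan_res_used;
    for (i = 0; i < old; i++)
        if (c->last_scan_res[i] != c->entries[0])
            c->last_scan_res[j++] = c->last_scan_res[i];
    c->last_scan_res_used = j;
    free(c->entries[0]);
    memmove(&c->entries[0], &c->entries[1], --c->count * sizeof c->entries[0]);
    return (int)(old - j); /* references dropped */
}

/* Add n constructed BSSes, evicting when full, then check that every scan-result
 * pointer is still live. Returns references dropped, or -1 if a stale one survived. */
static int run_scenario(size_t n)
{
    struct cache c = { {0}, 0, {0}, 0 };
    size_t i, k;
    int dropped = 0, live;
    for (i = 0; i < n; i++) {
        struct bss *b = calloc(1, sizeof *b);
        if (!b) return -1;
        if (c.count == MAX_BSS) dropped += evict_oldest(&c);
        c.entries[c.count++] = b;
        if (c.last_scan_res_used < MAX_SCAN)
            c.last_scan_res[c.last_scan_res_used++] = b;
    }
    for (i = 0; i < c.last_scan_res_used; i++) {
        for (k = 0, live = 0; k < c.count; k++) live |= (c.entries[k] == c.last_scan_res[i]);
        if (!live) dropped = -1;
    }
    for (k = 0; k < c.count; k++) free(c.entries[k]);
    return dropped;
}
```

Running `run_scenario(6)` with a four-entry cache forces two evictions, each of which has to drop one scan-result reference; the same scenario without the scrubbing loop is exactly the kind of bug valgrind reports as a read of freed memory.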