SIGSEGV in Supplicant

Peer, Ilan ilan.peer
Mon Jun 1 03:44:38 PDT 2015


Hi,

It is possible that in this flow there was a pending query that had not been started yet, so when the gas_query_deinit() flow was executed and gas_query_free() was called, the 'query' object was freed, but without having the radio work removed. Thus, later, when all the radio works of the interface were removed, gas_query_start_cb() was called, which in turn called gas_query_free(), which tried to access query->list, which resulted in a segfault.

Can you please check if the attached patch fixes things? (I did not test it ...)

Regards,

Ilan.

> -----Original Message-----
> From: hostap-bounces at lists.shmoo.com [mailto:hostap-
> bounces at lists.shmoo.com] On Behalf Of abdoulaye berthe
> Sent: Monday, June 01, 2015 11:06
> To: hostap at lists.shmoo.com
> Cc: mikael.kanstrup at sonymobile.com; Abdoulaye Berthe
> Subject: SIGSEGV in Supplicant
> 
> Hi,
> 
> We have experienced a supplicant crash in dl_list_del(?). We have
> disassembled the supplicant binary used and we got the following call
> stack:
> 
> gas_query_free
> radio_remove_works (from this one the callback gas_query_start_cb is called)
> wpa_supplicant_deinit_iface
> wpa_supplicant_remove_iface
> 
> the lines around the crash:
> 
> 05-15 19:36:29.373 1484 1484 I wpa_supplicant: wlan0: GAS-QUERY-DONE addr=74:91:1a:10:eb:59 dialog_token=2 freq=2422 status_code=0 result=TIMEOUT
> 05-15 19:36:29.373 1484 1484 I wpa_supplicant: wlan0: Starting ANQP fetch for 74:91:1a:50:eb:58
> 05-15 19:36:29.374 1484 1484 I wpa_supplicant: wlan0: GAS-QUERY-START addr=74:91:1a:50:eb:58 dialog_token=3 freq=2422
> 05-15 19:36:29.471 1484 1484 I wpa_supplicant: wlan0: CTRL-EVENT-SCAN-STARTED
> 05-15 19:36:30.056 1484 1484 I wpa_supplicant: p2p0: CTRL-EVENT-TERMINATING
> 05-15 19:36:30.124 1484 1484 I wpa_supplicant: wlan0: GAS-QUERY-DONE addr=74:91:1a:50:eb:58 dialog_token=3 freq=2422 status_code=0 result=DELETED_AT_DEINIT
> 05-15 19:36:30.124 1484 1484 I wpa_supplicant: wlan0: ANQP fetch completed
> 05-15 19:36:30.124 1484 1484 I wpa_supplicant: wlan0: INTERWORKING-NO-MATCH No network with matching credentials found
> 05-15 19:36:30.124 1484 1484 F libc : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x4 in tid 1484 (wpa_supplicant)
> 
> Could it be due to an attempt to delete the head list twice with dl_list_del?
> 
> Cheers
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-GAS-Remove-all-radio-works-before-calling-gas_query_.patch
Type: application/octet-stream
Size: 1040 bytes
Desc: 0001-GAS-Remove-all-radio-works-before-calling-gas_query_.patch
URL: <http://lists.shmoo.com/pipermail/hostap/attachments/20150601/9ec12ab2/attachment-0001.obj>
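As an added illustration of the ordering problem Ilan describes above (this is not hostap code and not the scrubbed patch), the following C model queues the radio work of one not-yet-started GAS query, runs deinit with and without detaching that work before the query is released, and counts the works left pointing at a released query. Struct and field names are assumptions, and the `freed` flag stands in for free() so the dangling reference stays observable instead of undefined.

```c
#include <stdlib.h>

/* Model of the objects in the description above (names and fields are
 * assumed, not hostap's real structures). A pending GAS query owns a
 * radio_work that is queued on the interface but has not started yet. */
struct gas_query;
struct radio_work {
    struct radio_work *next;
    struct gas_query *ctx;      /* query that gas_query_start_cb would use */
};
struct gas_query {
    struct gas_query *next;
    struct radio_work *work;    /* pending work, NULL once started or removed */
    int freed;                  /* stands in for free(q) so the dangling access stays observable */
};
struct iface {
    struct radio_work *works;   /* interface radio work queue */
    struct gas_query *pending;  /* queries not yet completed */
};

/* Unlink and release one work item from the interface queue. */
static void radio_remove_work(struct iface *i, struct radio_work *w) {
    for (struct radio_work **p = &i->works; *p; p = &(*p)->next)
        if (*p == w) { *p = w->next; free(w); return; }
}

/* gas_query_free; with remove_work set, the radio work is detached first,
 * so no later callback can run with a released query as its context. */
static void query_free(struct iface *i, struct gas_query *q, int remove_work) {
    if (remove_work && q->work) { radio_remove_work(i, q->work); q->work = NULL; }
    q->freed = 1;               /* real code would free(q) here */
}

/* Run deinit with (fixed=1) or without (fixed=0) the ordering fix and return
 * how many queued works still point at a released query: each one would make
 * gas_query_start_cb -> gas_query_free -> dl_list_del touch freed memory. */
static int deinit_dangling_works(int fixed) {
    struct iface i = {0};
    struct gas_query q = {0};   /* constructed: one not-yet-started query */
    struct radio_work *w = calloc(1, sizeof *w);
    w->ctx = &q; q.work = w; i.works = w; i.pending = &q;
    for (struct gas_query *p = i.pending; p; p = p->next)
        query_free(&i, p, fixed);               /* gas_query_deinit() */

    int dangling = 0;
    for (struct radio_work *r = i.works; r; r = r->next)
        if (r->ctx->freed) dangling++;          /* radio_remove_works() */
    while (i.works) radio_remove_work(&i, i.works);
    return dangling;
}
```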