[PATCH] wpa_supplicant: Don't process EAPOLs while disconnecting

Otcheretianski, Andrei andrei.otcheretianski at intel.com
Sun Mar 14 09:25:28 GMT 2021


> Thanks, applied. However, I was unable to reproduce that NULL dereference
> by trying to add calls to
> eapol_sm_invalidate_cached_session() in inconvenient places. Can you
> please provide more details on that crash and which pointer is being
> dereferenced? I'd like to add more protection against unexpected cases, but
> cannot do that here since I could not figure out where this NULL
> dereferencing could have happened.

Hi,
I was able to reproduce it by rerunning eap_tls_errors() several times.
Here's the stack trace:

1615712557.476359: WPA_TRACE: eloop SIGSEGV - START
1615712557.476676: [1]: /home/tester/devel/iwlwifi-hostap/tests/hwsim/../../wpa_supplicant/wpa_supplicant(+0x708d0) [0x55ca0fdcd8d0]
1615712557.476699:      eloop_sigsegv_handler() ../src/utils/eloop.c:123
1615712557.476709: [2]: /lib/x86_64-linux-gnu/libc.so.6(+0x3ef20) [0x7f2a23cfef20]
1615712557.476723: [3]: /home/tester/devel/iwlwifi-hostap/tests/hwsim/../../wpa_supplicant/wpa_supplicant(+0x15c369) [0x55ca0feb9369]
1615712557.476734:      sm_EAP_SUCCESS_Enter() ../src/eap_peer/eap.c:1072
1615712557.476746: [4]: /home/tester/devel/iwlwifi-hostap/tests/hwsim/../../wpa_supplicant/wpa_supplicant(eap_peer_sm_step+0x346) [0x55ca0feba206]
1615712557.476757:      eap_peer_sm_step_idle() ../src/eap_peer/eap.c:1152
1615712557.476765:      eap_peer_sm_step_local() ../src/eap_peer/eap.c:1280
1615712557.476773:      sm_EAP_Step() ../src/eap_peer/eap.c:1365
1615712557.476781:      eap_peer_sm_step() ../src/eap_peer/eap.c:2237
1615712557.476791: [5]: /home/tester/devel/iwlwifi-hostap/tests/hwsim/../../wpa_supplicant/wpa_supplicant(eapol_sm_step+0x13c) [0x55ca0feb69dc]
1615712557.476802:      eapol_sm_step() ../src/eapol_supp/eapol_supp_sm.c:999
1615712557.476812: [6]: /home/tester/devel/iwlwifi-hostap/tests/hwsim/../../wpa_supplicant/wpa_supplicant(eapol_sm_rx_eapol+0x138) [0x55ca0feb7428]
1615712557.476840:      eapol_sm_rx_eapol() ../src/eapol_supp/eapol_supp_sm.c:1293
1615712557.476852: [7]: /home/tester/devel/iwlwifi-hostap/tests/hwsim/../../wpa_supplicant/wpa_supplicant(wpa_supplicant_rx_eapol+0x3d5) [0x55ca0ff6f1a5]
1615712557.476862:      wpa_supplicant_rx_eapol() wpa_supplicant.c:4894
1615712557.476873: [8]: /home/tester/devel/iwlwifi-hostap/tests/hwsim/../../wpa_supplicant/wpa_supplicant(wpa_supplicant_event+0xbf3) [0x55ca0ff829e3]
1615712557.476884:      wpa_supplicant_event() events.c:5223
1615712557.476895: [9]: /home/tester/devel/iwlwifi-hostap/tests/hwsim/../../wpa_supplicant/wpa_supplicant(process_bss_event+0x358) [0x55ca0ffa9f88]
1615712557.476905:      drv_event_eapol_rx() ../src/drivers/driver.h:6068
1615712557.476913:      nl80211_control_port_frame() ../src/drivers/driver_nl80211_event.c:2792
1615712557.476920:      process_bss_event() ../src/drivers/driver_nl80211_event.c:3164
1615712557.476930: [10]: /lib/x86_64-linux-gnu/libnl-3.so.200(nl_recvmsgs_report+0x3cc) [0x7f2a2500ac1c]
1615712557.476941: [11]: /lib/x86_64-linux-gnu/libnl-3.so.200(nl_recvmsgs+0x9) [0x7f2a2500b049]
1615712557.476954: [12]: /home/tester/devel/iwlwifi-hostap/tests/hwsim/../../wpa_supplicant/wpa_supplicant(+0x232cab) [0x55ca0ff8fcab]
1615712557.476966:      send_and_recv() ../src/drivers/driver_nl80211.c:450
1615712557.476978: [13]: /home/tester/devel/iwlwifi-hostap/tests/hwsim/../../wpa_supplicant/wpa_supplicant(wpa_driver_nl80211_mlme+0xcf) [0x55ca0ff9c9af]
1615712557.476988:      wpa_driver_nl80211_mlme() ../src/drivers/driver_nl80211.c:3577
1615712557.476999: [14]: /home/tester/devel/iwlwifi-hostap/tests/hwsim/../../wpa_supplicant/wpa_supplicant(+0x240a40) [0x55ca0ff9da40]
1615712557.477010:      wpa_driver_nl80211_deauthenticate() ../src/drivers/driver_nl80211.c:3635
1615712557.477021: [15]: /home/tester/devel/iwlwifi-hostap/tests/hwsim/../../wpa_supplicant/wpa_supplicant(wpa_supplicant_deauthenticate+0x1e7) [0x55ca0ff71da7]
1615712557.477033:      memset() usr/include/x86_64-linux-gnu/bits/string_fortified.h:71
1615712557.477043:      wpa_supplicant_deauthenticate() wpa_supplicant.c:4022
1615712557.477051: WPA_TRACE: eloop SIGSEGV - END

The full log is attached.

Thanks,
Andrei
> 
> --
> Jouni Malinen                                            PGP id EFC895FA
-------------- next part --------------
A non-text attachment was scrubbed...
Name: eap_tls_errors.log0
Type: application/octet-stream
Size: 280740 bytes
Desc: eap_tls_errors.log0
URL: <http://lists.infradead.org/pipermail/hostap/attachments/20210314/cefdf721/attachment-0001.obj>

