Re: wpabuf overflow with WPS

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi, guys
   I have figured out what's going a few days a ago on OpenWrt DD.
This issue is caused by the uninitialized ptr of wpa buffer, which is
introduced by the following commit:

2015-11-29 20:53 Jouni Malinen      o Fix memory leak on NFC DH
generation error path
Commit ID: 4104267e81b0a0acdb43f693a67f236b3237a719

In this patch, "wpabuf_free" is called in "dh5_init", which assumes
that ptr of wpa buffer is already set. But actually ptr of wpa buffer
may be still uninitialized.

I have generated the patch for these issue.



2016-05-10 15:18 GMT+08:00 Xue Liu <xue.liu@xxxxxxxxxxxx>:
> Hello
>
>
> On 28/04/16 19:06, Jouni Malinen wrote:
>>
>> On Thu, Apr 28, 2016 at 01:31:05PM +0200, Xue Liu wrote:
>>>
>>> I have removed the patch and generate a new hostapd program. Then I
>>> run the program with -d option, and there is no wpabuf overflow, but
>>> my Nexus 9 still can not make a connection with Clearfog board via
>>> WPS. Since the debug info is quite a lot. I put them in the
>>> attachment. Thank you.
>>
>> Thanks. This looks like something completely different. The client
>> device does not seem to even try to associate with the AP. It does go
>> through Authentication frame exchange, but then nothing.. The debug
>> patch should have no impact on this type of functionality, so it is a
>> bit difficult to say what caused this.
>>
>>> root@OpenWrt:~# hostapd -d hostapd.cfg
>>
>> Or are you maybe running this over a slow serial port connection? If so,
>> there will likely be a significant extra latency on operations and it
>> would be better to direct the output to a file with something like
>>
>> hostapd -dd hostapd.cfg > /tmp/hostapd.log
>>
> Yes. I am running hostapd over a serial port connection.
> I did another test last few days and I found the problem is not in the
> hostapd but in wps_supplicant. During the connection via WPS, the
> wps_supplicant has "Segmentation fault". I run wpa_supplicant with
> "/usr/sbin/wpa_supplicant -dd -P /var/run/wpa_supplicant-wlan0.pid -D
> nl80211 -i wlan0 -c wpa_supplicant-wlan0.conf -C /var/run/wpa_supplicant".
>
> In addition I compile the wpad with TARGET_CFLAGS += -ggdb3. I run "gdb
> /usr/sbin/wpa_supplicant" and then "run -dd -P
> /var/run/wpa_supplicant-wlan0.pid -D nl80211 -i wlan0 -c
> wpa_supplicant-wlan0.conf -C /var/run/wpa_supplicant“. When segmentation
> fault appears after "WPS: Generate new DH keys", I run "bt".
>
> In the attachment you can find the wpa_supplicant_gdb.log file and
> wps_supplicant-wlan0.conf file. It seems that there is no useful backtrace
> info.
>
> I would like also to say that in the OpenWRT I use wpad package to replace
> wpa_supplicant and hostapd. I am a newbie of it, and I don't know what is
> the differences.
>
> Regards,
>
> Xue Liu
>
> _______________________________________________
> Hostap mailing list
> Hostap@xxxxxxxxxxxxxxxxxxx
> http://lists.infradead.org/mailman/listinfo/hostap
>

Attachment: 0001-Fix-un-set-pointer-which-cause-segment-fault.patch
Description: Binary data

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap

[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux