Re: [PATCH v4 1/2] Move ownership of MAC address randomization mask to scan params

On Thu, Jun 27, 2019 at 04:22:01PM -0700, Eric Caruso wrote:
> This array can be freed either from the scan parameters or from
> clearing the MAC address randomization parameters from the
> wpa_supplicant struct. To make this ownership more clear, we have
> each struct own its own copy of the parameters.

This breaks random address use (e.g., results in failure in the hwsim
test case scan_random_mac) and opens a memory leak.

> diff --git a/wpa_supplicant/scan.c b/wpa_supplicant/scan.c
> +static int wpa_setup_mac_addr_rand_params(struct wpa_driver_scan_params *params,

> +	tmp = os_malloc(2 * ETH_ALEN);
> +	params->mac_addr = tmp;
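
Review bot: `params->mac_addr` at the end of this excerpt now holds an `os_malloc(2 * ETH_ALEN)` buffer, so the helper needs a comment stating that the scan params own this copy and which path frees it. The quoted lines show no NULL check between the allocation and the assignment, and no release of a previous `params->mac_addr` value; both are needed unless they sit in the part not quoted here.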

That allocation is lost in some paths.

> @@ -169,7 +195,9 @@ static void wpas_trigger_scan_cb(struct wpa_radio_work *work, int deinit)
>  		return;
>  	}
>  
> -	if (wpas_update_random_addr_disassoc(wpa_s) < 0) {
> +	if (wpa_s->mac_addr_rand_enable & MAC_ADDR_RAND_SCAN)
> +		wpa_setup_mac_addr_rand_params(params, wpa_s->mac_addr_scan);
> +	else if (wpas_update_random_addr_disassoc(wpa_s) < 0) {
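
Review bot: The result of `wpa_setup_mac_addr_rand_params()` is discarded in the new `if` branch even though the helper is declared `static int`, so a failure there goes unnoticed; check it the way the `else if` branch checks `wpas_update_random_addr_disassoc()`. The `else if` also means `wpas_update_random_addr_disassoc()` is no longer called whenever `MAC_ADDR_RAND_SCAN` is set, which should be explained in the commit message if it is intended.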

What is this trying to do and why? The commit message seems to imply
that this should not have any changes in behavior, but this looks like a
potential change.

>  	if ((wpa_s->mac_addr_rand_enable & MAC_ADDR_RAND_SCAN) &&
>  	    wpa_s->wpa_state <= WPA_SCANNING) {
> -		params.mac_addr_rand = 1;
> -		if (wpa_s->mac_addr_scan) {
> -			params.mac_addr = wpa_s->mac_addr_scan;
> -			params.mac_addr_mask = wpa_s->mac_addr_scan + ETH_ALEN;
> -		}
> +		wpa_setup_mac_addr_rand_params(&params, wpa_s->mac_addr_scan);
>  	}
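
Review bot: The removed lines set `params.mac_addr_rand = 1` unconditionally and only touched `params.mac_addr` when `wpa_s->mac_addr_scan` was non-NULL, while the replacement passes `wpa_s->mac_addr_scan` straight to the helper, so the helper has to keep both behaviours: the flag set even for a NULL pointer, and no copy from NULL. The return value is ignored here as well, and since `&params` now receives an allocated copy, every return path after this call needs a matching free.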

This can result in params.mac_addr pointing to allocated memory that
does not get cleared when wpa_supplicant_scan() returns. I can fix this
easily, but I could not find easily why this patch breaks the test case
I use to confirm that scanning uses a random MAC address. As such, I
cannot apply this or the patch 2/2 since it depends on this patch.

The test failure:

START scan_random_mac 1/1
Exception: Real address used to transmit Probe Request frame
FAIL scan_random_mac 0.221036 2019-08-01 16:15:53.359258

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
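
The ownership model discussed in this message, as an added example that is not part of the original mail or of wpa_supplicant: the scan params get their own copy of the address and mask, and one release function is called on every return path. `struct scan_params`, `scan_params_set_rand`, `scan_params_clear_rand`, `scan_once` and the sample bytes are hypothetical; keeping randomization enabled for a NULL stored mask follows the lines removed in the last hunk.

```c
#include <stdlib.h>
#include <string.h>
#define ETH_ALEN 6
/* Constructed sample: address followed by mask (2 * ETH_ALEN bytes). */
static const unsigned char sample[2 * ETH_ALEN] = { 2, 0, 0, 0, 0, 0, 255, 255, 255, 0, 0, 0 };

/* Hypothetical stand-in holding only the randomization fields of the scan params. */
struct scan_params {
	unsigned int mac_addr_rand:1;
	unsigned char *mac_addr;            /* owned copy, or NULL */
	const unsigned char *mac_addr_mask; /* points into mac_addr */
};

/* Single release point, safe to call on every return path. */
static void scan_params_clear_rand(struct scan_params *p)
{
	free(p->mac_addr);
	memset(p, 0, sizeof(*p));
}

/* Copy addr||mask into params; a NULL src still turns randomization on. */
static int scan_params_set_rand(struct scan_params *p, const unsigned char *src)
{
	unsigned char *tmp = NULL;
	if (src) {
		tmp = malloc(2 * ETH_ALEN);
		if (!tmp)
			return -1; /* params untouched on failure */
		memcpy(tmp, src, 2 * ETH_ALEN);
	}
	free(p->mac_addr); /* release an earlier copy instead of leaking it */
	p->mac_addr = tmp;
	p->mac_addr_mask = tmp ? tmp + ETH_ALEN : NULL;
	p->mac_addr_rand = 1;
	return 0;
}

/* Stack params as in the last hunk: check the copy, free before returning. */
static int scan_once(const unsigned char *stored)
{
	struct scan_params params = { 0 };
	int ok;
	if (scan_params_set_rand(&params, stored) < 0)
		return -1;
	ok = params.mac_addr_rand && (stored ? params.mac_addr != stored &&
		!memcmp(params.mac_addr, stored, 2 * ETH_ALEN) : !params.mac_addr);
	scan_params_clear_rand(&params);
	return ok && !params.mac_addr ? 0 : -1;
}
int main(void) { return scan_once(sample) || scan_once(NULL); }
```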


