Hi,
this is the logs resulting in the crash.
It can be seen that we have DFS-RADAR-DETECTED on wlan1, wlan1:
interface state ENABLED->DISABLED, and later wlan1 is reenabled.
Thus hostapd_disable_iface -> hostapd_free_hapd_data ->
wpabuf_free(hapd->time_adv) when wlan1 becomes disabled.
Later when wlan1 is re-enabled, hapd->time_adv points to a freed
pointer, as - different to e.g. hapd->radius - it is not cleared after
freeing.
Please find attached a patch that addresses this.
Regards,
M. Braun
1614623852.209013: wl1_2: STA xx:xx:xx:xx:xx:xx WPA: sending 1/4 msg of
4-Way Handshake
VLAN: Interface wl1_2.4096 configured to vlan 527 in br_vlan_add
VLAN (netlink): Interface wl1_2.4096 add to vlan 527 in _linux_br_vlan
VLAN: Interface wl1_2.4096 configured to vlan 527 in vlan_newlink_real
1614623852.219940: wl1_2: STA xx:xx:xx:xx:xx:xx WPA: received EAPOL-Key
frame (2/4 Pairwise)
1614623852.220845: wl1_2: STA xx:xx:xx:xx:xx:xx WPA: sending 3/4 msg of
4-Way Handshake
1614623852.236195: wl1_2: STA xx:xx:xx:xx:xx:xx WPA: received EAPOL-Key
frame (4/4 Pairwise)
wl1_2: AP-STA-CONNECTED xx:xx:xx:xx:xx:xx
1614623852.238279: wl1_2: STA xx:xx:xx:xx:xx:xx IEEE 802.1X: authorizing
port
1614623852.239046: wl1_2: STA xx:xx:xx:xx:xx:xx RADIUS: starting
accounting session E517AD69514481A6
1614623852.239385: wl1_2: RADIUS Sending RADIUS message to accounting
server
1614623852.240467: wl1_2: RADIUS Next RADIUS client retransmit in 3
seconds
1614623852.240820: wl1_2: STA xx:xx:xx:xx:xx:xx WPA: pairwise key
handshake completed (RSN)
wlan1: DFS-RADAR-DETECTED freq=5260 ht_enabled=1 chan_offset=1
chan_width=2 cf1=5270 cf2=0
wlan1: DFS-NEW-CHANNEL freq=5620 chan=124 sec_chan=1
DFS failed to schedule CSA (-22) - trying fallback
wlan1: AP-DISABLED
1614623852.294656: wlan1: RADIUS Sending RADIUS message to accounting
server
1614623852.295534: wlan1: RADIUS Next RADIUS client retransmit in 3
seconds
1614623852.296736: wl1_1: RADIUS Sending RADIUS message to accounting
server
1614623852.297268: wl1_1: RADIUS Next RADIUS client retransmit in 3
seconds
Failed to remove bssid to ft_bridge br-mgnt
1614623852.634842: wl1_2: STA xx:xx:xx:xx:xx:xx MLME:
MLME-DEAUTHENTICATE.indication(xx:xx:xx:xx:xx:xx, 1)
1614623852.635865: wl1_2: STA xx:xx:xx:xx:xx:xx RADIUS: updated TX/RX
stats: rx_bytes=1411 [0:0] tx_bytes=557 [0:0] bytes_64bit=1
1614623852.636632: wl1_2: RADIUS Sending RADIUS message to accounting
server
1614623852.637981: wl1_2: RADIUS Next RADIUS client retransmit in 3
seconds
1614623852.638568: wl1_2: STA xx:xx:xx:xx:xx:xx RADIUS: stopped
accounting session E517AD69514481A6
wl1_2: AP-STA-DISCONNECTED xx:xx:xx:xx:xx:xx
1614623853.044158: wl1_2: RADIUS Sending RADIUS message to accounting
server
1614623853.044909: wl1_2: RADIUS Next RADIUS client retransmit in 2
seconds
1614623853.247363: wl1_6: RADIUS Sending RADIUS message to accounting
server
1614623853.250053: wl1_6: RADIUS Next RADIUS client retransmit in 3
seconds
nl80211: Failed to remove interface wl1_6 from bridge br-wlan: Invalid
argument
nl80211: deinit ifname=wlan1 disabled_11b_rates=0
wlan1: interface state ENABLED->DISABLED
rfkill: Cannot open RFKILL control device
wlan1: interface state DISABLED->COUNTRY_UPDATE
wlan1: interface state COUNTRY_UPDATE->HT_SCAN
wlan0: DFS-RADAR-DETECTED freq=5260 ht_enabled=1 chan_offset=1
chan_width=2 cf1=5270 cf2=0
current_mode != IEEE80211A
wlan1: DFS-RADAR-DETECTED freq=5260 ht_enabled=1 chan_offset=1
chan_width=2 cf1=5270 cf2=0
wlan0: DFS-RADAR-DETECTED freq=5260 ht_enabled=1 chan_offset=1
chan_width=2 cf1=5270 cf2=0
current_mode != IEEE80211A
wlan1: DFS-RADAR-DETECTED freq=5260 ht_enabled=1 chan_offset=1
chan_width=2 cf1=5270 cf2=0
wlan0: DFS-RADAR-DETECTED freq=5260 ht_enabled=1 chan_offset=1
chan_width=2 cf1=5270 cf2=0
current_mode != IEEE80211A
wlan1: DFS-RADAR-DETECTED freq=5260 ht_enabled=1 chan_offset=1
chan_width=2 cf1=5270 cf2=0
wlan0: DFS-RADAR-DETECTED freq=5260 ht_enabled=1 chan_offset=1
chan_width=2 cf1=5270 cf2=0
current_mode != IEEE80211A
wlan1: DFS-RADAR-DETECTED freq=5260 ht_enabled=1 chan_offset=1
chan_width=2 cf1=5270 cf2=0
wlan0: DFS-RADAR-DETECTED freq=5260 ht_enabled=1 chan_offset=1
chan_width=2 cf1=5270 cf2=0
current_mode != IEEE80211A
wlan1: DFS-RADAR-DETECTED freq=5260 ht_enabled=1 chan_offset=1
chan_width=2 cf1=5270 cf2=0
wlan0: DFS-RADAR-DETECTED freq=5260 ht_enabled=1 chan_offset=1
chan_width=2 cf1=5270 cf2=0
current_mode != IEEE80211A
wlan1: interface state HT_SCAN->DFS
wlan1: DFS-CAC-START freq=5620 chan=124 sec_chan=1, width=0, seg0=0,
seg1=0, cac_time=60s
1614623880.597302: wl0_2: STA xx:xx:xx:xx:xx:xx RADIUS: updated TX/RX
stats: rx_bytes=259709 [0:0] tx_bytes=4886318 [0:0] bytes_64bit=1
1614623880.597809: wl0_2: RADIUS Sending RADIUS message to accounting
server
1614623880.598291: wl0_2: RADIUS Next RADIUS client retransmit in 3
seconds
1614623880.653695: wl0_2: RADIUS Received 20 bytes from RADIUS server
1614623880.654185: wl0_2: RADIUS Received RADIUS message
1614623880.654969: wl0_2: STA xx:xx:xx:xx:xx:xx RADIUS: Received RADIUS
packet matched with a pending request, round trip time 0.05 sec
wlan0: DFS-CAC-COMPLETED success=1 freq=5620 ht_enabled=1 chan_offset=1
chan_width=2 cf1=5630 cf2=0
current_mode != IEEE80211A
wlan1: DFS-CAC-COMPLETED success=1 freq=5620 ht_enabled=1 chan_offset=1
chan_width=2 cf1=5630 cf2=0
1614623915.642704: wlan1: RADIUS Accounting server 10.30.254.16:1813
1614623915.643888: wlan1: RADIUS Sending RADIUS message to accounting
server
1614623915.644632: wlan1: RADIUS Next RADIUS client retransmit in 3
seconds
10.30.1.94 2021-03-01T18:38:35+01:00 femap015e hostapd-capture:
10.30.1.94 2021-03-01T18:38:35+01:00 femap015e hostapd-capture: Program
received signal SIGSEGV, Segmentation fault.
Am 01.03.2021 22:56, schrieb michael-dev:
Hi,
I'm seeing the following and very similar backtrace in different
hostapd versions (based on 59e9794c or c7a9a574). I'll still need to
reproduce this with upstream (vanilla) hostapd, but was wondering, if
there is any hint on it yet? (as the locally applied patches do not
alter beacon setup or timeadv).
wpabuf.h:60 ist wpabuf_len, which is called from hostapd_eid_time_adv
on hapd->time_adv
#0 0x0fb5c4a8 in _wordcopy_fwd_dest_aligned () from /lib/libc.so.6
#1 0x0fb5c2e4 in memcpy () from /lib/libc.so.6
#2 0x10028d7c in (hapd=hapd@entry=0x106b07f0, eid=0x106cc6d9
<error reading variable>) at ../src/utils/wpabuf.h:60
#3 0x1002ab58 in ieee802_11_build_ap_params
(hapd=hapd@entry=0x106b07f0, params=0xbffd0d30,
params@entry=0xbffd0d40) at ../src/ap/beacon.c:1532
#4 0x1002afe8 in ieee802_11_set_beacon (hapd=hapd@entry=0x106b07f0)
at ../src/ap/beacon.c:1763
#5 0x100093b4 in hostapd_setup_bss (hapd=hapd@entry=0x106b07f0,
first=first@entry=0) at ../src/ap/hostapd.c:1377
#6 0x1000b500 in hostapd_setup_interface_complete_sync
(iface=0x106acf70, err=<optimized out>) at ../src/ap/hostapd.c:2089
#7 0x1000b5fc in hostapd_setup_interface_complete
(iface=iface@entry=0x106acf70, err=err@entry=0) at
../src/ap/hostapd.c:2260
#8 0x10082c48 in hostapd_dfs_complete_cac (iface=0x106acf70,
success=1, freq=5620, ht_enabled=<optimized out>,
chan_offset=<optimized out>, chan_width=2, cf1=5630, cf2=0) at
../src/ap/dfs.c:908
#9 0x10012388 in hostapd_event_dfs_cac_aborted (hapd=<optimized out>,
radar=<optimized out>) at ../src/ap/drv_callbacks.c:1713
#10 wpa_supplicant_event (ctx=0x106ad980,
event=EVENT_DFS_CAC_FINISHED, data=0xbffd1550) at
../src/ap/drv_callbacks.c:2004
#11 0x1006ce14 in mlme_event_dh_event (drv=<optimized out>,
bss=<optimized out>, tb=<optimized out>) at
../src/drivers/driver.h:6049
#12 do_process_drv_event (tb=0xbffd10c8, cmd=<optimized out>,
bss=<optimized out>) at ../src/drivers/driver_nl80211_event.c:2971
#13 process_global_event (msg=<optimized out>, arg=<optimized out>) at
../src/drivers/driver_nl80211_event.c:3030
#14 0x0fe3f988 in nl_cb_call (msg=<optimized out>, type=<optimized
out>, cb=<optimized out>) at ./include/netlink-private/netlink.h:144
#15 recvmsgs (cb=0x106b3390, sk=0x106b34b0) at lib/nl.c:1007
#16 nl_recvmsgs_report (sk=sk@entry=0x106b34b0,
cb=cb@entry=0x106b3390) at lib/nl.c:1058
#17 0x0fe3fc00 in nl_recvmsgs (sk=sk@entry=0x106b34b0,
cb=cb@entry=0x106b3390) at lib/nl.c:1082
#18 0x100545d8 in wpa_driver_nl80211_event_receive (sock=<optimized
out>, eloop_ctx=0x106b3390, handle=0x106b34b0) at
../src/drivers/driver_nl80211.c:1758
#19 0x1002d220 in eloop_sock_table_dispatch
(table=table@entry=0x100e1410 <eloop+8>, fds=fds@entry=0x106b8c70) at
../src/utils/eloop.c:603
#20 0x1002df9c in eloop_sock_table_dispatch (fds=<optimized out>,
table=0x100e1410 <eloop+8>) at ../src/utils/eloop.c:597
#21 eloop_run () at ../src/utils/eloop.c:1228
Regards,
M. Braun
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
commit cfad788eb8f4bdaf91888562fff6c624b960f534
Author: Michael Braun <michael-dev@xxxxxxxxxxxxx>
Date: Mon Mar 1 23:27:46 2021
Fix use after free with hapd->time_adv
When an interface is disabled, e.g. due to radar detected,
hapd->time_adv is freed by hostapd_free_hapd_data, but later
used by ieee802_11_build_ap_params calling hostapd_eid_time_adv.
Thus hapd->time_adv needs to be cleared as well.
Signed-off-by: Michael Braun <michael-dev@xxxxxxxxxxxxx>
Fixes: 39b97072b2
diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
index e25717464..b4364277e 100644
--- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c
@@ -414,6 +414,7 @@ void hostapd_free_hapd_data(struct hostapd_data *hapd)
}
wpabuf_free(hapd->time_adv);
+ hapd->time_adv = NULL;
#ifdef CONFIG_INTERWORKING
gas_serv_deinit(hapd);
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
