Patchwork hostapd: Fix crash when scan fails.

login
register
mail settings
Submitter Ben Greear
Date Jan. 30, 2013, 5:02 a.m.
Message ID <1359522170-30246-1-git-send-email-greearb@candelatech.com>
Download mbox | patch
Permalink /patch/216764/
State Accepted
Commit 085b29f1fee518921c271f4ba48e54ce24dde38e
Headers show

Comments

Ben Greear - Jan. 30, 2013, 5:02 a.m.
From: Ben Greear <greearb@candelatech.com>

When scan failed, the wpa_driver_nl80211_scan method tried
to recursively call itself, but it passed in the wrong argument
for the void*, and so then it crashed accessing bad memory.

With this fix, hostapd still will not retry the scan later, but
at least it will exit cleanly and won't polute the file system
with core files.

Signed-off-by: Ben Greear <greearb@candelatech.com>
---
:100644 100644 810389d... 4ed3b93... M	src/drivers/driver_nl80211.c
 src/drivers/driver_nl80211.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)
Ben Greear - Jan. 30, 2013, 5:06 a.m.
On 01/29/2013 09:02 PM, greearb@candelatech.com wrote:
> From: Ben Greear <greearb@candelatech.com>
>
> When scan failed, the wpa_driver_nl80211_scan method tried
> to recursively call itself, but it passed in the wrong argument
> for the void*, and so then it crashed accessing bad memory.
>
> With this fix, hostapd still will not retry the scan later, but
> at least it will exit cleanly and won't polute the file system
> with core files.
>
> Signed-off-by: Ben Greear <greearb@candelatech.com>
> ---
> :100644 100644 810389d... 4ed3b93... M	src/drivers/driver_nl80211.c
>   src/drivers/driver_nl80211.c |    3 ++-
>   1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
> index 810389d..4ed3b93 100644
> --- a/src/drivers/driver_nl80211.c
> +++ b/src/drivers/driver_nl80211.c
> @@ -24,6 +24,7 @@
>   #include <linux/filter.h>
>   #include <linux/errqueue.h>
>   #include "nl80211_copy.h"
> +#include <assert.h>

Err, you don't need that part...was a leftover from the debugging
code I used to find the bug.

Thanks,
Ben

>
>   #include "common.h"
>   #include "eloop.h"
> @@ -3744,7 +3745,7 @@ static int wpa_driver_nl80211_scan(void *priv,
>   				    bss, NL80211_IFTYPE_STATION))
>   				goto nla_put_failure;
>
> -			if (wpa_driver_nl80211_scan(drv, params)) {
> +			if (wpa_driver_nl80211_scan(bss, params)) {
>   				wpa_driver_nl80211_set_mode(bss, drv->nlmode);
>   				goto nla_put_failure;
>   			}
>
Jouni Malinen - Feb. 3, 2013, 11:52 a.m.
On Tue, Jan 29, 2013 at 09:02:50PM -0800, greearb@candelatech.com wrote:
> When scan failed, the wpa_driver_nl80211_scan method tried
> to recursively call itself, but it passed in the wrong argument
> for the void*, and so then it crashed accessing bad memory.
> 
> With this fix, hostapd still will not retry the scan later, but
> at least it will exit cleanly and won't polute the file system
> with core files.

Thanks! Applied.

Patch

diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
index 810389d..4ed3b93 100644
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
@@ -24,6 +24,7 @@ 
 #include <linux/filter.h>
 #include <linux/errqueue.h>
 #include "nl80211_copy.h"
+#include <assert.h>
 
 #include "common.h"
 #include "eloop.h"
@@ -3744,7 +3745,7 @@  static int wpa_driver_nl80211_scan(void *priv,
 				    bss, NL80211_IFTYPE_STATION))
 				goto nla_put_failure;
 
-			if (wpa_driver_nl80211_scan(drv, params)) {
+			if (wpa_driver_nl80211_scan(bss, params)) {
 				wpa_driver_nl80211_set_mode(bss, drv->nlmode);
 				goto nla_put_failure;
 			}