
wpa_supplicant ap mode crash

Message ID CAHs9HPqWTbh_T5epS2xqZp6ssNxNoVkLTRHhm2p7jiv6Xz9_Sg@mail.gmail.com
State Superseded

Commit Message

David Friberg Dec. 30, 2015, 4:21 p.m. UTC
Happens when I try to connect to my AP from a Windows machine.  Seems
a null check here may be needed?  Connection seems to work ok with the
patch below.
Here's a stack trace:


Stack trace of thread 1265:
#0  0x0000000000461622 p2p_group_assoc_resp_ie (wpa_supplicant)
#1  0x00000000004a40d7 send_assoc_resp (wpa_supplicant)
#2  0x00000000004a4479 handle_assoc (wpa_supplicant)
#3  0x00000000004a53bc ieee802_11_mgmt (wpa_supplicant)
#4  0x0000000000489f97 ap_mgmt_rx (wpa_supplicant)
#5  0x00000000004f158d wpa_supplicant_event (wpa_supplicant)
#6  0x000000000050bafd mlme_event_mgmt (wpa_supplicant)
#7  0x000000000050eba4 process_bss_event (wpa_supplicant)
#8  0x00007fc642f31e4c nl_recvmsgs_report (libnl-3.so.200)
#9  0x00007fc642f322b9 nl_recvmsgs (libnl-3.so.200)
#10 0x00000000004fa528 wpa_driver_nl80211_event_receive (wpa_supplicant)
#11 0x000000000042130b eloop_sock_table_dispatch (wpa_supplicant)
#12 0x0000000000421c40 eloop_sock_table_dispatch (wpa_supplicant)
#13 0x00000000004e9749 wpa_supplicant_run (wpa_supplicant)
#14 0x0000000000412c95 main (wpa_supplicant)
#15 0x00007fc642052610 __libc_start_main (libc.so.6)
#16 0x0000000000412d19 _start (wpa_supplicant)

Comments

Jouni Malinen Jan. 1, 2016, 3:22 p.m. UTC | #1
On Wed, Dec 30, 2015 at 10:21:52AM -0600, David Friberg wrote:
> Happens when I try to connect to my AP from a Windows machine.  Seems
> a null check here may be needed?  Connection seems to work ok with the
> patch below.

>  struct wpabuf * p2p_group_assoc_resp_ie(struct p2p_group *group, u8 status)
>  {
>   struct wpabuf *resp;
>   u8 *rlen;
>   size_t extra = 0;
> 
> - if (group == NULL)
> - return NULL;

The group argument here is hapd->p2p_group and by default, that would
actually be initialized by wpa_supplicant. It looks like this will be
left NULL in case P2P support is disabled at runtime (e.g., with
"P2P_SET disabled 1"). I found a couple of other places where a similar
NULL pointer dereference can happen if P2P is disabled at runtime. I'll
fix these in the caller functions, but the effect of that is practically
identical to the change here.
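The reply above locates the root cause in the callers (hapd->p2p_group is left NULL when P2P is disabled at runtime) rather than in p2p_group_assoc_resp_ie() itself. The following C program is an added illustration of that caller-side guard; it is not wpa_supplicant code. The structures, the model_* functions and the frame layout are constructed stand-ins with just enough state to show the decision: the callee keeps the unconditional group dereference the thread discusses, and the caller skips it when the AP context has no P2P group.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins, not wpa_supplicant's own structures. The AP
 * context carries an optional P2P group; NULL models "P2P_SET disabled 1". */
struct p2p_group {
	uint8_t wfd_ie[8];	/* complete Wi-Fi Display IE to append, if any */
	size_t wfd_ie_len;	/* 0 means no WFD IE */
};

struct hostapd_data {
	struct p2p_group *p2p_group;	/* NULL <=> P2P disabled at runtime */
};

#define RESP_MAX 64
struct assoc_resp {
	uint8_t buf[RESP_MAX];
	size_t len;
};

/* Model of the callee: emits a P2P vendor-specific IE (element ID 221,
 * WFA OUI 50:6F:9A, OUI type 9) with a P2P Status attribute (ID 0,
 * 2-byte little-endian length, 1-byte status), then the group's WFD IE.
 * Like the unpatched p2p_group_assoc_resp_ie() it dereferences group
 * unconditionally, so the caller must never pass NULL.
 * Returns bytes written, or 0 if the output buffer is too small. */
static size_t model_p2p_group_assoc_resp_ie(const struct p2p_group *group,
					    uint8_t status,
					    uint8_t *out, size_t cap)
{
	uint8_t body[8] = { 0x50, 0x6f, 0x9a, 0x09, 0x00, 0x01, 0x00, status };
	size_t need = 2 + sizeof(body) + group->wfd_ie_len;

	if (need > cap)
		return 0;
	out[0] = 221;
	out[1] = (uint8_t) sizeof(body);
	memcpy(out + 2, body, sizeof(body));
	memcpy(out + 2 + sizeof(body), group->wfd_ie, group->wfd_ie_len);
	return need;
}

/* Model of the caller-side fix: check hapd->p2p_group before asking the
 * P2P code for an IE. With P2P disabled the response simply carries no
 * P2P element. Returns 0 on success, -1 if the frame buffer overflows. */
static int model_send_assoc_resp(const struct hostapd_data *hapd,
				 uint8_t status, struct assoc_resp *resp)
{
	resp->len = 0;
	/* fixed part of the model frame: 2-byte little-endian status code */
	resp->buf[resp->len++] = status;
	resp->buf[resp->len++] = 0;

	if (hapd->p2p_group != NULL) {
		size_t n = model_p2p_group_assoc_resp_ie(hapd->p2p_group, status,
							 resp->buf + resp->len,
							 RESP_MAX - resp->len);
		if (n == 0)
			return -1;
		resp->len += n;
	}
	return 0;
}

/* Walks the IEs after the fixed part; returns 1 if a P2P IE is present. */
static int model_resp_has_p2p_ie(const struct assoc_resp *resp)
{
	size_t i = 2;

	while (i + 2 <= resp->len) {
		uint8_t id = resp->buf[i], len = resp->buf[i + 1];

		if (i + 2 + len > resp->len)
			return 0;	/* truncated element */
		if (id == 221 && len >= 4 &&
		    resp->buf[i + 2] == 0x50 && resp->buf[i + 3] == 0x6f &&
		    resp->buf[i + 4] == 0x9a && resp->buf[i + 5] == 0x09)
			return 1;
		i += 2 + len;
	}
	return 0;
}

/* Builds one model response with P2P enabled (group present, carrying a
 * constructed 6-byte WFD IE) or disabled at runtime (group pointer NULL). */
static int model_build(int p2p_enabled, struct assoc_resp *resp)
{
	struct p2p_group group = {
		.wfd_ie = { 221, 4, 0x50, 0x6f, 0x9a, 0x0a },	/* constructed */
		.wfd_ie_len = 6,
	};
	struct hostapd_data hapd = { .p2p_group = p2p_enabled ? &group : NULL };

	return model_send_assoc_resp(&hapd, 0, resp);
}

static size_t model_resp_len(int p2p_enabled)
{
	struct assoc_resp resp;

	return model_build(p2p_enabled, &resp) < 0 ? 0 : resp.len;
}

static int model_resp_has_p2p(int p2p_enabled)
{
	struct assoc_resp resp;

	return model_build(p2p_enabled, &resp) < 0 ? -1 :
		model_resp_has_p2p_ie(&resp);
}

int main(void)
{
	printf("P2P disabled: %zu bytes, P2P IE %s\n", model_resp_len(0),
	       model_resp_has_p2p(0) ? "present" : "absent");
	printf("P2P enabled:  %zu bytes, P2P IE %s\n", model_resp_len(1),
	       model_resp_has_p2p(1) ? "present" : "absent");
	return 0;
}
```

With the group pointer NULL the model returns only the 2-byte fixed part and never enters the P2P builder; with the group present it returns the fixed part plus the 10-byte P2P IE and the 6-byte WFD IE. The same guard belongs at every call site that hands hapd->p2p_group to the P2P code, which is why a caller-side fix has to cover each of them rather than relying on one check inside the callee.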

Patch

--- p2p_group.c 2015-12-30 10:10:11.897067677 -0600
+++ p2p_group.old 2015-12-30 10:09:45.054344177 -0600
@@ -641,19 +641,16 @@ 


 struct wpabuf * p2p_group_assoc_resp_ie(struct p2p_group *group, u8 status)
 {
  struct wpabuf *resp;
  u8 *rlen;
  size_t extra = 0;

- if (group == NULL)
- return NULL;
-
 #ifdef CONFIG_WIFI_DISPLAY
  if (group->wfd_ie)
  extra = wpabuf_len(group->wfd_ie);
 #endif /* CONFIG_WIFI_DISPLAY */

  if (group->p2p->vendor_elem &&
     group->p2p->vendor_elem[VENDOR_ELEM_P2P_ASSOC_RESP])
  extra += wpabuf_len(group->p2p->vendor_elem[VENDOR_ELEM_P2P_ASSOC_RESP]);
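Review bot: The diff is reversed: the headers name p2p_group.c (the edited file, newer timestamp) as the "---" side and p2p_group.old as the "+++" side, so the `if (group == NULL) return NULL;` check appears as `-` lines and applying this patch as posted would remove it rather than add it. Regenerate it as `diff -u p2p_group.old p2p_group.c` (or with git format-patch) so the check lands as `+` lines. The placement itself is right: the first dereference is `group->wfd_ie` under CONFIG_WIFI_DISPLAY, followed by `group->p2p->vendor_elem`, so the check has to precede both. The submission also carries no Signed-off-by line.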