Date:      Wed, 05 Apr 2023 10:31:24 +0000
From:      bugzilla-noreply@freebsd.org
To:        wireless@FreeBSD.org
Subject:   [Bug 270649] hostapd and wpa_supplicant use uninitialized ptr if interface disappears
Message-ID:  <bug-270649-21060@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270649

            Bug ID: 270649
           Summary: hostapd and wpa_supplicant use uninitialized ptr if
                    interface disappears
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: wireless
          Assignee: wireless@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

l2_packet_receive() in contrib/wpa/src/l2_packet/l2_packet_freebsd.c:

        const u_char *packet;

        if (pcap_next_ex(pcap, &hdr, &packet) == -1) {
                wpa_printf(MSG_ERROR, "Error reading packet, has device disappeared?");
                eloop_terminate();
        }

        if (!l2->rx_callback || !packet || hdr->caplen < sizeof(*ethhdr))
                return;

        ethhdr = (struct l2_ethhdr *) packet;
        l2->rx_callback(l2->rx_callback_ctx, ethhdr->h_source, buf, len);

Since packet is not initialized, and pcap_next_ex() doesn't set packet
if there's an error, packet can be left containing non-NULL garbage,
which l2->rx_callback() tries to use. This happens if the wlanX
interface is shut down with ifconfig destroy.

Here's a backtrace:

#0  ap_get_sta (hapd=0x412026b0, sta=0xc32fe8354dfa3e76 <error: Cannot access
memory at address 0xc32fe8354dfa3e76>)
    at /usr/rtm/symbsd/src/contrib/wpa/src/ap/sta_info.c:73
#1  0x000000000015eca0 in hostapd_event_eapol_rx (hapd=0x412026b0,
src=0xc32fe8354dfa3e76 <error: Cannot access memory at address
0xc32fe8354dfa3e76>,
    data=0xc32fe8354dfa3e7e <error: Cannot access memory at address
0xc32fe8354dfa3e7e>, data_len=224) at
/usr/rtm/symbsd/src/contrib/wpa/src/ap/drv_callbacks.c:1541
#2  wpa_supplicant_event (ctx=0x412026b0, event=<optimized out>,
data=<optimized out>) at
/usr/rtm/symbsd/src/contrib/wpa/src/ap/drv_callbacks.c:1938
#3  0x0000000000156850 in drv_event_eapol_rx (ctx=0x412026b0, src=<optimized
out>, data=<optimized out>, data_len=<optimized out>)
    at /usr/rtm/symbsd/src/contrib/wpa/src/drivers/driver.h:6085
#4  handle_read (ctx=<optimized out>, src_addr=0xc32fe8354dfa3e76 <error:
Cannot access memory at address 0xc32fe8354dfa3e76>,
    buf=0xc32fe8354dfa3e7e <error: Cannot access memory at address
0xc32fe8354dfa3e7e>, len=224) at
/usr/rtm/symbsd/src/contrib/wpa/src/drivers/driver_bsd.c:1028
#5  0x0000000000180b78 in l2_packet_receive (sock=<optimized out>,
eloop_ctx=0x41203410, sock_ctx=<optimized out>)
    at /usr/rtm/symbsd/src/contrib/wpa/src/l2_packet/l2_packet_freebsd.c:102
#6  0x00000000001bace6 in eloop_sock_table_dispatch (fds=0x41209260,
table=<optimized out>) at /usr/rtm/symbsd/src/contrib/wpa/src/utils/eloop.c:603
#7  eloop_run () at /usr/rtm/symbsd/src/contrib/wpa/src/utils/eloop.c:1233
#8  0x000000000015784e in hostapd_global_run (ifaces=<optimized out>,
daemonize=<optimized out>, pid_file=<optimized out>)
    at /usr/rtm/symbsd/src/contrib/wpa/hostapd/main.c:445
#9  0x000000000015740a in main (argc=<optimized out>, argv=0x3fffffeb50) at
/usr/rtm/symbsd/src/contrib/wpa/hostapd/main.c:892

-- 
You are receiving this mail because:
You are the assignee for the bug.
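The receive path quoted in the report, reworked as an added example that is not code from the wpa tree or from the reporter: packet starts out NULL and the -1 path returns before anything is dereferenced, so a vanished interface can no longer hand garbage to the callback. pcap_next_ex() and struct pcap_pkthdr are replaced by constructed stand-ins (fake_pcap_next_ex, fake_pkthdr) that keep libpcap's contract of writing the output pointers only on success; rx_state, l2_packet_receive_fixed and the sample frame are assumptions made for the demonstration.

```c
/* Added example, not wpa code: a stand-alone model of l2_packet_receive()
 * with the two fixes applied. fake_pcap_next_ex() is a constructed stand-in
 * for pcap_next_ex(): it writes *hdr/*pkt only on a successful (1) return. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_ALEN 6
struct l2_ethhdr { uint8_t h_dest[ETH_ALEN]; uint8_t h_source[ETH_ALEN]; uint16_t h_proto; };
struct fake_pkthdr { uint32_t caplen; };        /* stands in for struct pcap_pkthdr */

/* Constructed fake of pcap_next_ex(): 'dev_gone' selects the error path. */
static int fake_pcap_next_ex(int dev_gone, struct fake_pkthdr **hdr,
                             const unsigned char **pkt,
                             const unsigned char *frame, struct fake_pkthdr *fh)
{
    if (dev_gone)
        return -1;                  /* *hdr and *pkt deliberately untouched */
    *hdr = fh;
    *pkt = frame;
    return 1;
}

/* Observable side effects, standing in for eloop_terminate() and rx_callback(). */
struct rx_state { int terminated; int callbacks; uint8_t src[ETH_ALEN]; };

/* Hardened receive. Returns 1 if the callback ran, 0 otherwise. */
static int l2_packet_receive_fixed(struct rx_state *st, int dev_gone,
                                   const unsigned char *frame, struct fake_pkthdr *fh)
{
    struct fake_pkthdr *hdr = NULL;
    const unsigned char *packet = NULL;   /* fix 1: no garbage if the read fails */
    int rc = fake_pcap_next_ex(dev_gone, &hdr, &packet, frame, fh);

    if (rc == -1) {                       /* fix 2: stop here, do not fall through */
        st->terminated = 1;
        return 0;
    }
    /* rc == 0 (timeout) or any other non-success code: nothing to deliver */
    if (rc != 1 || !packet || !hdr || hdr->caplen < sizeof(struct l2_ethhdr))
        return 0;

    const struct l2_ethhdr *eth = (const struct l2_ethhdr *)packet;
    memcpy(st->src, eth->h_source, ETH_ALEN);   /* what rx_callback() would see */
    st->callbacks++;
    return 1;
}
```

Without fix 2 the original code still reaches the caplen check after eloop_terminate(), and with an uninitialized packet that check is the only thing between a dead device and the dereference seen in frame #0 of the backtrace.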