wpa_supplicant segfaults with ath

Sam Leffler sam at errno.com
Mon Aug 29 17:22:08 GMT 2005

Pascal Hofstee wrote:
> On Sun, 2005-08-28 at 23:12 -0700, Hanns Hartman wrote:
>>   This is my first time posting to the list so if you need more information 
>>let me know. also since I have no internet on my freebsd box it is difficult 
>>to get all of the verbose output. so here goes.
>>I am using freebsd6.0beta2 on an amd64. I am using the src tree from august 
>>I am trying to associate with a 2wire gateway that was supplied by sbc for 
>>my dsl.  I have set the gateway up with wpa-psk encription.
>>I am able to connect perfectly fine to this gateway with my ibm t42 but when 
>>I try to associate with the gateway using wpa_supplicant I get a 
>>segmentation fault after the program reaches "wpa: sending eapol-key 4/4"  
>>specifially it faults right after displaying "wpa: rsc - hexdump(len=6): 00 
>>00 00 00 00 00" while using option -d for output.
>>when running the supplicant in gdb I get program received SIGSEGV, 
>>segmentation fault.  0x000000080082d4d0 in strlen () from /lib/libc.so.6
>>if there is anything else needed that might help to explain the problem let 
>>me know.  I appoligize for not having more output to post at this time.
>>thanks for the help
> Thank you for posting this ... as it reminded me i should probably file
> a bug report on this. I recently tried to do some investigative work of
> my own hoping to find out why my if_ral interface kept acting up when i
> bumped into the exact same problem myself.
> i can tell you why the segfault happens .. though i am not entirely sure
> how it should be fixed properly.
> The problem you're experiencing is caused by the ether_ntoa(addr) call
> in /usr/src/usr.sbin/wpa/wpa_supplicant/driver_freebsd.c:280
> ether_ntoa expects a "const struct ether_addr" as it's parameter where
> in the code the parameter passed is a "const unsigned char*", further
> more in that same printf statement seq_len and key_len are being
> displayed using "%d" where this should be "%zu" since these are
> size_t's. The size_t construct happens a few more times in the code if i
> recall correctly.
> The actual crash you're experiencing though is caused by the faulty
> ether_ntoa argument.
> If somebody more knowledgable on this particular subject could have a
> closer look at what was actually intended here that would be
> appreciated.

A stack trace at the time of the segfault would be useful.  The type 
mismatches should not be an issue unless there are alignment problems. 
Please try the attached change which should correct any alignment issues.

-------------- next part --------------
Index: driver_freebsd.c
RCS file: /usr/ncvs/src/usr.sbin/wpa/wpa_supplicant/driver_freebsd.c,v
retrieving revision 1.7
diff -u -r1.7 driver_freebsd.c
--- driver_freebsd.c	13 Aug 2005 04:23:33 -0000	1.7
+++ driver_freebsd.c	29 Aug 2005 17:24:14 -0000
@@ -30,6 +30,7 @@
 #include <sys/socket.h>
 #include <net/if.h>
+#include <net/ethernet.h>
 #include <net80211/ieee80211.h>
 #include <net80211/ieee80211_crypto.h>
@@ -231,8 +232,11 @@
 	memset(&wk, 0, sizeof(wk));
 	if (addr != NULL &&
 	    bcmp(addr, "\xff\xff\xff\xff\xff\xff", IEEE80211_ADDR_LEN) != 0) {
+		struct ether_addr ea;
+		memcpy(&ea, addr, IEEE80211_ADDR_LEN);
 		wpa_printf(MSG_DEBUG, "%s: addr=%s keyidx=%d",
-			__func__, ether_ntoa(addr), key_idx);
+			__func__, ether_ntoa(&ea), key_idx);
 		memcpy(wk.idk_macaddr, addr, IEEE80211_ADDR_LEN);
 		wk.idk_keyix = (uint8_t) IEEE80211_KEYIX_NONE;
 	} else {
@@ -250,6 +254,7 @@
 	struct wpa_driver_bsd_data *drv = priv;
 	struct ieee80211req_key wk;
+	struct ether_addr ea;
 	char *alg_name;
 	u_int8_t cipher;
@@ -275,18 +280,19 @@
 		return -1;
+	memcpy(&ea, addr, IEEE80211_ADDR_LEN);
-		"%s: alg=%s addr=%s key_idx=%d set_tx=%d seq_len=%d key_len=%d",
-		__func__, alg_name, ether_ntoa(addr), key_idx, set_tx,
+		"%s: alg=%s addr=%s key_idx=%d set_tx=%d seq_len=%zu key_len=%zu",
+		__func__, alg_name, ether_ntoa(&ea), key_idx, set_tx,
 		seq_len, key_len);
 	if (seq_len > sizeof(u_int64_t)) {
-		wpa_printf(MSG_DEBUG, "%s: seq_len %d too big",
+		wpa_printf(MSG_DEBUG, "%s: seq_len %zu too big",
 			__func__, seq_len);
 		return -2;
 	if (key_len > sizeof(wk.ik_keydata)) {
-		wpa_printf(MSG_DEBUG, "%s: key length %d too big",
+		wpa_printf(MSG_DEBUG, "%s: key length %zu too big",
 			__func__, key_len);
 		return -3;

More information about the freebsd-current mailing list