Subject: bin/32537: bringing down network interface exposes bugs in wpa_supplicant(8)
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: Lubomir Sedlacik <salo@Xtrmntr.org>
List: netbsd-bugs
Date: 01/15/2006 20:15:00
>Number: 32537
>Category: bin
>Synopsis: bringing down network interface exposes bugs in wpa_supplicant(8)
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Jan 15 20:15:00 +0000 2006
>Originator: Lubomir Sedlacik
>Release: NetBSD 3.99.11 Mon Nov 21 20:53:00 CET 2005
>Environment:
System: NetBSD 3.99.11 Mon Nov 21 20:53:00 CET 2005
Architecture: i386
Machine: i386
>Description:
bringing down network interface while wpa_supplicant(8) is running exposes
multiple double-free() problems:
# wpa_supplicant -d -d -i iwi0 -c /etc/wpa_supplicant.conf
...
# ifconfig iwi0 down
RTM_IFINFO: Interface 'iwi0' DOWN
Configured interface was removed.
select: Bad file descriptor
wpa_driver_bsd_del_key: keyidx=0
wpa_driver_bsd_del_key: keyidx=1
wpa_driver_bsd_del_key: keyidx=2
wpa_driver_bsd_del_key: keyidx=3
wpa_driver_bsd_set_wpa: enabled=0
wpa_driver_bsd_set_wpa_internal: wpa=0 privacy=0
wpa_driver_bsd_set_drop_unencrypted: enabled=0
wpa_driver_bsd_set_countermeasures: enabled=0
No keys have been configured - skip key clearing
wpa_driver_bsd_set_wpa_internal: wpa=1 privacy=1
wpa_supplicant in free(): warning: page is already free.
wpa_supplicant in free(): warning: chunk is already free.
wpa_supplicant in free(): warning: chunk is already free.
wpa_supplicant in free(): warning: page is already free.
>How-To-Repeat:
run wpa_supplicant(8),
bring the network interface down
>Fix:
n/a