Subject: bin/32537: bringing down network interface exposes bugs in wpa_supplicant(8)
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: Lubomir Sedlacik <salo@Xtrmntr.org>
List: netbsd-bugs
Date: 01/15/2006 20:15:00
>Number:         32537
>Category:       bin
>Synopsis:       bringing down network interface exposes bugs in wpa_supplicant(8)
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jan 15 20:15:00 +0000 2006
>Originator:     Lubomir Sedlacik
>Release:        NetBSD 3.99.11 Mon Nov 21 20:53:00 CET 2005
>Environment:
System: NetBSD 3.99.11 Mon Nov 21 20:53:00 CET 2005
Architecture: i386
Machine: i386
>Description:
Bringing down the network interface while wpa_supplicant(8) is running exposes
multiple double-free() problems:

# wpa_supplicant -d -d -i iwi0 -c /etc/wpa_supplicant.conf
...
# ifconfig iwi0 down

RTM_IFINFO: Interface 'iwi0' DOWN
Configured interface was removed.
select: Bad file descriptor
wpa_driver_bsd_del_key: keyidx=0
wpa_driver_bsd_del_key: keyidx=1
wpa_driver_bsd_del_key: keyidx=2
wpa_driver_bsd_del_key: keyidx=3
wpa_driver_bsd_set_wpa: enabled=0
wpa_driver_bsd_set_wpa_internal: wpa=0 privacy=0
wpa_driver_bsd_set_drop_unencrypted: enabled=0
wpa_driver_bsd_set_countermeasures: enabled=0
No keys have been configured - skip key clearing
wpa_driver_bsd_set_wpa_internal: wpa=1 privacy=1
wpa_supplicant in free(): warning: page is already free.
wpa_supplicant in free(): warning: chunk is already free.
wpa_supplicant in free(): warning: chunk is already free.
wpa_supplicant in free(): warning: page is already free.
 
>How-To-Repeat:
Run wpa_supplicant(8),
bring the network interface down.
>Fix:
n/a