https://bugzilla.novell.com/show_bug.cgi?id=639111
https://bugzilla.novell.com/show_bug.cgi?id=639111#c9

Harald Koenig <koenig@linux.de> changed:

           What    |Removed          |Added
----------------------------------------------------------------------------
         Status    |NEEDINFO         |NEW
   InfoProvider    |koenig@linux.de  |

--- Comment #9 from Harald Koenig <koenig@linux.de> 2010-09-15 08:53:51 UTC ---

(In reply to comment #8)
> Harald,
> Could you download the source code to debug it? I want to make sure which function causes the stack overflow, iw_extract_event_stream or print_event_token?
> You can comment out the print_event_token first, then try again. Then try another one.
> Is it convenient?
ACK!

1st: a plain "make" in the build dir made the problem vanish because then the gcc option "-fstack-protector" from the "rpm -bp ..." was missing :-(

With -fstack-protector I was able to reproduce/debug and find the real problem: iw_hexdump() does not honor its parameter "buflen" and thus trashes the stack when it gets called here

    case IWEVASSOCRESPIE:
      printf("Association Response IEs:%s\n",

with buflen==128 and datalen==165 (so needing 330+1 bytes buffer space for the hex dump...). RTFM taught me that snprintf() will return 2 even for size==0 or size<0 (showing that the output was clipped if return >= size)!

Here is my patch to avoid a) any buffer overflow and b) show the whole hex dump for that AP packet (see below).

--------------------------------------------------------------
wireless_tools.30 > diff -u iwevent.c{~,} --- iwevent.c~ 2008-05-16 01:18:52.000000000 +0200 +++ iwevent.c 2010-09-15 10:38:08.000000000 +0200 @@ -285,8 +285,10 @@ size_t i; char * pos = buf; - for(i = 0; i < datalen; i++) + for(i = 0; i < datalen; i++) { + if (buf + buflen - pos < 2+1) break; pos += snprintf(pos, buf + buflen - pos, "%02X", data[i]); + } return buf; }
@@ -299,7 +301,7 @@ struct iw_range * iw_range, /* Range info */ int has_range) { - char buffer[128]; /* Temporary buffer */ + char buffer[512]; /* Temporary buffer */ char buffer2[30]; /* Temporary buffer */ char * prefix = (IW_IS_GET(event->cmd) ? "New" : "Set");
-------------------------------------------------------------

The correct output should look like this:

08:38:21.512101 wlan0 Set ESSID:"context"
08:38:21.746297 wlan0 Association Response IEs:010882848B962430486C32040C1218602D1A1C181AFFFFFF00000000000000D80007000000000000000000003D160B001700000000000000000000000000000000000000DD090010180212F4010000DD180050F2020101000003A4000027A4000042435E0062322F00DD1E00904C331C181AFFFF000000000000000000000000000000000000000000DD1A00904C340B001700000000000000000000000000000000000000
08:38:21.746470 wlan0 New Access Point/Cell address:00:21:29:D3:8C:86
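Review bot: in the iw_hexdump hunk, the new guard `if (buf + buflen - pos < 2+1) break;` leaves `buf` without a terminating NUL whenever buflen is 0, 1 or 2, because the loop breaks before snprintf ever runs and `return buf;` then hands back uninitialized stack memory; add `if (buflen) *buf = '\0';` before the loop (or return early on buflen == 0). The guard itself is the right fix, since snprintf returns the length it wanted to write rather than what fit, so without it `pos` walks past the end of the buffer and the next size argument wraps. Two smaller points: the caller gets no signal that the dump was clipped (consider returning the number of bytes rendered or appending a marker when `i < datalen`), and `2+1` deserves a comment or named constant ("2 hex digits + NUL") so the bound explains itself.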
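Review bot: in the print_event_token hunk, growing `char buffer[128]` to `char buffer[512]` covers the 165-byte IE blob from this report (331 bytes needed) but is still an arbitrary fixed bound; with the first hunk's guard in place, a larger IE set no longer overflows but is silently truncated, so either state that in a comment next to the declaration or size the buffer from the largest IE payload the driver can deliver instead of picking 512 by hand.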
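As an added illustration (my own code, not the wireless_tools source and not Harald's patch): a bounded hex dump in the same spirit as the fixed iw_hexdump() that also always NUL-terminates and returns how many input bytes it rendered, so the caller can tell that a 128-byte buffer clipped a 165-byte IE blob instead of overflowing. The 165-byte payload and the helper names are constructed for the example.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Bounded hex dump in the spirit of the fixed iw_hexdump(): never writes
 * past buf + buflen, always NUL-terminates when buflen > 0, and returns
 * the number of input bytes rendered so the caller can detect clipping. */
size_t hexdump_bounded(char *buf, size_t buflen,
                       const unsigned char *data, size_t datalen)
{
    size_t i;
    char *pos = buf;
    if (buflen == 0)
        return 0;          /* not even room for the terminating NUL */
    *buf = '\0';
    for (i = 0; i < datalen; i++) {
        size_t left = (size_t)(buf + buflen - pos);
        if (left < 3)      /* 2 hex digits + NUL must fit */
            break;
        /* snprintf returns the length it wanted to write, not what fit;
         * the check above guarantees that is exactly 2 here. */
        pos += snprintf(pos, left, "%02X", data[i]);
    }
    return i;
}

/* Constructed 165-byte payload (hypothetical), the same length as the
 * association response IEs in the report. Returns bytes rendered and
 * stores the resulting string length in *out_len. */
static size_t run(size_t buflen, size_t *out_len)
{
    unsigned char data[165];
    char buf[512];         /* buflen must be <= sizeof buf */
    size_t k;
    for (k = 0; k < sizeof data; k++)
        data[k] = (unsigned char)k;
    k = hexdump_bounded(buf, buflen, data, sizeof data);
    *out_len = strlen(buf);
    return k;
}

/* 128 is the buggy buffer size from the report: 63 bytes fit, 102 are clipped;
 * 512 (the patched size) renders all 165 bytes as 330 characters. */
size_t demo_bytes(size_t buflen) { size_t l; return run(buflen, &l); }
size_t demo_len(size_t buflen)   { size_t l; run(buflen, &l); return l; }
```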