Bug 167467 - xsupplicant crashes with a buffer overflow error
Summary: xsupplicant crashes with a buffer overflow error
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: xsupplicant
Version: 4
Hardware: i686
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tom "spot" Callaway
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-09-02 21:31 UTC by Josh Boyer
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-11-29 20:57:54 UTC
Type: ---
Embargoed:


Attachments
back trace from gdb run with debuginfo package installed (5.57 KB, text/plain)
2005-09-12 13:07 UTC, Josh Boyer
latest backtrace (5.50 KB, text/plain)
2005-09-20 13:12 UTC, Josh Boyer

Description Josh Boyer 2005-09-02 21:31:40 UTC
Description of problem:

When I start xsupplicant on my Thinkpad, I get the following error output:

[root@windu ~]# *** buffer overflow detected ***: xsupplicant terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0xb00c45]
xsupplicant[0x80691f7]
xsupplicant[0x80698ef]
xsupplicant[0x8069f48]
xsupplicant[0x806b55a]
xsupplicant[0x804b03c]
xsupplicant[0x804b1c3]
/lib/libc.so.6(__libc_start_main+0xdf)[0xa37d5f]
xsupplicant[0x804a7d1]
======= Memory map: ========
001b8000-001ba000 r-xp 00000000 03:03 1219863    /lib/libcom_err.so.2.1
001ba000-001bb000 rwxp 00001000 03:03 1219863    /lib/libcom_err.so.2.1
001de000-001e0000 r-xp 00000000 03:03 907641     /usr/lib/libkrb5support.so.0.0
001e0000-001e1000 rwxp 00001000 03:03 907641     /usr/lib/libkrb5support.so.0.0
001e3000-00206000 r-xp 00000000 03:03 907642     /usr/lib/libk5crypto.so.3.0
00206000-00207000 rwxp 00023000 03:03 907642     /usr/lib/libk5crypto.so.3.0
00209000-00278000 r-xp 00000000 03:03 907643     /usr/lib/libkrb5.so.3.2
00278000-0027b000 rwxp 0006e000 03:03 907643     /usr/lib/libkrb5.so.3.2
00308000-0031f000 r-xp 00000000 03:03 907644     /usr/lib/libgssapi_krb5.so.2.2
0031f000-00320000 rwxp 00017000 03:03 907644     /usr/lib/libgssapi_krb5.so.2.2
0037e000-00476000 r-xp 00000000 03:03 1219864    /lib/libcrypto.so.0.9.7f
00476000-00488000 rwxp 000f8000 03:03 1219864    /lib/libcrypto.so.0.9.7f
00488000-0048b000 rwxp 00488000 00:00 0
0048d000-004c2000 r-xp 00000000 03:03 1219865    /lib/libssl.so.0.9.7f
004c2000-004c5000 rwxp 00035000 03:03 1219865    /lib/libssl.so.0.9.7f
00a05000-00a1f000 r-xp 00000000 03:03 1216050    /lib/ld-2.3.5.so
00a1f000-00a20000 r-xp 00019000 03:03 1216050    /lib/ld-2.3.5.so
00a20000-00a21000 rwxp 0001a000 03:03 1216050    /lib/ld-2.3.5.so
00a23000-00b46000 r-xp 00000000 03:03 1218183    /lib/libc-2.3.5.so
00b46000-00b48000 r-xp 00123000 03:03 1218183    /lib/libc-2.3.5.so
00b48000-00b4a000 rwxp 00125000 03:03 1218183    /lib/libc-2.3.5.so
00b4a000-00b4c000 rwxp 00b4a000 00:00 0
00b4e000-00b50000 r-xp 00000000 03:03 1218405    /lib/libdl-2.3.5.so
00b50000-00b51000 r-xp 00001000 03:03 1218405    /lib/libdl-2.3.5.so
00b51000-00b52000 rwxp 00002000 03:03 1218405    /lib/libdl-2.3.5.so
00b7b000-00b8d000 r-xp 00000000 03:03 905880     /usr/lib/libz.so.1.2.2.2
00b8d000-00b8e000 rwxp 00011000 03:03 905880     /usr/lib/libz.so.1.2.2.2
00ba4000-00bb3000 r-xp 00000000 03:03 1219856    /lib/libresolv-2.3.5.so
00bb3000-00bb4000 r-xp 0000e000 03:03 1219856    /lib/libresolv-2.3.5.so
00bb4000-00bb5000 rwxp 0000f000 03:03 1219856    /lib/libresolv-2.3.5.so
00bb5000-00bb7000 rwxp 00bb5000 00:00 0
00ca0000-00ca9000 r-xp 00000000 03:03 1219855    /lib/libgcc_s-4.0.1-20050727.so.1
00ca9000-00caa000 rwxp 00009000 03:03 1219855    /lib/libgcc_s-4.0.1-20050727.so.1
00da2000-00da3000 r-xp 00da2000 00:00 0
08047000-08082000 r-xp 00000000 03:03 899040     /usr/sbin/xsupplicant
08082000-08083000 rw-p 0003b000 03:03 899040     /usr/sbin/xsupplicant
08083000-08084000 rw-p 08083000 00:00 0
0955f000-09580000 rw-p 0955f000 00:00 0          [heap]
b7f13000-b7f16000 rw-p b7f13000 00:00 0
b7f22000-b7f26000 rw-p b7f22000 00:00 0
bfb11000-bfb26000 rw-p bfb11000 00:00 0          [stack]



Version-Release number of selected component (if applicable):

[root@windu ~]# rpm -q xsupplicant
xsupplicant-1.2-1.fc4

How reproducible:

Always

Steps to Reproduce:
1. Config wireless card to network
2. Start xsupplicant
3.
  
Actual results:

Above error is reported

Expected results:

It doesn't crash at least ;)

Additional info:

Comment 1 Tom "spot" Callaway 2005-09-04 13:31:52 UTC
Hrm, that's never good. Well, short of actually having your xsupplicant config
(when I run xsupplicant, it just presents me with usage messages...), there are
a few things I can do to see if it alleviates the issue.

1. Update to xsupplicant-1.2.1
2. Patch-fix all the warnings that gcc4 throws (a lot of signed/unsigned errors)

So... in xsupplicant-1.2.1-1 (which should now be built in the buildsystem),
both of those items are done. Please test it and see if it does the same thing.

If it doesn't, please close this bug, but if it does, please attach your configs.

Comment 2 Josh Boyer 2005-09-04 16:59:41 UTC
Ok, I'll update and try again Tuesday morning when I have access to the network
I need xsupplicant for.  I'll be sure to let you know how it works out.

Comment 3 Tom "spot" Callaway 2005-09-04 22:20:16 UTC
This turned out to be 1.2.1-4. Stupid docbook. :)

Comment 4 Josh Boyer 2005-09-07 01:23:00 UTC
I updated but the network was down.  Will try again tomorrow.

Comment 5 Josh Boyer 2005-09-09 12:19:48 UTC
Still get a buffer overflow error:

[root@windu ~]# xsupplicant -f -c /home/jwboyer/xsupplicant.conf -i eth0
Your card is currently set for wireless network "XXX".  Looking for a config.
*** buffer overflow detected ***: xsupplicant terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0xb00c45]
xsupplicant[0x8069a77]
xsupplicant[0x806a16f]
xsupplicant[0x806a621]
xsupplicant[0x806a6c6]
xsupplicant[0x806a82e]
xsupplicant[0x806bdda]
xsupplicant[0x804b0bd]
xsupplicant[0x804b243]
/lib/libc.so.6(__libc_start_main+0xdf)[0xa37d5f]
xsupplicant[0x804a7d1]
======= Memory map: ========
001b8000-001ba000 r-xp 00000000 03:03 1219863    /lib/libcom_err.so.2.1
001ba000-001bb000 rwxp 00001000 03:03 1219863    /lib/libcom_err.so.2.1
001de000-001e0000 r-xp 00000000 03:03 907641     /usr/lib/libkrb5support.so.0.0
001e0000-001e1000 rwxp 00001000 03:03 907641     /usr/lib/libkrb5support.so.0.0
001e3000-00206000 r-xp 00000000 03:03 907642     /usr/lib/libk5crypto.so.3.0
00206000-00207000 rwxp 00023000 03:03 907642     /usr/lib/libk5crypto.so.3.0
00209000-00278000 r-xp 00000000 03:03 907643     /usr/lib/libkrb5.so.3.2
00278000-0027b000 rwxp 0006e000 03:03 907643     /usr/lib/libkrb5.so.3.2
00308000-0031f000 r-xp 00000000 03:03 907644     /usr/lib/libgssapi_krb5.so.2.2
0031f000-00320000 rwxp 00017000 03:03 907644     /usr/lib/libgssapi_krb5.so.2.2
0037e000-00476000 r-xp 00000000 03:03 1219864    /lib/libcrypto.so.0.9.7f
00476000-00488000 rwxp 000f8000 03:03 1219864    /lib/libcrypto.so.0.9.7f
00488000-0048b000 rwxp 00488000 00:00 0
0048d000-004c2000 r-xp 00000000 03:03 1219865    /lib/libssl.so.0.9.7f
004c2000-004c5000 rwxp 00035000 03:03 1219865    /lib/libssl.so.0.9.7f
004cd000-004ce000 r-xp 004cd000 00:00 0
00a05000-00a1f000 r-xp 00000000 03:03 1216050    /lib/ld-2.3.5.so
00a1f000-00a20000 r-xp 00019000 03:03 1216050    /lib/ld-2.3.5.so
00a20000-00a21000 rwxp 0001a000 03:03 1216050    /lib/ld-2.3.5.so
00a23000-00b46000 r-xp 00000000 03:03 1218183    /lib/libc-2.3.5.so
00b46000-00b48000 r-xp 00123000 03:03 1218183    /lib/libc-2.3.5.so
00b48000-00b4a000 rwxp 00125000 03:03 1218183    /lib/libc-2.3.5.so
00b4a000-00b4c000 rwxp 00b4a000 00:00 0
00b4e000-00b50000 r-xp 00000000 03:03 1218405    /lib/libdl-2.3.5.so
00b50000-00b51000 r-xp 00001000 03:03 1218405    /lib/libdl-2.3.5.so
00b51000-00b52000 rwxp 00002000 03:03 1218405    /lib/libdl-2.3.5.so
00b7b000-00b8d000 r-xp 00000000 03:03 905880     /usr/lib/libz.so.1.2.2.2
00b8d000-00b8e000 rwxp 00011000 03:03 905880     /usr/lib/libz.so.1.2.2.2
00ba4000-00bb3000 r-xp 00000000 03:03 1219856    /lib/libresolv-2.3.5.so
00bb3000-00bb4000 r-xp 0000e000 03:03 1219856    /lib/libresolv-2.3.5.so
00bb4000-00bb5000 rwxp 0000f000 03:03 1219856    /lib/libresolv-2.3.5.so
00bb5000-00bb7000 rwxp 00bb5000 00:00 0
00ca0000-00ca9000 r-xp 00000000 03:03 1219855    /lib/libgcc_s-4.0.1-20050727.so.1
00ca9000-00caa000 rwxp 00009000 03:03 1219855    /lib/libgcc_s-4.0.1-20050727.so.1
08047000-08083000 r-xp 00000000 03:03 900850     /usr/sbin/xsupplicant
08083000-08084000 rw-p 0003c000 03:03 900850     /usr/sbin/xsupplicant
08084000-08085000 rw-p 08084000 00:00 0
08c8b000-08cac000 rw-p 08c8b000 00:00 0          [heap]
b7fe8000-b7feb000 rw-p b7fe8000 00:00 0
b7ff8000-b7ffb000 rw-p b7ff8000 00:00 0
bfbe5000-bfbfb000 rw-p bfbe5000 00:00 0          [stack]
Aborted
[root@windu ~]# rpm -q xsupplicant
xsupplicant-1.2.1-4.fc4



Comment 6 Josh Boyer 2005-09-09 12:21:58 UTC
Here's my config file.  NOTE: the network name has been changed

# This is an example configuration file for xsupplicant versions after 0.8b.

### GLOBAL SECTION

# network_list: defines all of the networks in this file which 
#      should be kept in memory and used.Comma delimited list or "all"
#      for keeping all defined configurations in memory. For efficiency,
#      keep only the networks you might roam to in memory.
#      To avoid errors, make sure your default network is always
#      in the network_list.  In general, you will want to leave this set to 
#      "all".

network_list = FOO
#network_list = default, test1, test2

# default_netname: some users may actually have a network named "default".
#      since "default" is a keyword in the network section below, you can
#      change which is to be used as the replacement for this keyword

default_netname = FOO
#default_netname = my_defaults

# destination: defines how Xsupplicant should determine the destination address
# that should be used for the 802.1X conversation.
#
# Valid Options are :
#    Auto - respond to source address from the last packet we saw.
#    Source - same as Auto
#    BSSID - Always answer to the BSSID of the AP we are associated to.
#    Multicast - always use the multicast address defined in 802.1X-2001.
#
#destination = auto

# When running in daemon, or non-foreground mode, you may want to have the
# output of the program.  So, define a log file here.  Each time XSupplicant
# is started, this file will be replaced.  So, there is no need to roll the
# log file.
logfile = /var/log/xsupplicant.log

# The auth_period, held_period, and max_starts modify the timers in the state
# machine.  (Please reference the 802.1x spec for info on how they are used.)
# For most people, there is no reason to define these values, as the defaults
# should work.

#auth_period = 30

#held_period = 30

#max_starts = 3

# The "default_interface" is the interface that will be used if one is not
# specified on the command line.  

#default_interface = eth1

# For most people, the default setting for "allmulti" will work just fine.  In
# some cases, wireless cards have been known to not work when ALLMULTI is 
# enabled.  (Such as certain Orinoco cards, with older drivers.)  If "allmulti"
# is set to "no", XSupplicant will not attempt to change the state of the 
# setting in the driver.  So, you should make sure to do an "ifconfig ethX
# -allmulti".

#allmulti = no

###  NETWORK SECTION
# The general format of the network section is a network name followed
# by a group of variables.

# Network names may contain the following characters: a-z, A-Z, 0-9, '-', 
# '_', '\', '/'
# Those interested in having an SSID with ANY character in it can use
# the ssid tag within the network clause. Otherwise, your ssid will
# be the name of the network.

## The default network is not a network itself. These values are 
## the default used for any network parameters not overridden 
## in another section. If it's not in your network configuration
## and not in your default, it won't work!!

FOO {
	type = wireless
	wireless_control = no
	allow_types = eap-leap

	identity = "jwboyer.xxx"

	eap-leap {
		username = "jwboyer.xx"
		password = "<removed>"
	}
}

Comment 7 Arjan van de Ven 2005-09-11 09:56:46 UTC
can you install the matching debuginfo package? that will result in a much
better backtrace

Comment 8 Josh Boyer 2005-09-12 13:07:54 UTC
Created attachment 118708 [details]
back trace from gdb run with debuginfo package installed

Here is a back trace from a gdb session with the debuginfo package installed

Comment 9 Arjan van de Ven 2005-09-14 11:59:15 UTC
line 165-167 of cardif_linux_rtnetlink.c are:
            case SIOCGIWFREQ:
              memcpy(&freq, &iwe->u.freq, iwe->len);
              freq = freq/100;



that memcpy line is at fault here. "freq" is an unsigned int variable, and thus
4 bytes in size. It seems for some reason that iwe->len is bigger than 4.. which
then would overflow the "freq" variable.

Looks like really nasty code; why use memcpy to assign an "int" in the first place??
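
The copy Arjan quotes in comment 9, and the fortified-build abort spot describes in comment 13, as an added C example that is not xsupplicant's code: it rebuilds the same length confusion on a constructed, Wireless Extensions style event stream so the overwrite is visible, and puts a bounds-checked parser beside it. The struct layouts, the sample stream, and the names build_sample_stream, copy_like_xsupplicant and parse_freq_checked are assumptions of the example, not taken from the bug report or from xsupplicant; the real iw_event layout is only approximated.

```c
/*
 * Added example, not xsupplicant's code: the length-confusion copy from
 * comment 9 reproduced in isolation, beside a bounds-checked parser.
 * Assumptions (mine, not the bug report's): the layout is a simplified
 * stand-in for the Linux Wireless Extensions event stream (u16 len,
 * u16 cmd, payload), where `len` counts the header as well as the
 * payload and the SIOCGIWFREQ payload is an 8-byte struct, so len is
 * 12, not 4.  The event stream is constructed, not captured from a driver.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIOCGIWFREQ   0x8B05u  /* WE "get frequency" command number */
#define SIOCGIWMODE   0x8B07u  /* WE "get mode"; the record that follows */
#define IW_EV_LCP_LEN 4        /* u16 len + u16 cmd */
#define CANARY        0xDEADBEEFu

struct iw_freq {               /* same shape as the WE frequency payload */
    int32_t m;                 /* mantissa: value = m * 10^e */
    int16_t e;
    uint8_t i;                 /* channel / list index */
    uint8_t flags;
};

/* Destination for the unchecked copy: the 4-byte `freq` the original
 * code used plus two canaries standing in for its stack neighbours.
 * One 12-byte object keeps the overwrite observable and defined. */
struct probe {
    unsigned int freq;
    uint32_t canary0;
    uint32_t canary1;
};

uint8_t stream[32];            /* constructed event stream, filled below */

static void put16(uint8_t *p, uint16_t v) { memcpy(p, &v, sizeof v); }

/* Two back-to-back events: SIOCGIWFREQ (len 12), then SIOCGIWMODE (len 8). */
size_t build_sample_stream(void)
{
    struct iw_freq f = { 2412, 6, 1, 0 };   /* 2412 * 10^6 Hz */
    uint32_t mode = 2;                      /* "managed" */
    uint8_t *p = stream;

    put16(p, (uint16_t)(IW_EV_LCP_LEN + sizeof f));
    put16(p + 2, SIOCGIWFREQ);
    memcpy(p + IW_EV_LCP_LEN, &f, sizeof f);
    p += IW_EV_LCP_LEN + sizeof f;

    put16(p, (uint16_t)(IW_EV_LCP_LEN + sizeof mode));
    put16(p + 2, SIOCGIWMODE);
    memcpy(p + IW_EV_LCP_LEN, &mode, sizeof mode);
    p += IW_EV_LCP_LEN + sizeof mode;

    return (size_t)(p - stream);            /* 20 bytes */
}

/* The pattern from comment 9: the record's own length drives a copy into
 * a 4-byte variable.  The first 4 bytes land in freq, so the value looks
 * right; the remaining 8 overwrite whatever follows it.  A _FORTIFY_SOURCE
 * build knows sizeof(freq) at compile time and aborts via __chk_fail. */
struct probe copy_like_xsupplicant(const uint8_t *ev)
{
    struct probe p = { 0, CANARY, CANARY };
    uint16_t len;
    memcpy(&len, ev, sizeof len);
    memcpy(&p, ev + IW_EV_LCP_LEN, len);    /* BUG: len (12) > sizeof p.freq (4) */
    return p;
}

/* Hardened parser: every `len` is checked against the bytes that remain,
 * the payload against the destination type, and the copy uses the
 * destination's size, never the record's.  Returns 0 on success, -1 for
 * a malformed stream, 1 if no frequency record is present. */
int parse_freq_checked(const uint8_t *buf, size_t buflen, struct iw_freq *out)
{
    size_t off = 0;

    while (buflen - off >= IW_EV_LCP_LEN) {
        uint16_t len, cmd;
        memcpy(&len, buf + off, sizeof len);
        memcpy(&cmd, buf + off + 2, sizeof cmd);

        if (len < IW_EV_LCP_LEN || len > buflen - off)
            return -1;                      /* length lies: refuse the stream */
        if (cmd == SIOCGIWFREQ) {
            if ((size_t)len - IW_EV_LCP_LEN < sizeof *out)
                return -1;                  /* payload too short for the type */
            memcpy(out, buf + off + IW_EV_LCP_LEN, sizeof *out);
            return 0;
        }
        off += len;
    }
    return 1;
}

int main(void)
{
    struct iw_freq f;
    size_t n = build_sample_stream();
    struct probe p = copy_like_xsupplicant(stream);

    printf("unchecked: freq=%u canaries=%08x %08x (were %08x)\n",
           p.freq, p.canary0, p.canary1, CANARY);
    if (parse_freq_checked(stream, n, &f) == 0)
        printf("checked:   m=%d e=%d (m * 10^e Hz)\n", f.m, f.e);
    return 0;
}
```

Built with the flags spot refers to in comment 13 (Fedora's -O2 -D_FORTIFY_SOURCE=2), a memcpy into a 4-byte local whose length is only known at run time becomes __memcpy_chk with sizeof(freq) as the known destination size, which is the __chk_fail frame at the top of both backtraces on this bug; without those flags the same copy silently overwrites the neighbouring stack slots, and the frequency value itself comes out right, which is why the bug can go unnoticed on other builds. The probe struct in the example absorbs the 12-byte write on purpose so the run completes; in the real binary the destination was the bare 4-byte unsigned int.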

Comment 10 Josh Boyer 2005-09-20 13:12:33 UTC
Created attachment 119025 [details]
latest backtrace

I updated to the latest xsupplicant.  No dice.  I still get the same backtrace.


[jwboyer@windu ~]$ rpm -qa | grep xsupplicant
xsupplicant-1.2.1-5.fc4
xsupplicant-debuginfo-1.2.1-5.fc4
[jwboyer@windu ~]$

Comment 11 Josh Boyer 2005-09-20 13:15:09 UTC
This is the kernel I'm using, if that makes any difference:

[jwboyer@windu ~]$ uname -r
2.6.12-1.1447_FC4

I'm also using the airo wireless module.



Comment 12 G. de Vries 2005-10-02 15:52:27 UTC
In my setup (FC4 with madwifi drivers), xsupplicant is generating exactly the
same error. Now I'm not an expert in this field, but is it an idea to report
this bug upstream at the open1x-xsupplicant project? As far as I can see (and
again, I'm not an expert) this buffer overflow is just a general programming
error and will affect non-fedora users as well.

Comment 13 Tom "spot" Callaway 2005-10-05 19:26:56 UTC
This is the case. I just hate to hand off bugs to upstream without at least
attempting to fix them. This bug is really a potential security vulnerability.
Fedora Core 4 (and rawhide) are using compiler flags to stop programs with
overflows from executing, so other users not using those compiler flags are
likely unaware of this bug.

Arjan, I tried to fix this myself, but it didn't work. Can you help me out?

Comment 14 Arjan van de Ven 2005-10-05 19:29:39 UTC
I think this is a case of finding whoever wrote that code and finding out what
he really meant to write. That's a lot harder to reverse engineer from this...

(and I don't run crappy binary junk linked into my kernel so I can't reproduce
anyway)

Comment 15 Josh Boyer 2005-10-05 21:14:24 UTC
(In reply to comment #14)
> 
> (and I don't run crappy binary junk linked into my kernel so I can't reproduce
> anyway)

Crappy binary junk?  I don't think I'm running crappy binary junk in my kernel
either...  Care to expand on that a bit?


Comment 16 Tom "spot" Callaway 2005-10-05 22:11:46 UTC
I think he's referring to madwifi.

Comment 17 Tom "spot" Callaway 2005-10-05 22:58:25 UTC
I contacted upstream about this issue today.

Comment 18 Arjan van de Ven 2005-10-06 05:58:33 UTC
yeah I meant the binary only madwifi driver

Comment 19 Josh Boyer 2005-11-29 20:56:36 UTC
The latest xsupplicant package seems to have fixed this.  I no longer get buffer
overflows.

Thanks!

