segfault in parse_neighbor_report at src/station.c:1747

[Leonard Lausen <leonard@lausen.nl>]

Hi all,

connecting a laptop with Intel® Wi-Fi 6E AX210 to a Vodafone Wi-Fi 6
Station sometimes triggers a segfault with ell 0.49 and iwd 1.26 in
parse_neighbor_report at src/station.c:1747. Earlier versions of ell and
iwd also segfault. Please see below excerpts from gdb. I can share the
full coredump if helpful. In case you require any further information or
would like me to test a fix, please note I will only have access to this
Station until Thursday April 7th.

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000055f07250580e in parse_neighbor_report (station=station@entry=0x55f0725c8e50,
    reports=reports@entry=0x55f0725cc35b "4\025\354\250\037\231\317", <incomplete sequence \350>, reports_len=reports_len@entry=23,
    set=set@entry=0x7ffca3384ee0) at src/station.c:1747
1747                            cc = station->connected_bss->cc;
(gdb) bt
#0  0x000055f07250580e in parse_neighbor_report (station=station@entry=0x55f0725c8e50,
    reports=reports@entry=0x55f0725cc35b "4\025\354\250\037\231\317", <incomplete sequence \350>, reports_len=reports_len@entry=23,
    set=set@entry=0x7ffca3384ee0) at src/station.c:1747
#1  0x000055f07250928b in station_neighbor_report_cb (netdev=<optimized out>, err=0,
    reports=0x55f0725cc35b "4\025\354\250\037\231\317", <incomplete sequence \350>, reports_len=23, user_data=0x55f0725c8e50) at src/station.c:2481
#2  0x000055f07254f282 in frame_watch_unicast_notify (msg=<optimized out>, user_data=0x55f0725c8580) at src/frame-xchg.c:234
#3  0x00007f8a4b3cca19 in dispatch_unicast_watches () from /usr/lib64/libell.so.0
#4  0x00007f8a4b3ccad1 in process_unicast () from /usr/lib64/libell.so.0
#5  0x00007f8a4b3ccf0b in received_data () from /usr/lib64/libell.so.0
#6  0x00007f8a4b3c7692 in io_callback () from /usr/lib64/libell.so.0
#7  0x00007f8a4b3c5fe7 in l_main_iterate () from /usr/lib64/libell.so.0
#8  0x00007f8a4b3c612e in l_main_run () from /usr/lib64/libell.so.0
#9  0x00007f8a4b3c6461 in l_main_run_with_signal () from /usr/lib64/libell.so.0
#10 0x000055f0724f453b in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:600
(gdb) l
1742                                    util_address_to_string(info.addr),
1743                                    (int) info.channel_num, (int) info.oper_class,
1744                                    info.md ? "MD set" : "MD not set");
1745
1746                    if (station->connected_bss->cc_present)
1747                            cc = station->connected_bss->cc;
1748
1749                    freq = station_freq_from_neighbor_report(cc, &info, &band);
1750                    if (!freq)
1751                            continue;
(gdb) info locals
info = {addr = "\354\250\037\231\317", <incomplete sequence \350>, reachable = 0 '\000', spectrum_mgmt = false, qos = false, apsd = false, rm = false,
  delayed_block_ack = false, immediate_block_ack = false, security = false, key_scope = false, md = false, ht = false, oper_class = 4 '\004',
  channel_num = 11 '\v', phy_type = 0 '\000', bss_transition_pref = 255 '\377', bss_transition_pref_present = true}
freq = <optimized out>
band = <optimized out>
cc = 0x0
iter = {max = 23, pos = 23, tlv = 0x55f0725cc35b "4\025\354\250\037\231\317", <incomplete sequence \350>, tag = 52, len = 21,
  data = 0x55f0725cc35d "\354\250\037\231\317", <incomplete sequence \350>}
count_md = 0
count_no_md = 0
freq_set_md = 0x55f0725d33f0
freq_set_no_md = 0x55f0725d5420
current_freq = 0
hs = 0x0
supported = 0x55f0725c4cc0
__func__ = "parse_neighbor_report"
(gdb) info args
station = 0x55f0725c8e50
reports = 0x55f0725cc35b "4\025\354\250\037\231\317", <incomplete sequence \350>
reports_len = 23
set = 0x7ffca3384ee0

Thank you
Leonard