Exit after one pin attempt about reaver-wps HOT 23 CLOSED

Dec 29 16:32:21 fedora kernel: [1446351.705655] reaver[27494]: segfault at 48 
ip 0000000000411206 sp 00007fff3d4b5960 error 4 in reaver[400000+3d000]

This is probably related to issue #6...what wireless card and driver are you 
using?

awus036h - rtl8187

Can you provide a core dump or valgrind log?

Same issue with Atheros 9285 useing ath9k driver

Just checked in some code that may be a fix for this. Can anyone check out the 
latest SVN code and see if the bug still exists?

I am also have this issue using ALFA AWUS036H(rtl8187). I'm assuming it's 
crashing because sometimes no output is displayed, indicating that the attempt 
was unsuccessful.

after one pIN in 1.1 ver

root@bt:/opt/wpa/reaver-1.1/src# reaver -i mon1 -b 00:1C:DF:99:EC:B4 -vv

Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<[email protected]>

[+] Waiting for beacon from 00:1C:DF:99:EC:B4
[+] Switching mon1 to channel 1
[+] Associated with 00:1C:DF:99:EC:B4 (ESSID: belkin54g)
[+] Trying pin 64816807
Segmentation fault

valgrind --track-origins=yes ./reaver -i mon0 -b 00:1C:F0:C2:BF:27 -vv
==29147== Memcheck, a memory error detector
==29147== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==29147== Using Valgrind-3.6.1 and LibVEX; rerun with -h for copyright info
==29147== Command: ./reaver -i mon0 -b 00:1C:F0:C2:BF:27 -vv
==29147== 

Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<[email protected]>

[+] Waiting for beacon from 00:1C:F0:C4:BF:26
[+] Switching mon0 to channel 10
[+] Associated with 00:1C:F0:C4:BF:26 (ESSID: Test)
==29147== Conditional jump or move depends on uninitialised value(s)
==29147==    at 0x4071C5: get_wps_data_element (in 
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147==    by 0x406C97: parse_wps_tag (in 
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147==    by 0x406B69: parse_wps_parameters (in 
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147==    by 0x403578: is_wps_locked (80211.c:133)
==29147==    by 0x404BD7: crack (cracker.c:105)
==29147==    by 0x402460: main (wpscrack.c:80)
==29147==  Uninitialised value was created by a stack allocation
==29147==    at 0x406B72: parse_wps_tag (in 
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147== 
==29147== Invalid read of size 4
==29147==    at 0x410F52: wps_registrar_init (in 
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147==    by 0x406077: initialize_wps_data (init.c:56)
==29147==    by 0x404BE2: crack (cracker.c:117)
==29147==    by 0x402460: main (wpscrack.c:80)
==29147==  Address 0x4d1dfe4 is 0 bytes after a block of size 84 alloc'd
==29147==    at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==29147==    by 0x40600E: initialize_wps_data (init.c:32)
==29147==    by 0x404BE2: crack (cracker.c:117)
==29147==    by 0x402460: main (wpscrack.c:80)
==29147== 
==29147== Invalid read of size 8
==29147==    at 0x40F38E: wps_init (in 
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147==    by 0x406099: initialize_wps_data (init.c:68)
==29147==    by 0x404BE2: crack (cracker.c:117)
==29147==    by 0x402460: main (wpscrack.c:80)
==29147==  Address 0x4d1df48 is 56 bytes inside a block of size 60 alloc'd
==29147==    at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==29147==    by 0x405FE1: initialize_wps_data (init.c:24)
==29147==    by 0x404BE2: crack (cracker.c:117)
==29147==    by 0x402460: main (wpscrack.c:80)
==29147== 
==29147== Invalid read of size 4
==29147==    at 0x40F3C2: wps_init (in 
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147==    by 0x406099: initialize_wps_data (init.c:68)
==29147==    by 0x404BE2: crack (cracker.c:117)
==29147==    by 0x402460: main (wpscrack.c:80)
==29147==  Address 0x4d1df50 is 4 bytes after a block of size 60 alloc'd
==29147==    at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==29147==    by 0x405FE1: initialize_wps_data (init.c:24)
==29147==    by 0x404BE2: crack (cracker.c:117)
==29147==    by 0x402460: main (wpscrack.c:80)
==29147== 
[+] Trying pin 27176948
==29147== Invalid read of size 8
==29147==    at 0x411368: wps_registrar_get_pin (in 
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147==    by 0x4121C6: wps_get_dev_password (in 
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147==    by 0x413E29: wps_registrar_get_msg (in 
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147==    by 0x406718: send_msg (send.c:80)
==29147==    by 0x405384: do_wps_exchange (exchange.c:66)
==29147==    by 0x404CC6: crack (cracker.c:160)
==29147==    by 0x402460: main (wpscrack.c:80)
==29147==  Address 0x48 is not stack'd, malloc'd or (recently) free'd
==29147== 
==29147== 
==29147== Process terminating with default action of signal 11 (SIGSEGV)
==29147==  Access not within mapped region at address 0x48
==29147==    at 0x411368: wps_registrar_get_pin (in 
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147==    by 0x4121C6: wps_get_dev_password (in 
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147==    by 0x413E29: wps_registrar_get_msg (in 
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147==    by 0x406718: send_msg (send.c:80)
==29147==    by 0x405384: do_wps_exchange (exchange.c:66)
==29147==    by 0x404CC6: crack (cracker.c:160)
==29147==    by 0x402460: main (wpscrack.c:80)
==29147==  If you believe this happened as a result of a stack
==29147==  overflow in your program's main thread (unlikely but
==29147==  possible), you can try to increase the size of the
==29147==  main thread stack using the --main-stacksize= flag.
==29147==  The main thread stack size used in this run was 8388608.
==29147== 
==29147== HEAP SUMMARY:
==29147==     in use at exit: 155,143 bytes in 11,025 blocks
==29147==   total heap usage: 11,085 allocs, 60 frees, 157,789 bytes allocated
==29147== 
==29147== LEAK SUMMARY:
==29147==    definitely lost: 54,915 bytes in 11,007 blocks
==29147==    indirectly lost: 10,322 bytes in 6 blocks
==29147==      possibly lost: 0 bytes in 0 blocks
==29147==    still reachable: 89,906 bytes in 12 blocks
==29147==         suppressed: 0 bytes in 0 blocks
==29147== Rerun with --leak-check=full to see details of leaked memory
==29147== 
==29147== For counts of detected and suppressed errors, rerun with: -v
==29147== ERROR SUMMARY: 18 errors from 5 contexts (suppressed: 2 from 2)
Segmentation fault (core dumped)

Tried revision 12, problem still arising.

Looks like there are some unhandled NULL pointer exceptions. Added null checks 
to the latest check in, try now.

Just tried revision 14. Sometimes it gives "[!] WARNING: Receive timeout 
occurred" and sometimes it exits with nothing.

just tried revision 14 tries 1 pin and segfaults

[+] Trying pin 97035473
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[+] Trying pin 97035473
[!] WARNING: Last message not processed properly, reverting state to previous 
message
[+] Trying pin 97035473

revision 15

as of revision 16 the segfault is cleared..

i am trying with some SSID but what is get is...
[+] Waiting for beacon from 74:EA:3A:D5:E3:3A
[+] Switching mon0 to channel 1
[+] Associated with 74:EA:3A:D5:E3:3A (ESSID: Gecevi)
[+] Trying pin 71951249
[+] Trying pin 71951249
[+] Trying pin 71951249
[+] Trying pin 71951249
[+] Trying pin 71951249
[!] WARNING: Receive timeout occurred
[+] Trying pin 71951249
[!] WARNING: Receive timeout occurred
[+] 0.00% complete @ 0 seconds/attempt
[+] Trying pin 71951249
[!] WARNING: Receive timeout occurred
[+] Trying pin 71951249
[+] Trying pin 71951249

but again nothing happens..

/reaver -i mon0 -b 74:EA:3A:B9:E3:B0 -vv

Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<[email protected]>

[+] Waiting for beacon from 74:EA:3A:B9:E3:B0
[+] Switching mon0 to channel 11
[+] Associated with 74:EA:3A:B9:E3:B0 (ESSID: RADDY)
[+] Trying pin 04781530
[!] WARNING: Receive timeout occurred
[+] Trying pin 04781530
[!] WARNING: Receive timeout occurred
[+] Trying pin 04781530
[!] WARNING: Receive timeout occurred
[+] Trying pin 04781530
[!] WARNING: Receive timeout occurred
[+] Trying pin 04781530
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[+] Trying pin 04781530
^C

I am also getting the same output as comment 15 and 16.

Actually the svn 16 again core dumped..
My first try was with Backtrack 5 on x64bit and it does not segfault but was 
only trying same PIn..
However on x64 Fedora 16 svn 16 
i got:

/reaver -i mon0 -b 70:71:BC:26:EE:C0 -vv

Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
<[email protected]>

[+] Waiting for beacon from 70:71:BC:26:EE:C0
[+] Switching mon0 to channel 2
[+] Switching mon0 to channel 3
[+] Switching mon0 to channel 1
[+] Associated with 70:71:BC:26:EE:C0 (ESSID: fe5f4c)
[+] Trying pin 98850471
Segmentation fault (core dumped)

DMESG:


[ 1862.958153] reaver[5202] general protection ip:40f3df sp:7fff32cc7ca0 
error:0 in reaver[400000+3d000]

after 
debuginfo-install glibc-2.14.90-21.x86_64 libpcap-1.1.1-4.fc16.x86_64

(gdb) backtrace 
#0  0x000000000040f3df in wps_init ()
#1  0x00000000004060a1 in initialize_wps_data () at init.c:72
#2  0x0000000000404be3 in crack () at cracker.c:117
#3  0x0000000000402461 in main (argc=6, argv=<optimized out>) at wpscrack.c:80

[deleted comment]

The latest code (r20) seems to have fixed these issues. Please check out the 
lastet code and verify.

Issues 5 & 6 are the same; more comments have been happening on issue #6, so 
rolling this into #6.