DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

P2P: Clean wpa_s->last_ssid when removing a temporary group network

Browse source 
wpa_supplicant could crash due to dereferencing freed memory in a corner
case. When a reestablished P2P GO group gets removed because the
hardware mode is not supported when switching from 2.4 to 5 GHz. Group
removal in wpas_p2p_group_delete() forget to clean wpa_s->last_ssid due
to the missing wpas_notify_network_removed() call before removing the
network with wpa_config_remove_network().

That could cause a crash when flushing old BSSs which age out in
wpa_bss_flush_by_age() which uses wpa_s->last_ssid in some cases.

Fix this by invoking wpas_notify_network_removed() to clean
wpa_s->last_ssid when removing a temporary P2P group network.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This commit is contained in:
Xin Deng 2023-07-10 23:18:38 -07:00 committed by Jouni Malinen
parent fe72afe713
commit 47a65ccbfd
1 changed files with 1 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
wpa_supplicant/p2p_supplicant.c
View file

@ -1085,6 +1085,7 @@ static int wpas_p2p_group_delete(struct wpa_supplicant *wpa_s,
* Likewise, we don't send out network removed signals for such
* network objects.
*/
wpas_notify_network_removed(wpa_s, ssid);
wpa_config_remove_network(wpa_s->conf, id);
wpa_supplicant_clear_status(wpa_s);
wpa_supplicant_cancel_sched_scan(wpa_s);