From 8597ebdbd44dd4dfb680a17a1d71c183377a0223 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Mon, 3 Feb 2014 13:24:50 +0200
Subject: [PATCH] Fix hostapd segfault on beacon hint event

Commit 795baf773f6d53bae3cfae4df6edda63e5022344 ('hostapd: Filter channel list updated events after country code change') uses the EVENT_CHANNEL_LIST_CHANGED data pointer, but it updated only one of the callers to provide that data. NL80211_CMD_REG_BEACON_HINT event was still sending the event without the initiator data and resulted in NULL pointer dereference, e.g., if a scan was run while hostapd was running and the driver was in world roaming state and enabled a channel for active scans.

Signed-hostap: Jouni Malinen
---
 src/drivers/driver.h | 1 +
 src/drivers/driver_nl80211.c | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/drivers/driver.h b/src/drivers/driver.h
index 2f4536ee6..7ad857616 100644
--- a/src/drivers/driver.h
+++ b/src/drivers/driver.h
@@ -47,6 +47,7 @@ enum reg_change_initiator {
 REGDOM_SET_BY_USER,
 REGDOM_SET_BY_DRIVER,
 REGDOM_SET_BY_COUNTRY_IE,
+ REGDOM_BEACON_HINT,
 };
 
 /**
diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
index 81f20b376..5323e99c0 100644
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
@@ -3000,8 +3000,10 @@ static void do_process_drv_event(struct i802_bss *bss, int cmd,
 break;
 case NL80211_CMD_REG_BEACON_HINT:
 wpa_printf(MSG_DEBUG, "nl80211: Regulatory beacon hint");
+ os_memset(&data, 0, sizeof(data));
+ data.channel_list_changed.initiator = REGDOM_BEACON_HINT;
 wpa_supplicant_event(drv->ctx, EVENT_CHANNEL_LIST_CHANGED,
- NULL);
+ &data);
 break;
 case NL80211_CMD_NEW_STATION:
 nl80211_new_station_event(drv, tb);
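Review bot: The new `REGDOM_BEACON_HINT` enumerator in `enum reg_change_initiator` has no comment, and it is the only member that does not name a party that set a regulatory domain. Going by the commit message, a beacon hint only reports that the driver enabled a channel, so a one-line comment would spare readers from treating it as a regdomain change, for example `/* channel enabled by a beacon hint; no regulatory domain was set */` (wording to be confirmed against the driver behaviour). Any switch or string table keyed on this enum elsewhere needs a case for the new value; none is visible in this diff.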
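Review bot: This fixes one producer of `EVENT_CHANNEL_LIST_CHANGED`, but the consumer that reads `channel_list_changed.initiator` is not touched in this diff, so any other driver wrapper or call site that still passes `NULL` would hit the same NULL pointer dereference. Since the event is raised by the kernel in response to radio activity around the AP, a crash here is a denial of service that needs no local access. A guard at the point of use would make the handler safe regardless of the caller, along the lines of `if (data == NULL) break;` before the initiator is read, with the exact placement depending on the handler code. `data` is declared outside this hunk and the body of `do_process_drv_event` continues past it, so its type and the other `wpa_supplicant_event()` calls in the switch could not be checked from here.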