From b908c50a819ed9ae443ac6e17a077add9e0f5326 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 1 Mar 2014 00:15:07 +0200
Subject: [PATCH] Clear hostapd bss entry to NULL on add-interface-failure

It looks like leaving behind the freed pointed at the end of the array could end up in a crash triggered by double free in some cases.

Signed-off-by: Jouni Malinen
---
 src/ap/hostapd.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
index 75baec0e8..435a4e51b 100644
--- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c
@@ -1807,6 +1807,7 @@ int hostapd_add_iface(struct hapd_interfaces *interfaces, char *buf)
 if (start_ctrl_iface_bss(hapd) < 0 ||
 (hapd_iface->state == HAPD_IFACE_ENABLED &&
 hostapd_setup_bss(hapd, -1))) {
+ hapd_iface->bss[hapd_iface->num_bss - 1] = NULL;
 hapd_iface->conf->num_bss--;
 hapd_iface->num_bss--;
 wpa_printf(MSG_DEBUG, "%s: free hapd %p %s",
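Review bot: Only the `bss[]` slot is cleared by the added line; the parallel per-interface config entry is merely counted out by `hapd_iface->conf->num_bss--` on the next line, so if the config array (presumably `conf->bss[]`) still holds the pointer to the new bss config and that config is released further down this error path, the same stale-pointer-at-end-of-array pattern this commit fixes for `bss[]` survives for the config side. Consider mirroring the fix with `hapd_iface->conf->bss[hapd_iface->conf->num_bss - 1] = NULL;` before the decrement, or adding a comment stating who owns and frees that config entry. The new line also relies on the bss being rolled back always sitting at index `num_bss - 1`; a one-line comment such as `/* roll back the bss just appended at the last slot; it is still reachable via the local hapd for freeing */` would make that invariant explicit for the next reader, since the free itself (suggested by the "free hapd" log line) is outside the hunk. hostapd_add_iface continues past the hunk, so the remainder of the error path could not be checked here.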