hostapd: Make sure hapd->drv_priv gets cleared on driver deinit
Couple of code paths in hostapd.c could have left hapd->drv_priv pointing to memory that was freed in driver_nl80211.c when a secondary BSS interface is removed. This could result in use of freed memory and segfault on the next driver operation (likely during interface deinit/removal). Fix this by clearing hapd->drv_priv when there is reason to believe that the old value is not valid within the driver wrapper anymore. Signed-off-by: Jouni Malinen <j@w1.fi>
parent
438e13339d
commit
d92bdf9602
1 changed files with 10 additions and 1 deletions
|
@ -284,6 +284,13 @@ static void hostapd_free_hapd_data(struct hostapd_data *hapd)
|
|||
"Failed to remove BSS interface %s",
|
||||
hapd->conf->iface);
|
||||
hapd->interface_added = 1;
|
||||
} else {
|
||||
/*
|
||||
* Since this was a dynamically added interface, the
|
||||
* driver wrapper may have removed its internal instance
|
||||
* and hapd->drv_priv is not valid anymore.
|
||||
*/
|
||||
hapd->drv_priv = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1617,8 +1624,10 @@ void hostapd_interface_deinit_free(struct hostapd_iface *iface)
|
|||
hostapd_interface_deinit(iface);
|
||||
wpa_printf(MSG_DEBUG, "%s: driver=%p drv_priv=%p -> hapd_deinit",
|
||||
__func__, driver, drv_priv);
|
||||
if (driver && driver->hapd_deinit && drv_priv)
|
||||
if (driver && driver->hapd_deinit && drv_priv) {
|
||||
driver->hapd_deinit(drv_priv);
|
||||
iface->bss[0]->drv_priv = NULL;
|
||||
}
|
||||
hostapd_interface_free(iface);
|
||||
}
|
||||
|
||||
|
|
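Review bot: The stale-pointer clearing is still partial: hostapd_interface_deinit_free() resets only `iface->bss[0]->drv_priv`, and hostapd_free_hapd_data() resets `hapd->drv_priv` only on the branch where hostapd_if_remove() succeeded. A BSS whose removal failed therefore keeps its old drv_priv across the later `driver->hapd_deinit(drv_priv)` call. Whether hapd_deinit releases per-BSS driver state is not visible in these hunks, but if it does, that pointer dangles until hostapd_interface_free() runs. Consider clearing every entry after the deinit call, e.g. `for (i = 0; i < iface->num_bss; i++) iface->bss[i]->drv_priv = NULL;`, and add a short comment above the new assignment such as `/* driver wrapper data was freed by hapd_deinit(); do not leave a dangling drv_priv */`, matching the comment the first hunk already carries. Both function bodies start outside the hunks shown, so where the local `drv_priv` is captured cannot be checked from here.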