DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

hostapd: Make sure hapd->drv_priv gets cleared on driver deinit

Browse source 
Couple of code paths in hostapd.c could have left hapd->drv_priv
pointing to memory that was freed in driver_nl80211.c when a secondary
BSS interface is removed. This could result in use of freed memory and
segfault when the next driver operation (likely during interface
deinit/removal). Fix this by clearing hapd->drv_priv when there is
reason to believe that the old value is not valid within the driver
wrapper anymore.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2014-05-31 17:11:04 +03:00
parent 438e13339d
commit d92bdf9602
1 changed files with 10 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
src/ap/hostapd.c
View file

@ -284,6 +284,13 @@ static void hostapd_free_hapd_data(struct hostapd_data *hapd)
"Failed to remove BSS interface %s", "Failed to remove BSS interface %s",
hapd->conf->iface); hapd->conf->iface);
hapd->interface_added = 1; hapd->interface_added = 1;
} else {
/*
* Since this was a dynamically added interface, the
* driver wrapper may have removed its internal instance
* and hapd->drv_priv is not valid anymore.
*/
hapd->drv_priv = NULL;
} }
} }
@ -1617,8 +1624,10 @@ void hostapd_interface_deinit_free(struct hostapd_iface *iface)
hostapd_interface_deinit(iface); hostapd_interface_deinit(iface);
wpa_printf(MSG_DEBUG, "%s: driver=%p drv_priv=%p -> hapd_deinit", wpa_printf(MSG_DEBUG, "%s: driver=%p drv_priv=%p -> hapd_deinit",
__func__, driver, drv_priv); __func__, driver, drv_priv);
if (driver && driver->hapd_deinit && drv_priv) if (driver && driver->hapd_deinit && drv_priv) {
driver->hapd_deinit(drv_priv); driver->hapd_deinit(drv_priv);
iface->bss[0]->drv_priv = NULL;
}
hostapd_interface_free(iface); hostapd_interface_free(iface);
} }