From 1574fa1c6c56f49867e4ec644e5a2b30e1c607b1 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Mon, 27 Jun 2016 18:30:11 +0300
Subject: [PATCH] GAS: Fix double-free on an error path

If radio_add_work() fails, gas_query_req() ended up freeing the query payload and returning an error. This resulted in also the caller trying to free the query payload. Fix this by not freeing the buffer within gas_query_req() in error case to be consistent with the other error cases.

Signed-off-by: Jouni Malinen
---
 wpa_supplicant/gas_query.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/wpa_supplicant/gas_query.c b/wpa_supplicant/gas_query.c
index c0c8c46bc..691de0345 100644
--- a/wpa_supplicant/gas_query.c
+++ b/wpa_supplicant/gas_query.c
@@ -774,6 +774,7 @@ int gas_query_req(struct gas_query *gas, const u8 *dst, int freq,
 if (radio_add_work(gas->wpa_s, freq, "gas-query", 0, gas_query_start_cb, query) < 0) {
+ query->req = NULL; /* caller will free this in error case */
 gas_query_free(query, 1);
 return -1;
 }
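Review bot: The ownership rule this fix depends on, that the caller keeps `req` and frees it whenever gas_query_req() returns -1, is stated only in the inline comment on the new `query->req = NULL;` line. Any error path added later, after `query->req` has been assigned, can therefore reintroduce the same double free. I would record the rule in the function's header comment, which lies outside this hunk, for example `Ownership of req passes to the GAS query code only on success; on a negative return the caller still owns req and must free it.` The fix also assumes gas_query_free() tolerates a NULL `req`; that function is not visible here, so it is worth confirming that it passes the pointer to a NULL-safe free. The body of gas_query_req() starts and ends outside the hunk.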