Fix external radio work debug printing on removal
work->type was pointing to the allocated work->ctx buffer and the debug print in radio_work_free() ended up using freed memory if a started external radio work was removed as part of FLUSH command operations. Fix this by updating work->type to point to a constant string in case the dynamic version gets freed. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
		
							parent
							
								
									f260ce4be8
								
							
						
					
					
						commit
						7d1007a674
					
				
					 1 changed files with 7 additions and 0 deletions
				
			
		|  | @ -7268,6 +7268,13 @@ static void wpas_ctrl_radio_work_cb(struct wpa_radio_work *work, int deinit) | ||||||
| 			eloop_cancel_timeout(wpas_ctrl_radio_work_timeout, | 			eloop_cancel_timeout(wpas_ctrl_radio_work_timeout, | ||||||
| 					     work, NULL); | 					     work, NULL); | ||||||
| 
 | 
 | ||||||
|  | 		/*
 | ||||||
|  | 		 * work->type points to a buffer in ework, so need to replace | ||||||
|  | 		 * that here with a fixed string to avoid use of freed memory | ||||||
|  | 		 * in debug prints. | ||||||
|  | 		 */ | ||||||
|  | 		work->type = "freed-ext-work"; | ||||||
|  | 		work->ctx = NULL; | ||||||
| 		os_free(ework); | 		os_free(ework); | ||||||
| 		return; | 		return; | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
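Review bot: The deinit branch repairs the dangling `work->type` only in this callback, so any other path that frees the external work while the `wpa_radio_work` is still live would presumably leave the same use-after-free read in the debug print; those paths are outside this hunk and should be checked for the same pattern. The root cause is that `type` borrows storage owned by `ctx`, and that ownership is not documented where the two are tied together; a comment at that assignment, for example `/* type aliases ework storage; reset it before os_free(ework) */`, would keep a later free path from reintroducing the bug. The function body starts and ends outside the hunk, so the ordering of these assignments relative to the later debug print could not be confirmed from here. A regression test that issues FLUSH with a started external radio work under a memory checker (ASan or valgrind) would catch a recurrence.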
	 Jouni Malinen
						Jouni Malinen