From 7efc7f66b1d63b3bbb99d9176f6f68c4d1fc6327 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Tue, 17 Jun 2014 01:55:36 +0300
Subject: [PATCH] TDLS: Fix TPK M1 error case (CID 68214)

Commit 342bce63cdb375bc64ce1cbcdb9e6f48acdea1e3 introduced a possibility of a NULL pointer dereference on the error path if a new peer entry fails to get added (i.e., memory allocation failure). Fix that by skipping the wpa_tdls_peer_free() call if necessary.

Signed-off-by: Jouni Malinen
---
 src/rsn_supp/tdls.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c
index 14139ba9e..59ed2c92d 100644
--- a/src/rsn_supp/tdls.c
+++ b/src/rsn_supp/tdls.c
@@ -1920,7 +1920,8 @@ skip_rsn_check:
 error:
 wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken, status);
- wpa_tdls_peer_free(sm, peer);
+ if (peer)
+ wpa_tdls_peer_free(sm, peer);
 return -1;
 }
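Review bot: The NULL guard at the `error:` label protects only this one call to wpa_tdls_peer_free(); the hunk does not show whether any other caller can reach that function with a NULL peer, so an early return on NULL at the top of the callee would cover every path in the manner of free(NULL), if that fits its contract. If the guard stays at the call site, a comment such as `/* peer is NULL if the new peer entry could not be allocated */` would record why it is needed, since the label is presumably reached from several failure branches. The path processes a setup message received from another station, so a dereference here under memory pressure would take down the whole supplicant rather than just failing one link setup. The function body begins outside the hunk, so which `goto error` sites leave peer unset cannot be confirmed from the visible lines.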