From ab41595f3524e397107c82213ed5b1cac8ce09bf Mon Sep 17 00:00:00 2001
From: Moshe Benji
Date: Sun, 15 Dec 2013 10:50:07 +0200
Subject: [PATCH] wpa_supplicant: Fix crash when terminating all interfaces
In wpa_supplicant_terminate_proc(), while iterating and terminating interfaces, after an interface is terminated, we can no longer access its memory as it is no longer valid and causes a crash. Fix this by saving the pointer to the next interface before freeing the current one to avoid accessing an invalid memory location.
Signed-hostap: Moshe Benji
---
 wpa_supplicant/wpa_supplicant.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index f25f546ca..897974b6f 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -725,6 +725,7 @@ void wpa_supplicant_terminate_proc(struct wpa_global *global)
 #ifdef CONFIG_WPS
 struct wpa_supplicant *wpa_s = global->ifaces;
 while (wpa_s) {
+ struct wpa_supplicant *next = wpa_s->next;
 #ifdef CONFIG_P2P
 if (wpa_s->p2p_group_interface != NOT_P2P_GROUP_INTERFACE ||
 (wpa_s->current_ssid && wpa_s->current_ssid->p2p_group))
@@ -732,7 +733,7 @@ void wpa_supplicant_terminate_proc(struct wpa_global *global)
 #endif /* CONFIG_P2P */
 if (wpas_wps_terminate_pending(wpa_s) == 1)
 pending = 1;
- wpa_s = wpa_s->next;
+ wpa_s = next;
 }
 #endif /* CONFIG_WPS */
 if (pending)
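Review bot: `wpas_wps_terminate_pending(wpa_s)` in the second hunk is still called after the CONFIG_P2P branch has run, so if the interface is freed by the statement under that `if` (it falls between the two hunks and is not shown), the saved `next` protects only the loop advance and this call still reads freed memory. Moving `if (wpas_wps_terminate_pending(wpa_s) == 1)` and `pending = 1;` above the `#ifdef CONFIG_P2P` block would keep every use of `wpa_s` ahead of the point where it can go away. The saved `next` also assumes that terminating one interface never removes its successor from `global->ifaces`; a comment at `struct wpa_supplicant *next = wpa_s->next;` such as `/* wpa_s may be freed below; next must remain valid across this iteration */` would record that assumption for later maintainers. The body of wpa_supplicant_terminate_proc() starts before the first hunk and continues past the second.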