Clear cached extended_capa pointers on hapd_deinit() call
driver->hapd_deinit() is going to free the memory that the cached pointers are pointing to, so clear the pointers to avoid possibility of dereferencing used memory. It seemed to be possible to hit a code path using those fields by issuing a CHAN_SWITCH command on disabled hostapd interface in some cases. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
parent
c48f44e17c
commit
b9058266f0
|
@ -2486,8 +2486,12 @@ static void hostapd_deinit_driver(const struct wpa_driver_ops *driver,
|
||||||
wpa_printf(MSG_DEBUG, "%s:bss[%d]->drv_priv=%p",
|
wpa_printf(MSG_DEBUG, "%s:bss[%d]->drv_priv=%p",
|
||||||
__func__, (int) j,
|
__func__, (int) j,
|
||||||
hapd_iface->bss[j]->drv_priv);
|
hapd_iface->bss[j]->drv_priv);
|
||||||
if (hapd_iface->bss[j]->drv_priv == drv_priv)
|
if (hapd_iface->bss[j]->drv_priv == drv_priv) {
|
||||||
hapd_iface->bss[j]->drv_priv = NULL;
|
hapd_iface->bss[j]->drv_priv = NULL;
|
||||||
|
hapd_iface->extended_capa = NULL;
|
||||||
|
hapd_iface->extended_capa_mask = NULL;
|
||||||
|
hapd_iface->extended_capa_len = 0;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue