From bd6ec7f7cadd7f66ef613406caf6d7b2ae6ae431 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Wed, 8 Feb 2017 17:37:50 +0200
Subject: [PATCH] Fix MAC ACL query freeing on deinit

hapd->acl_cache and hapd->acl_queries were not reset back to NULL in hostapd_acl_deinit() when cached results and pending ACL queries were freed. This left stale pointers to freed memory in hapd. While this was normally followed by freeing of the hapd data, it is possible to re-use that hapd when disabling and re-enabling an interface. That sequence could result in use of freed memory if done while there were cached results or pending ACL operations with a RADIUS server (especially, if that server did not reply). Fix this by setting hapd->acl_queries to NULL when the pending entries are freed.

Signed-off-by: Jouni Malinen
---
 src/ap/ieee802_11_auth.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c
index b89053736..1e0358cec 100644
--- a/src/ap/ieee802_11_auth.c
+++ b/src/ap/ieee802_11_auth.c
@@ -665,9 +665,11 @@ void hostapd_acl_deinit(struct hostapd_data *hapd)
 #ifndef CONFIG_NO_RADIUS
 hostapd_acl_cache_free(hapd->acl_cache);
+ hapd->acl_cache = NULL;
 #endif /* CONFIG_NO_RADIUS */
 query = hapd->acl_queries;
+ hapd->acl_queries = NULL;
 while (query) {
 prev = query;
 query = query->next;
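Review bot: The two added resets in hostapd_acl_deinit() have no comment saying why they are needed, and nothing in the function itself shows that hapd can outlive this call; I would add `/* hapd may be re-used after interface disable/enable; leave no stale pointers */` above `hapd->acl_cache = NULL;` so a later cleanup does not drop them as redundant. Clearing `hapd->acl_queries` before the loop rather than after it is the safer order, because anything that consults the list while entries are being released then sees it empty. The loop body continues past the end of the hunk, so whether each entry's free path also detaches it from any still-pending RADIUS request cannot be checked from here and is worth confirming. A regression test that disables and re-enables the interface with a non-responding RADIUS server, run under a memory-error detector, would keep this from coming back.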