From c61bc23aa28091e47166622ffd35b4178e99a823 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Tue, 6 Jan 2015 16:45:16 +0200
Subject: [PATCH] D-Bus: Fix byte array dict entry parser in out-of-memory case

entry->bytearray_value was left to point to freed memory in case os_realloc_array() failed. This resulted in the following wpa_dbus_dict_entry_clear() trying to free an already freed memory area.

Signed-off-by: Jouni Malinen
---
 wpa_supplicant/dbus/dbus_dict_helpers.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/wpa_supplicant/dbus/dbus_dict_helpers.c b/wpa_supplicant/dbus/dbus_dict_helpers.c
index 317661a9b..c9615ad8b 100644
--- a/wpa_supplicant/dbus/dbus_dict_helpers.c
+++ b/wpa_supplicant/dbus/dbus_dict_helpers.c
@@ -700,7 +700,6 @@ static dbus_bool_t _wpa_dbus_dict_entry_get_byte_array(
 if (!buffer) return FALSE;
- entry->bytearray_value = buffer;
 entry->array_len = 0;
 while (dbus_message_iter_get_arg_type(iter) == DBUS_TYPE_BYTE) {
 char byte;
@@ -718,13 +717,13 @@ static dbus_bool_t _wpa_dbus_dict_entry_get_byte_array(
 }
 buffer = nbuffer;
 }
- entry->bytearray_value = buffer;
 dbus_message_iter_get_basic(iter, &byte);
- entry->bytearray_value[count] = byte;
+ buffer[count] = byte;
 entry->array_len = ++count;
 dbus_message_iter_next(iter);
 }
+ entry->bytearray_value = buffer;
 wpa_hexdump_key(MSG_MSGDUMP, "dbus: byte array contents", entry->bytearray_value, entry->array_len);
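Review bot: In the second hunk `entry->array_len = ++count;` still runs inside the loop while the pointer is now published only after it, so on the os_realloc_array() failure path (which lies outside the hunk) the entry can be left with a non-zero array_len and a bytearray_value this function never assigned. Publishing both together after the loop, `entry->bytearray_value = buffer;` followed by `entry->array_len = count;`, would keep length and pointer consistent for any code that inspects the entry after a failure. The fix also appears to rely on bytearray_value being NULL, or at least not owned, when the function bails out, since wpa_dbus_dict_entry_clear() frees it. That initialisation is not visible in either hunk, so it is worth confirming and stating next to the assignment, e.g. `/* bytearray_value must stay NULL until the buffer is complete; entry_clear() frees it */`. The function body starts before the first hunk and continues past the second.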