From d92bdf96028e4f3ed115d5e1055be7061923f7f4 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 31 May 2014 17:11:04 +0300
Subject: [PATCH] hostapd: Make sure hapd->drv_priv gets cleared on driver deinit

Couple of code paths in hostapd.c could have left hapd->drv_priv pointing to memory that was freed in driver_nl80211.c when a secondary BSS interface is removed. This could result in use of freed memory and segfault when the next driver operation (likely during interface deinit/removal).

Fix this by clearing hapd->drv_priv when there is reason to believe that the old value is not valid within the driver wrapper anymore.

Signed-off-by: Jouni Malinen
---
 src/ap/hostapd.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
index a4467cf0b..ed7330193 100644
--- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c
@@ -284,6 +284,13 @@ static void hostapd_free_hapd_data(struct hostapd_data *hapd)
 			   "Failed to remove BSS interface %s",
 			   hapd->conf->iface);
 		hapd->interface_added = 1;
+	} else {
+		/*
+		 * Since this was a dynamically added interface, the
+		 * driver wrapper may have removed its internal instance
+		 * and hapd->drv_priv is not valid anymore.
+		 */
+		hapd->drv_priv = NULL;
 	}
 }
@@ -1617,8 +1624,10 @@ void hostapd_interface_deinit_free(struct hostapd_iface *iface)
 	hostapd_interface_deinit(iface);
 	wpa_printf(MSG_DEBUG, "%s: driver=%p drv_priv=%p -> hapd_deinit",
 		   __func__, driver, drv_priv);
-	if (driver && driver->hapd_deinit && drv_priv)
+	if (driver && driver->hapd_deinit && drv_priv) {
 		driver->hapd_deinit(drv_priv);
+		iface->bss[0]->drv_priv = NULL;
+	}
 	hostapd_interface_free(iface);
 }
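Review bot: The ownership rule this hunk relies on — that a successful BSS removal invalidates hapd->drv_priv because the driver wrapper frees its per-BSS instance — is recorded only in this inline comment, while the failure branch just above keeps hapd->interface_added = 1 and leaves drv_priv untouched, so a later retry path will still see a pointer the wrapper may have already torn down. It would be worth stating the rule once at the drv_priv field declaration, e.g. `/* Owned by the driver wrapper; becomes invalid after a successful bss_remove or hapd_deinit and must be reset to NULL by the caller. */`, so the two clearing sites in this commit and any future one follow the same contract. Whether the failure branch can actually dereference drv_priv again before hostapd_interface_free is not visible here; hostapd_free_hapd_data begins and ends outside the hunk.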
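Review bot: After driver->hapd_deinit(drv_priv) only iface->bss[0]->drv_priv is reset, yet if hapd_deinit tears down the whole driver instance (as the "-> hapd_deinit" debug line suggests), any secondary BSS whose removal failed earlier in hostapd_free_hapd_data still holds its old drv_priv here. The window is small because hostapd_interface_free follows immediately, but that is the same use-after-free class the commit is fixing, so clearing every BSS is safer: `for (j = 0; j < iface->num_bss; j++) iface->bss[j]->drv_priv = NULL;` in place of the single bss[0] assignment. Also note the local drv_priv keeps the dangling value after the call; a short comment `/* drv_priv is dangling from here on */` would make that explicit. Where the local was captured from is outside the hunk, so I cannot confirm it came from bss[0].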