From e3b5bd81bdb666e13322248d18307317714bf461 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sat, 23 Feb 2019 12:59:10 +0200
Subject: [PATCH] UBSan: Fix RRM beacon processing attempt without scan_info

Some driver interfaces (e.g., wext) might not include the
data->scan_info information and data could be NULL here. Do not try to
call the RRM handler in this case since that would dereference the NULL
pointer when determining where scan_info is located and could
potentially result in trying to read from unexpected location if RRM is
enabled with a driver interface that does not support it.

events.c:1907:59: runtime error: member access within null pointer of type 'union wpa_event_data'

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 wpa_supplicant/events.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index f2462d794..daca69cdb 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -1,6 +1,6 @@
 /*
  * WPA Supplicant - Driver event processing
- * Copyright (c) 2003-2017, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2003-2019, Jouni Malinen <j@w1.fi>
  *
  * This software may be distributed under the terms of the BSD license.
  * See README for more details.
@@ -1903,7 +1903,7 @@ static int _wpa_supplicant_event_scan_results(struct wpa_supplicant *wpa_s,
 	if (sme_proc_obss_scan(wpa_s) > 0)
 		goto scan_work_done;
 
-	if (own_request &&
+	if (own_request && data &&
 	    wpas_beacon_rep_scan_process(wpa_s, scan_res, &data->scan_info) > 0)
 		goto scan_work_done;