[PATCH] Double free on WPS error case

Masashi Honma honma at ictec.co.jp
Fri Jan 30 04:42:59 EST 2009


Hello.

In the error case of the "wpas_wps_init" function, the "wps" area will be freed. But "wpas_wps_deinit" will free the identical area too in the subsequent processing.

Below is the patch.

diff --git a/wpa_supplicant/wps_supplicant.c b/wpa_supplicant/wps_supplicant.c
index 9b73601..8f4fe82 100644
--- a/wpa_supplicant/wps_supplicant.c
+++ b/wpa_supplicant/wps_supplicant.c
@@ -516,20 +516,17 @@ int wpas_wps_init(struct wpa_supplicant *wpa_s)
                pos = os_strchr(wpa_s->conf->device_type, '-');
                if (pos == NULL) {
                        wpa_printf(MSG_ERROR, "WPS: Invalid device_type");
-                       os_free(wps);
                        return -1;
                }
                pos++;
                if (hexstr2bin(pos, oui, 4)) {
                        wpa_printf(MSG_ERROR, "WPS: Invalid device_type OUI");
-                       os_free(wps);
                        return -1;
                }
                wps->dev.oui = WPA_GET_BE32(oui);
                pos = os_strchr(pos, '-');
                if (pos == NULL) {
                        wpa_printf(MSG_ERROR, "WPS: Invalid device_type");
-                       os_free(wps);
                        return -1;
                }
                pos++;
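
Review bot: The three device_type error returns now leave wps allocated and depend on a later wpas_wps_deinit call to release it, but nothing in this hunk shows that wpa_s->wps already points at wps when these returns are reached. If that assignment happens later in wpas_wps_init, dropping os_free(wps) here turns the double free into a leak, so please confirm the assignment precedes this block and say so in the commit message or in a short comment at the first return -1. Since all three paths are now identical (log, then return -1), a single shared failure label would also keep the ownership rule in one place.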
@@ -556,7 +553,6 @@ int wpas_wps_init(struct wpa_supplicant *wpa_s)
        wps->registrar = wps_registrar_init(wps, &rcfg);
        if (wps->registrar == NULL) {
                wpa_printf(MSG_DEBUG, "Failed to initialize WPS Registrar");
-               os_free(wps);
                return -1;
        }
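
Review bot: On the wps->registrar == NULL path, the function now returns with a partially initialized wps that has a NULL registrar and leaves it for wpas_wps_deinit to tear down. Please check that the deinit path tolerates wps->registrar == NULL before it frees wps; if it does not, add a NULL guard there as part of this patch. A one-line comment above return -1 noting that wpas_wps_deinit owns the cleanup would keep a later change from reintroducing the os_free(wps) call.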

Regards,
Masashi Honma.


