[PATCH]Double free on WPS error case

Jouni Malinen j at w1.fi
Fri Jan 30 14:19:42 EST 2009


On Fri, Jan 30, 2009 at 06:42:59PM +0900, Masashi Honma wrote:

> On "wpas_wps_init function" error case, "wps" area will be freed. But "wpas_wps_deinit" will free the identical area too on the trailing process.

How would wpas_wps_deinit() know what to free in the error case? The wps
pointer is lost when returning from wpas_wps_init() on all error paths.
I do not see a code path that would result in freeing the struct
wps_context data twice.

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list