[PATCH] p2p: fix rogue pointer access

Angie Chinchilla angie.v.chinchilla at intel.com
Wed Oct 19 13:30:13 EDT 2011


From: Reinette Chatre <reinette.chatre at intel.com>

When an interface is added a new wpa_supplicant struct is allocated and
initialized, which includes P2P initialization. At this time the local
(touching the wpa_supplicant struct) and global (touching the global
p2p_data and p2p_config) P2P initialization is done. The global P2P
initialization only needs to be done once and indeed the test "if
(global->p2p)" is used to decide whether to do the global initialization or
not.

A problem is that the global p2p_config structure contains a pointer to the
newly created wpa_supplicant structure associated with the interface. When
an interface is created it thus needs to be ensured that the global P2P data
structures point to the right interface information. Thus, when an interface
is created the global P2P information needs to be updated to point to the new
wpa_supplicant struct.

If the above is not done and a new interface is created, for example after
a resume, then the P2P data will point to invalid memory and weird things
happen.

Signed-off-by: Reinette Chatre <reinette.chatre at intel.com>
Signed-off-by: Angie Chinchilla <angie.v.chinchilla at intel.com>
---
 src/p2p/p2p.c                   |   10 ++++++++++
 src/p2p/p2p.h                   |    2 ++
 wpa_supplicant/p2p_supplicant.c |    5 ++++-
 3 files changed, 16 insertions(+), 1 deletions(-)

diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
index 259f854..c8a639d 100644
--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
@@ -2277,6 +2277,16 @@ int p2p_set_country(struct p2p_data *p2p, const char *country)
 	return 0;
 }
 
+void p2p_set_cb_ctx(struct p2p_data *p2p, void *cb_ctx)
+{
+	p2p->cfg->cb_ctx = cb_ctx;
+}
+
+void p2p_set_msg_ctx(struct p2p_data *p2p, void *msg_ctx)
+{
+	p2p->cfg->msg_ctx = msg_ctx;
+}
+
 
 void p2p_continue_find(struct p2p_data *p2p)
 {
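Review bot: the two new setters dereference `p2p->cfg` unconditionally, which is fine since `p2p_init()` always allocates it, but they silently overwrite a context another interface may still be relying on; a one-line comment above each stating that the caller is responsible for keeping the new `cb_ctx`/`msg_ctx` valid for the lifetime of the shared `p2p_data` would make that contract explicit. Also, the hostap code base separates function definitions with two blank lines, whereas here `p2p_set_cb_ctx` follows `p2p_set_country` and `p2p_set_msg_ctx` follows `p2p_set_cb_ctx` after only one.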
diff --git a/src/p2p/p2p.h b/src/p2p/p2p.h
index 31e83d5..78a1f69 100644
--- a/src/p2p/p2p.h
+++ b/src/p2p/p2p.h
@@ -784,6 +784,8 @@ int p2p_set_sec_dev_types(struct p2p_data *p2p, const u8 dev_types[][8],
 			  size_t num_dev_types);
 
 int p2p_set_country(struct p2p_data *p2p, const char *country);
+void p2p_set_cb_ctx(struct p2p_data *p2p, void *cb_ctx);
+void p2p_set_msg_ctx(struct p2p_data *p2p, void *msg_ctx);
 
 
 /* Commands from upper layer management entity */
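Review bot: the prototypes are added without any description, while the surrounding public API in p2p.h is documented; add a short comment for each, e.g. `/* Update the ctx pointer passed to p2p_config callbacks (cb_ctx) and to wpa_msg() (msg_ctx) */`, noting that the pointer replaces the previous one rather than being added alongside it.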
diff --git a/wpa_supplicant/p2p_supplicant.c b/wpa_supplicant/p2p_supplicant.c
index 9af1839..01fae06 100644
--- a/wpa_supplicant/p2p_supplicant.c
+++ b/wpa_supplicant/p2p_supplicant.c
@@ -2171,8 +2171,11 @@ int wpas_p2p_init(struct wpa_global *global, struct wpa_supplicant *wpa_s)
 		/* Continue anyway; this is not really a fatal error */
 	}
 
-	if (global->p2p)
+	if (global->p2p) {
+		p2p_set_cb_ctx(global->p2p, wpa_s);
+		p2p_set_msg_ctx(global->p2p, wpa_s);
 		return 0;
+	}
 
 	if (wpa_s->drv_flags & WPA_DRIVER_FLAGS_P2P_MGMT) {
 		struct p2p_params params;
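Review bot: re-pointing `cb_ctx`/`msg_ctx` at the interface that most recently ran `wpas_p2p_init()` fixes the stale pointer on interface creation, but the patch adds no matching update on interface removal: if the `wpa_s` that last called `p2p_set_cb_ctx()` is deinitialized while `global->p2p` lives on, the callbacks once again receive a pointer to freed memory, which is the same class of bug the commit message describes. Suggest pairing this with a change in the P2P deinit path that either resets the contexts to a surviving interface or tears down `global->p2p` when its last user goes away, and stating in the commit message that P2P events now originate from whichever interface was initialized last.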
-- 
1.7.0.4