[PATCH] p2p: fix rogue pointer access

Jouni Malinen j at w1.fi
Wed Oct 19 17:34:45 EDT 2011


On Wed, Oct 19, 2011 at 10:30:13AM -0700, Angie Chinchilla wrote:
> From: Reinette Chatre <reinette.chatre at intel.com>
> When an interface is added a new wpa_supplicant struct is allocated and
> initialized, which includes P2P initialization. At this time the local
> (touching the wpa_supplicant struct) and global (touching the global
> p2p_data and p2p_config) P2P initialization is done. The global P2P
> initialization only needs to be done once and indeed the test "if
> (global->p2p)" is used to decide whether to do the global initialization or
> not.

Correct.

> A problem is that the global p2p_config structure contains a pointer to the
> newly created wpa_supplicant structure associated with the interface.

Incorrect.. The pointer in global P2P data is supposed to point to the
parent interface, i.e., the wpa_s instance that did indeed run
p2p_init().

> When
> an interface is created it thus needs to be ensured that the global P2P data
> structures point to the right interface information. Thus, when an interface
> is created the global P2P information needs to be updated to point to the new
> wpa_supplicant struct.

No, that is not the way this is supposed to work. The new interface here
is likely to be used for a P2P group and at the end of that group, it
will be removed. That would leave wrong pointers in the global P2P data.

> If the above is not done and a new interface is created, for example after
> a resume, then the P2P data will point to invalid memory and weird things
> happen.

There is something else here.. Are you removing the parent interface
somehow? That is not really supported currently and I guess it should
really result in removing all dynamic P2P interfaces and deinitializing
the global P2P data..

-- 
Jouni Malinen                                            PGP id EFC895FA
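The ownership rule Jouni describes above, as an added illustration that is not wpa_supplicant's own code and not part of this thread: one global P2P context is shared by several per-interface structs; its pointer refers to the parent interface that ran the one-time global init; dynamic group interfaces never repoint it; and removing the parent tears the global state down rather than leaving a dangling pointer. The types `p2p_global` and `wpa_iface` and the functions `iface_add`, `iface_remove`, `global_parent_is_live` and `run_lifecycle_scenario` are hypothetical stand-ins, not names from the hostap tree.

```c
/* Added illustration, not wpa_supplicant code. A minimal model of one global
 * P2P context shared by several interface structs; all names are hypothetical.
 * The global pointer belongs to the parent interface that ran global init;
 * later interfaces must not repoint it, and removing the parent deinits it. */
#include <stdlib.h>
#include <string.h>

struct wpa_iface;

struct p2p_global {              /* stands in for global p2p_data/p2p_config */
    int initialized;             /* the "if (global->p2p)" test from the thread */
    struct wpa_iface *parent;    /* the wpa_s instance that ran p2p_init() */
};

struct wpa_iface {               /* stands in for struct wpa_supplicant */
    char name[16];
    int is_dynamic;              /* P2P group interface, removed when the group ends */
    struct p2p_global *global;
    struct wpa_iface *next;      /* interface list, as wpa_s->next */
};

static struct wpa_iface *ifaces; /* head of the live-interface list */

/* Allocate a new interface. Global P2P init runs only for the first one;
 * later interfaces must NOT repoint global->parent at themselves. */
struct wpa_iface *iface_add(struct p2p_global *g, const char *name, int is_dynamic)
{
    struct wpa_iface *s = calloc(1, sizeof(*s));
    if (!s)
        return NULL;
    strncpy(s->name, name, sizeof(s->name) - 1);
    s->is_dynamic = is_dynamic;
    s->global = g;
    s->next = ifaces;
    ifaces = s;
    if (!g->initialized) {       /* one-time global initialisation */
        g->initialized = 1;
        g->parent = s;
    }
    return s;
}

/* Remove an interface. A child leaves the global state untouched; the parent
 * first removes every dynamic interface, then deinitialises the global context
 * so no pointer to freed memory survives. */
void iface_remove(struct wpa_iface *s)
{
    struct p2p_global *g = s->global;
    struct wpa_iface **pp;

    if (g->parent == s) {
        struct wpa_iface *cur = ifaces;
        while (cur) {
            struct wpa_iface *next = cur->next; /* saved: cur may be freed below */
            if (cur != s && cur->is_dynamic)
                iface_remove(cur);
            cur = next;
        }
        g->parent = NULL;
        g->initialized = 0;
    }
    for (pp = &ifaces; *pp; pp = &(*pp)->next) {
        if (*pp == s) {
            *pp = s->next;
            break;
        }
    }
    free(s);
}

/* 1 if the global parent pointer is either unset or points at a live interface. */
int global_parent_is_live(const struct p2p_global *g)
{
    const struct wpa_iface *cur;
    if (!g->initialized)
        return g->parent == NULL;
    for (cur = ifaces; cur; cur = cur->next)
        if (cur == g->parent)
            return 1;
    return 0;
}

/* Walk the lifecycle from the thread; returns 0 on success, else the failed step. */
int run_lifecycle_scenario(void)
{
    struct p2p_global g = {0, NULL};
    struct wpa_iface *parent = iface_add(&g, "wlan0", 0);
    struct wpa_iface *child = iface_add(&g, "p2p-wlan0-0", 1);
    if (g.parent != parent || !global_parent_is_live(&g))
        return 1;                /* creating a child must not move the pointer */
    iface_remove(child);
    if (g.parent != parent || !global_parent_is_live(&g))
        return 2;                /* group gone, parent pointer still valid */
    iface_add(&g, "p2p-wlan0-1", 1);
    iface_remove(parent);        /* parent removed: global P2P data torn down */
    if (g.initialized || g.parent != NULL || ifaces != NULL)
        return 3;
    return global_parent_is_live(&g) ? 0 : 4;
}
```

The scenario in `run_lifecycle_scenario` follows the thread: the original patch would have repointed the global data at each new (dynamic) interface, which leaves a freed pointer once that group interface is removed; keeping the pointer on the parent, and deinitialising the global data together with the dynamic interfaces when the parent goes away, avoids the invalid memory access described in the report.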

