[PATCH] BSS: Fix use-after-realloc
Eliad Peller
eliad at wizery.com
Mon Mar 5 09:34:44 EST 2012
On Mon, Mar 5, 2012 at 4:22 PM, Jouni Malinen <j at w1.fi> wrote:
> On Mon, Mar 05, 2012 at 12:30:15PM +0200, Eliad Peller wrote:
>> After reallocation of the bss struct, current_bss
>> wasn't updated and could hold an invalid pointer
>> (which might get dereferenced later).
>>
>> Update current_bss if the pointer was changed.
>
> Thanks for catching this!
>
>> diff --git a/wpa_supplicant/bss.c b/wpa_supplicant/bss.c
>> @@ -333,6 +333,8 @@ static void wpa_bss_update(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
>> res->ie_len + res->beacon_ie_len);
>> bss->ie_len = res->ie_len;
>> bss->beacon_ie_len = res->beacon_ie_len;
>> + if (wpa_s->current_bss == bss)
>> + wpa_s->current_bss = nbss;
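Review bot: the new check is placed after `bss->beacon_ie_len = res->beacon_ie_len;`, where `bss` has already been reassigned to `nbss`, so `wpa_s->current_bss == bss` compares against the new pointer and can never match the stale one; the use-after-realloc the commit message describes is therefore not fixed. Move the two added lines to just before the `bss = nbss;` assignment, while `bss` still holds the old pointer: `if (wpa_s->current_bss == bss)` / `wpa_s->current_bss = nbss;` / `bss = nbss;`.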
>
> This is broken... bss == nbss here. I would assume you wanted to do that
> just before the "bss = nbss;" line.
>
Err...
You are right, of course.
Thanks for catching this! :)
Do you want me to resend, or can you just fix and apply it?
Eliad.