[PATCH] BSS: Fix use-after-realloc

Eliad Peller eliad at wizery.com
Mon Mar 5 09:34:44 EST 2012


On Mon, Mar 5, 2012 at 4:22 PM, Jouni Malinen <j at w1.fi> wrote:
> On Mon, Mar 05, 2012 at 12:30:15PM +0200, Eliad Peller wrote:
>> After reallocation of the bss struct, current_bss
>> wasn't updated and could hold an invalid pointer
>> (which might get dereferenced later).
>>
>> Update current_bss if the pointer was changed.
>
> Thanks for catching this!
>

>> diff --git a/wpa_supplicant/bss.c b/wpa_supplicant/bss.c
>> @@ -333,6 +333,8 @@ static void wpa_bss_update(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
>>                                 res->ie_len + res->beacon_ie_len);
>>                       bss->ie_len = res->ie_len;
>>                       bss->beacon_ie_len = res->beacon_ie_len;
>> +                     if (wpa_s->current_bss == bss)
>> +                             wpa_s->current_bss = nbss;
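Review bot: the new check `if (wpa_s->current_bss == bss)` sits after the context lines that already write into the reallocated object (`bss->ie_len = res->ie_len;`), i.e. at a point where `bss` evidently already holds the new pointer, so `bss == nbss` and the assignment `wpa_s->current_bss = nbss` never repairs a stale `current_bss`. Move the check to just before `bss` is reassigned to `nbss`, or save the pre-realloc pointer in a local and compare `wpa_s->current_bss` against that, so the stale pointer is actually detected. A one-line comment noting that the realloc may move the object would also help a later reader see why the update is needed.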
>
> This is broken.. bss == nbss here. I would assume you wanted to do that
> just before the "bss = nbss;" line.
>
Err... You are right, of course.
Thanks for catching this! :)

Do you want me to resend, or can you just fix and apply it?

Eliad.

