[PATCH 6/7] TDLS: remove peer from global peer-list on free
arik at wizery.com
Tue Jun 17 10:50:44 EDT 2014
On Tue, Jun 17, 2014 at 5:21 PM, Jouni Malinen <j at w1.fi> wrote:
> On Tue, Jun 17, 2014 at 09:25:31AM +0300, Arik Nemtsov wrote:
>> No you're correct. Before, it wasn't a use-after-free per-se, since
>> data wasn't freed.
> OK, thanks.
>> My wording was not accurate. But I'd argue that it's nicer to use "tmp" anyway.
> Sure, that's fine. However, this patch introduces a number of cases where
> freed memory is accessed. Have you tried running this against the hwsim
> test cases? I would strongly recommend doing so for new contributions
> especially when changing allocation style. As an example, wpa_supplicant
> for wlan1 would crash in ap_wpa2_tdls_concurrent_init. More generally,
> any path where wpa_tdls_disable_peer_link(sm, peer) is followed by
> anything dereferencing the peer pointer will break. There are multiple
> such cases in tdls.c.
You're right. I actually have an internal patch for that, but we'll do
some more testing to make sure we didn't miss any of the cases.
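As an added illustration (not code from this thread or from hostap) of the failure mode Jouni describes: once the disable call frees and unlinks the peer, a caller that still advances with `peer = peer->next` reads freed memory, and saving the successor in `tmp` before the call is the fix. The names tdls_sm, tdls_peer, tdls_add_peer, tdls_teardown_all and tdls_demo are hypothetical simplifications, not the real tdls.c structures.

```c
#include <stdlib.h>
/* Hypothetical, simplified stand-in for the TDLS peer list (not hostap code). */
struct tdls_peer { struct tdls_peer *next; };
struct tdls_sm { struct tdls_peer *peers; int peer_count; };

static struct tdls_peer *tdls_add_peer(struct tdls_sm *sm)
{
	struct tdls_peer *peer = calloc(1, sizeof(*peer));
	if (!peer)
		return NULL;
	peer->next = sm->peers;   /* push onto the global peer list */
	sm->peers = peer;
	sm->peer_count++;
	return peer;
}

static void tdls_disable_peer_link(struct tdls_sm *sm, struct tdls_peer *peer)
{
	struct tdls_peer **pp = &sm->peers;
	while (*pp && *pp != peer)
		pp = &(*pp)->next;
	if (*pp) {
		*pp = peer->next;   /* unlink from the global list */
		sm->peer_count--;
	}
	free(peer);   /* the caller's `peer` pointer dangles from here on */
}

/* Tear down every link; `peer = peer->next` in the loop header would read freed memory. */
static int tdls_teardown_all(struct tdls_sm *sm)
{
	struct tdls_peer *peer, *tmp;
	int n = 0;
	for (peer = sm->peers; peer; peer = tmp) {
		tmp = peer->next;   /* saved before the call that frees peer */
		tdls_disable_peer_link(sm, peer);
		n++;
	}
	return n;
}

/* Builds three peers and tears them all down: returns 3, or -1 if the list is inconsistent. */
static int tdls_demo(void)
{
	struct tdls_sm sm = { NULL, 0 };
	int n;
	for (int i = 0; i < 3; i++) tdls_add_peer(&sm);
	n = tdls_teardown_all(&sm);
	return (sm.peers == NULL && sm.peer_count == 0) ? n : -1;
}
```

Running the same teardown with the unsafe loop header under AddressSanitizer or valgrind reports the heap-use-after-free at the `peer->next` read, which is the kind of path the hwsim test cases exercise.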