[PATCH] Use priority list instead of global for PNO

Jouni Malinen j at w1.fi
Thu Feb 12 08:29:57 EST 2015


On Tue, Feb 10, 2015 at 10:32:23AM -0800, Dmitry Shmidt wrote:
> diff --git a/wpa_supplicant/scan.c b/wpa_supplicant/scan.c
> @@ -2009,9 +2009,11 @@ int wpas_start_pno(struct wpa_supplicant *wpa_s)
>                                         sizeof(struct wpa_driver_scan_filter));
>         i = 0;
> -       ssid = wpa_s->conf->ssid;
> -       while (ssid) {
> +       prio = 0;
> +       ssid = wpa_s->conf->pssid[prio];
> +       while (ssid && (prio < wpa_s->conf->num_prio)) {

> @@ -2028,7 +2030,10 @@ int wpas_start_pno(struct wpa_supplicant *wpa_s)
> -               ssid = ssid->next;
> +               if (ssid->pnext)
> +                       ssid = ssid->pnext;
> +               else
> +                       ssid = wpa_s->conf->pssid[++prio];

It looks like other cases of iterating through ssid->pnext pointers are
using a separate for loop to go through all the prio values (e.g., see
wpa_supplicant_pick_new_network()). Those would allow the
wpa_s->conf->pssid[] array to have a NULL pointer in it. This does not
seem to happen currently, so this is not of that much concern on its own
and the single loop here could be made to work. However, it looks like
the final loop through this would read beyond the end of the pssid[]
array. The while condition would stop that ssid pointer from being used,
but if I understood the implementation here correctly, that
pssid[++prio] would need to be protected with something like

	if (ssid->pnext)
		ssid = ssid->pnext;
	else if (prio + 1 == wpa_s->conf->num_prio)
		break;
	else
		ssid = wpa_s->conf->pssid[++prio];

to avoid potential issues (and analyzer warnings) on reading one pointer
beyond the allocation of the pssid[] array.

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list