Uncancelled timeout in driver_ndis
Jouni Malinen
jkmaline
Mon Aug 28 20:11:09 PDT 2006
On Mon, Aug 28, 2006 at 12:21:53PM +0200, Vincent Maurin wrote:
> I had a memory error when I unplugged my usb wifi adapter while it was
> associated.
> I searched in the code, debugging, and the problem was that some
> timeouts set by the ndis driver weren't cancelled when I removed the
> disappeared interface, so when the timer expired, it tries to access a
> destroyed wpa_supplicant structure.
> In wpa_driver_ndis_scan, this timeout is set:
>     eloop_register_timeout(3, 0, wpa_driver_ndis_scan_timeout, drv,
>                            drv->ctx);
> <http://hostap.epitest.fi/wpa_supplicant/devel/eloop_8c.html#a12>
> In wpa_driver_ndis_deinit, it's not cancelled.
> I wonder if it's my use of wpa supplicant which causes this problem, or
> if it can occur on normal use (then it's a bug).
Thanks for reporting this! This is indeed a bug in driver_ndis.c. If the
interface is removed for any reason during the scan, the timer is left
running. Your fix to eloop_unregister_timeout this in
wpa_driver_ndis_deinit() is the correct way of fixing this and I've
added that to the development branch.
--
Jouni Malinen PGP id EFC895FA
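
The failure mode discussed in this thread, as an added example that is not part of the original messages and is not wpa_supplicant code: a toy timer list (all names hypothetical) in which the scan timeout keeps a pointer to the driver data, so deinit has to cancel it before freeing that data.

```c
/* Added example: toy timer list with hypothetical names, not wpa_supplicant code. */
#include <stdlib.h>
typedef void (*timeout_fn)(void *drv_ctx, void *user_ctx);
struct timer { timeout_fn fn; void *drv_ctx, *user_ctx; struct timer *next; };
static struct timer *timers;  /* pending timeouts, newest first */
static void loop_register_timeout(timeout_fn fn, void *drv_ctx, void *user_ctx) {
    struct timer *t = malloc(sizeof(*t));
    if (!t) return;
    t->fn = fn; t->drv_ctx = drv_ctx; t->user_ctx = user_ctx;
    t->next = timers; timers = t;
}
/* Remove every pending timer matching all three values; return how many. */
static int loop_cancel_timeout(timeout_fn fn, void *drv_ctx, void *user_ctx) {
    int n = 0;
    for (struct timer **p = &timers; *p; ) {
        struct timer *t = *p;
        if (t->fn == fn && t->drv_ctx == drv_ctx && t->user_ctx == user_ctx) {
            *p = t->next; free(t); n++;
        } else p = &t->next;
    }
    return n;
}
/* Expire everything: each callback gets the pointers it was registered with. */
static int loop_fire_all(void) {
    int n = 0;
    while (timers) {
        struct timer *t = timers; timers = t->next;
        t->fn(t->drv_ctx, t->user_ctx); free(t); n++;
    }
    return n;
}

struct drv { void *ctx; int scanning; };
static void drv_scan_timeout(void *d, void *ctx) { (void)ctx; ((struct drv *)d)->scanning = 0; }
static void drv_scan(struct drv *d) { d->scanning = 1; loop_register_timeout(drv_scan_timeout, d, d->ctx); }
/* Returns how many timers still point at d at the moment it is freed (0 = safe). */
static int drv_deinit(struct drv *d, int cancel_first) {
    int dangling = 0;
    if (cancel_first) loop_cancel_timeout(drv_scan_timeout, d, d->ctx);
    for (struct timer *t = timers; t; t = t->next) dangling += (t->drv_ctx == d);
    free(d);
    return dangling;
}
int main(void) {
    struct drv *d = calloc(1, sizeof(*d));
    if (!d) return 1;
    drv_scan(d);
    int dangling = drv_deinit(d, 1);    /* interface removed mid-scan, timer cancelled */
    return dangling + loop_fire_all();  /* exit status 0: nothing left to fire */
}
```

With `cancel_first` set to 0 the function reports one timer still holding the freed pointer, which is the state in which an expiring timeout would write through it.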