[PATCH]Double free on WPS error case
Masashi Honma
honma
Fri Jan 30 01:42:59 PST 2009
Hello.
On "wpas_wps_init function" error case, "wps" area will be freed. But "wpas_wps_deinit" will free the identical area too on the trailing process.
Below is patch.
diff --git a/wpa_supplicant/wps_supplicant.c b/wpa_supplicant/wps_supplicant.c
index 9b73601..8f4fe82 100644
--- a/wpa_supplicant/wps_supplicant.c
+++ b/wpa_supplicant/wps_supplicant.c
@@ -516,20 +516,17 @@ int wpas_wps_init(struct wpa_supplicant *wpa_s)
pos = os_strchr(wpa_s->conf->device_type, '-');
if (pos == NULL) {
wpa_printf(MSG_ERROR, "WPS: Invalid device_type");
- os_free(wps);
return -1;
}
pos++;
if (hexstr2bin(pos, oui, 4)) {
wpa_printf(MSG_ERROR, "WPS: Invalid device_type OUI");
- os_free(wps);
return -1;
}
wps->dev.oui = WPA_GET_BE32(oui);
pos = os_strchr(pos, '-');
if (pos == NULL) {
wpa_printf(MSG_ERROR, "WPS: Invalid device_type");
- os_free(wps);
return -1;
}
pos++;
@@ -556,7 +553,6 @@ int wpas_wps_init(struct wpa_supplicant *wpa_s)
wps->registrar = wps_registrar_init(wps, &rcfg);
if (wps->registrar == NULL) {
wpa_printf(MSG_DEBUG, "Failed to initialize WPS Registrar");
- os_free(wps);
return -1;
}
Regards,
Masashi Honma.
More information about the Hostap
mailing list