[PATCH]Double free on WPS error case

[Jouni Malinen]

On Fri, Jan 30, 2009 at 06:42:59PM +0900, Masashi Honma wrote:

> On "wpas_wps_init function" error case, "wps" area will be freed. But "wpas_wps_deinit" will free the identical area too on the trailing process.

How would wpas_wps_deinit() know what to free in the error case? The wps
pointer is lost when returning from wpas_wps_init() on all error paths.
I do not see a code path that would result in freeing the struct
wps_context data twice.

-- 
Jouni Malinen                                            PGP id EFC895FA