[PATCH] BSS: Fix use-after-realloc

Eliad Peller eliad
Mon Mar 5 02:30:15 PST 2012

After reallocation of the bss struct, current_bss
wasn't updated and could hold an invalid pointer
(which might get dereferenced later).

Update current_bss if the pointer was changed.

Signed-hostap: Eliad Peller <eliad at wizery.com>
intended-for: hostap-1
realloc is pretty dangerous if a reference could be
saved somewhere. i suspect there might be similar issues
in the codebase, but i haven't looked at it throughtly.

 wpa_supplicant/bss.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/wpa_supplicant/bss.c b/wpa_supplicant/bss.c
index 2a5bb85..c0b4331 100644
--- a/wpa_supplicant/bss.c
+++ b/wpa_supplicant/bss.c
@@ -333,6 +333,8 @@ static void wpa_bss_update(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
 				  res->ie_len + res->beacon_ie_len);
 			bss->ie_len = res->ie_len;
 			bss->beacon_ie_len = res->beacon_ie_len;
+			if (wpa_s->current_bss == bss)
+				wpa_s->current_bss = nbss;
 		dl_list_add(prev, &bss->list_id);

More information about the Hostap mailing list