[PATCH] BSS: Fix use-after-realloc
Mon Mar 5 02:30:15 PST 2012
After reallocation of the bss struct, current_bss
wasn't updated and could hold an invalid pointer
(which might get dereferenced later).
Update current_bss if the pointer was changed.
Signed-hostap: Eliad Peller <eliad at wizery.com>
realloc is pretty dangerous if a reference could be
saved somewhere. i suspect there might be similar issues
in the codebase, but i haven't looked at it throughtly.
wpa_supplicant/bss.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/wpa_supplicant/bss.c b/wpa_supplicant/bss.c
index 2a5bb85..c0b4331 100644
@@ -333,6 +333,8 @@ static void wpa_bss_update(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
res->ie_len + res->beacon_ie_len);
bss->ie_len = res->ie_len;
bss->beacon_ie_len = res->beacon_ie_len;
+ if (wpa_s->current_bss == bss)
+ wpa_s->current_bss = nbss;
More information about the Hostap