[PATCH 6/7] TDLS: remove peer from global peer-list on free

Jouni Malinen j
Mon Jun 16 13:53:28 PDT 2014


On Tue, Jun 10, 2014 at 09:19:09PM +0300, Ilan Peer wrote:
> From: Arik Nemtsov <arik at wizery.com>
> 
> Also fix a small bug where a peer was used after free.

Hmm.. Could you please clarify where that bug is? I'd assume this was
referring to the addition of the tmp pointer here:

>  void wpa_tdls_teardown_peers(struct wpa_sm *sm)
>  {
> -	struct wpa_tdls_peer *peer;
> +	struct wpa_tdls_peer *peer, *tmp;
>  
>  	peer = sm->tdls;
>  
>  	wpa_printf(MSG_DEBUG, "TDLS: Tear down peers");
>  
>  	while (peer) {
> +		tmp = peer->next;
>  		wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR,
>  			   MAC2STR(peer->addr));
>  		if (sm->tdls_external_setup)
> @@ -2634,7 +2660,7 @@ void wpa_tdls_teardown_peers(struct wpa_sm *sm)
>  		else
>  			wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr);
>  
> -		peer = peer->next;
> +		peer = tmp;
>  	}

But that would not be use after free before the other parts of this
patch were applied (wpa_tdls_peer_free() does not currently free the
peer data, it only clears number of items in it).

Did I miss something else that would be using freed memory?

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the Hostap mailing list