[PATCH 6/7] TDLS: remove peer from global peer-list on free
Jouni Malinen
Mon Jun 16 13:53:28 PDT 2014
On Tue, Jun 10, 2014 at 09:19:09PM +0300, Ilan Peer wrote:
> From: Arik Nemtsov <arik at wizery.com>
>
> Also fix a small bug where a peer was used after free.
Hmm.. Could you please clarify where that bug is? I'd assume this was
referring to the addition of the tmp pointer here:
> void wpa_tdls_teardown_peers(struct wpa_sm *sm)
> {
> - struct wpa_tdls_peer *peer;
> + struct wpa_tdls_peer *peer, *tmp;
>
> peer = sm->tdls;
>
> wpa_printf(MSG_DEBUG, "TDLS: Tear down peers");
>
> while (peer) {
> + tmp = peer->next;
> wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR,
> MAC2STR(peer->addr));
> if (sm->tdls_external_setup)
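Review bot: `tmp = peer->next;` at the top of the loop needs a comment saying why the successor is saved before the teardown call, because nothing in this hunk shows the peer being unlinked or freed inside the loop body. A name such as `next` would also read better than `tmp`. Saving only the successor covers removal of the current peer; if the teardown path could ever remove a different entry from the list, the saved pointer would be stale, so the comment should state that assumption.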
> @@ -2634,7 +2660,7 @@ void wpa_tdls_teardown_peers(struct wpa_sm *sm)
> else
> wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr);
>
> - peer = peer->next;
> + peer = tmp;
> }
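Review bot: The commit message calls this a use-after-free fix, but the old `peer = peer->next;` at the end of the loop only reads freed memory if one of the calls above it frees `peer`, and these lines do not show which call does. Name that call in the commit message, or say that the reordering is required by the list removal this patch adds, so the claim can be checked against the code.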
But that would not be a use after free before the other parts of this
patch were applied (wpa_tdls_peer_free() does not currently free the
peer data, it only clears a number of items in it).
Did I miss something else that would be using freed memory?
--
Jouni Malinen PGP id EFC895FA