[PATCH 2/7] TDLS: bail on STA add failure in tpk_m1 processing

Jouni Malinen j
Mon Jun 16 16:00:26 PDT 2014

On Tue, Jun 10, 2014 at 09:19:05PM +0300, Ilan Peer wrote:
> From: Arik Nemtsov <arik at wizery.com>
> The driver might not be able to add the TDLS STA. Fail if this happens.
> Also fix the error path to always reset the TDLS peer data.

> diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c
> index c08d2f9..e712a4d 100644
> --- a/src/rsn_supp/tdls.c
> +++ b/src/rsn_supp/tdls.c
> @@ -1919,6 +1920,7 @@ skip_rsn_check:
>  error:
>  	wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken,
>  			    status);
> +	wpa_tdls_peer_free(sm, peer);
>  	return -1;

I should have noticed that before pushing the commits, but well, didn't.
Thankfully static analyzers are more alert at this hour, so this got
fixed quickly.. That's a NULL pointer dereference on peer if the first
goto error case is hit (unlikely, but possible).
Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list