[PATCH 6/7] TDLS: remove peer from global peer-list on free
Arik Nemtsov
arik
Mon Jun 16 23:25:31 PDT 2014
On Mon, Jun 16, 2014 at 11:53 PM, Jouni Malinen <j at w1.fi> wrote:
> On Tue, Jun 10, 2014 at 09:19:09PM +0300, Ilan Peer wrote:
>> From: Arik Nemtsov <arik at wizery.com>
>>
>> Also fix a small bug where a peer was used after free.
>
> Hmm.. Could you please clarify where that bug is? I'd assume this was
> referring to the addition of the tmp pointer here:
>
>> void wpa_tdls_teardown_peers(struct wpa_sm *sm)
>> {
>> - struct wpa_tdls_peer *peer;
>> + struct wpa_tdls_peer *peer, *tmp;
>>
>> peer = sm->tdls;
>>
>> wpa_printf(MSG_DEBUG, "TDLS: Tear down peers");
>>
>> while (peer) {
>> + tmp = peer->next;
>> wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR,
>> MAC2STR(peer->addr));
>> if (sm->tdls_external_setup)
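Review bot: reading the successor into tmp before the teardown call is the right ordering for a walk whose body may release the current node, but the "used after free" wording in the commit message overstates what is being fixed: as noted in this thread, wpa_tdls_peer_free() does not free the peer data before the other parts of this patch are applied, so the message should describe the tmp pointer as preparing the loop for the free this patch introduces rather than as fixing an existing use-after-free.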
>> @@ -2634,7 +2660,7 @@ void wpa_tdls_teardown_peers(struct wpa_sm *sm)
>> else
>> wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr);
>>
>> - peer = peer->next;
>> + peer = tmp;
>> }
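Review bot: `peer = tmp;` carries no comment, so a later reader has to reconstruct why the plain `peer = peer->next` was replaced; a one-line comment at the top of the loop body, for example `/* teardown may free peer below; fetch next first */`, would record that the loop now depends on the teardown path releasing the node.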
>
> But that would not be use after free before the other parts of this
> patch were applied (wpa_tdls_peer_free() does not currently free the
> peer data, it only clears number of items in it).
>
> Did I miss something else that would be using freed memory?
No, you're correct. Before, it wasn't a use-after-free per se, since
data wasn't freed.
My wording was not accurate. But I'd argue that it's nicer to use "tmp" anyway.
Arik
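The ordering issue debated above, reduced to a stand-alone model: a singly-linked peer list whose free routine also unlinks the node from the global list head, so that the teardown walk must fetch the successor before the call that may free the current node. This is an added illustration, not code from wpa_supplicant or from this patch; the names (peer_ctx, tdls_peer, peer_add, peer_free, teardown_oper, teardown_peers, run_demo) and the three addresses are constructed for the example.

```c
/* Added example (not wpa_supplicant code): a peer list whose free routine
 * unlinks the node, mirroring the pattern the patch discusses. All names
 * and sample addresses here are hypothetical. */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

struct tdls_peer {
    struct tdls_peer *next;
    unsigned char addr[6];
};

struct peer_ctx {
    struct tdls_peer *tdls;     /* head of the global peer list */
    int torn_down;              /* number of teardown notifications issued */
};

/* Adds a peer at the head of the list; returns NULL on allocation failure. */
static struct tdls_peer *peer_add(struct peer_ctx *ctx, const unsigned char *addr)
{
    struct tdls_peer *p = calloc(1, sizeof(*p));
    if (!p)
        return NULL;
    memcpy(p->addr, addr, sizeof(p->addr));
    p->next = ctx->tdls;
    ctx->tdls = p;
    return p;
}

/* Unlinks the peer from the global list and releases it. After this call the
 * pointer is dangling and must not be dereferenced, peer->next included. */
static void peer_free(struct peer_ctx *ctx, struct tdls_peer *peer)
{
    struct tdls_peer **pp;
    for (pp = &ctx->tdls; *pp; pp = &(*pp)->next) {
        if (*pp == peer) {
            *pp = peer->next;
            break;
        }
    }
    free(peer);
}

/* Stands in for the teardown notification; in this model it frees the peer
 * as a side effect, which is what makes the walk below ordering-sensitive. */
static void teardown_oper(struct peer_ctx *ctx, struct tdls_peer *peer)
{
    ctx->torn_down++;
    peer_free(ctx, peer);
}

/* Tears down every peer. The successor is read into tmp before the teardown
 * call because the callee frees the current node; reading peer->next after
 * the call would be a use after free. Returns the number of peers torn down. */
static int teardown_peers(struct peer_ctx *ctx)
{
    struct tdls_peer *peer = ctx->tdls, *tmp;
    int n = 0;

    while (peer) {
        tmp = peer->next;          /* must happen before teardown_oper() */
        teardown_oper(ctx, peer);  /* peer is invalid from here on */
        n++;
        peer = tmp;
    }
    return n;
}

/* Builds a three-peer list, tears it down and checks that the list head is
 * empty and the notification count matches. Returns the number of peers
 * torn down, or -1 on any inconsistency. */
static int run_demo(void)
{
    struct peer_ctx ctx = { NULL, 0 };
    const unsigned char a1[6] = {0x02, 0, 0, 0, 0, 1};   /* constructed */
    const unsigned char a2[6] = {0x02, 0, 0, 0, 0, 2};
    const unsigned char a3[6] = {0x02, 0, 0, 0, 0, 3};
    int n;

    if (!peer_add(&ctx, a1) || !peer_add(&ctx, a2) || !peer_add(&ctx, a3))
        return -1;
    n = teardown_peers(&ctx);
    if (ctx.tdls != NULL || ctx.torn_down != n)
        return -1;
    return n;
}

int main(void)
{
    printf("peers torn down: %d\n", run_demo());
    return 0;
}
```

Building this with `-fsanitize=address` and moving the `tmp = peer->next` read to after the `teardown_oper()` call turns the ordering question into a concrete heap-use-after-free report on the second iteration, which is the quickest way to confirm whether a given free path really invalidates the node the loop is standing on.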