[PATCH 6/7] TDLS: remove peer from global peer-list on free

Arik Nemtsov arik
Mon Jun 16 23:25:31 PDT 2014


On Mon, Jun 16, 2014 at 11:53 PM, Jouni Malinen <j at w1.fi> wrote:
> On Tue, Jun 10, 2014 at 09:19:09PM +0300, Ilan Peer wrote:
>> From: Arik Nemtsov <arik at wizery.com>
>>
>> Also fix a small bug where a peer was used after free.
>
> Hmm.. Could you please clarify where that bug is? I'd assume this was
> referring to the addition of the tmp pointer here:
>
>>  void wpa_tdls_teardown_peers(struct wpa_sm *sm)
>>  {
>> -     struct wpa_tdls_peer *peer;
>> +     struct wpa_tdls_peer *peer, *tmp;
>>
>>       peer = sm->tdls;
>>
>>       wpa_printf(MSG_DEBUG, "TDLS: Tear down peers");
>>
>>       while (peer) {
>> +             tmp = peer->next;
>>               wpa_printf(MSG_DEBUG, "TDLS: Tear down peer " MACSTR,
>>                          MAC2STR(peer->addr));
>>               if (sm->tdls_external_setup)
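Review bot: the `tmp = peer->next;` added here only prevents a use-after-free once the teardown call made in this loop actually frees the peer; as the reply below points out, wpa_tdls_peer_free() does not free the peer data before this series, so the commit message should describe this as preparation for the later free rather than as a fix for an existing use-after-free.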
>> @@ -2634,7 +2660,7 @@ void wpa_tdls_teardown_peers(struct wpa_sm *sm)
>>               else
>>                       wpa_sm_tdls_oper(sm, TDLS_TEARDOWN, peer->addr);
>>
>> -             peer = peer->next;
>> +             peer = tmp;
>>       }
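Review bot: `peer = tmp;` is correct, but `tmp` only ever holds the successor saved at the top of the loop, so naming it `next` would state the intent more clearly than a generic `tmp`.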
>
> But that would not be use after free before the other parts of this
> patch were applied (wpa_tdls_peer_free() does not currently free the
> peer data, it only clears number of items in it).
>
> Did I miss something else that would be using freed memory?

No, you're correct. Before, it wasn't a use-after-free per se, since
data wasn't freed.
My wording was not accurate. But I'd argue that it's nicer to use "tmp" anyway.

Arik
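The point under discussion, as an added example that is not hostap code: a model of the teardown loop in which the per-peer teardown really frees the peer, so that reading `peer->next` after the call would touch freed memory. The struct names, `peer_teardown()` and `demo()` are stand-ins assumed for illustration, not wpa_supplicant's own.

```c
/* Added example (not hostap code): a model of wpa_tdls_teardown_peers() where
 * the per-peer teardown really frees the peer, so peer->next must be saved first. */
#include <stdlib.h>

struct tdls_peer { unsigned char addr[6]; struct tdls_peer *next; };
struct tdls_sm { struct tdls_peer *peers; int torn_down; };  /* stand-in for wpa_sm */

/* Stand-in for the teardown path: unlinks the peer and frees it, which is what
 * the later patches in this series make wpa_tdls_peer_free() do. */
static void peer_teardown(struct tdls_sm *sm, struct tdls_peer *peer)
{
    struct tdls_peer **pp;
    for (pp = &sm->peers; *pp; pp = &(*pp)->next)
        if (*pp == peer) { *pp = peer->next; break; }
    sm->torn_down++;
    free(peer);                  /* from here on, peer->next is a use-after-free */
}

/* Safe iteration: read the successor before the callee may free the node.
 * Writing `peer = peer->next;` after peer_teardown() would read freed memory. */
int teardown_all_peers(struct tdls_sm *sm)
{
    struct tdls_peer *peer = sm->peers, *tmp;
    while (peer) {
        tmp = peer->next;        /* saved before the free */
        peer_teardown(sm, peer);
        peer = tmp;
    }
    return sm->torn_down;
}

/* Build a constructed list of n peers, tear them all down, and return the
 * number torn down, or -1 if the list was not emptied. */
int demo(int n)
{
    struct tdls_sm sm = { NULL, 0 };
    for (int i = 0; i < n; i++) {
        struct tdls_peer *p = calloc(1, sizeof(*p));
        p->addr[5] = (unsigned char)i;   /* constructed dummy address */
        p->next = sm.peers;
        sm.peers = p;
    }
    int count = teardown_all_peers(&sm);
    return sm.peers == NULL ? count : -1;
}
```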
