[PATCH 2/7] TDLS: bail on STA add failure in tpk_m1 processing

Arik Nemtsov arik
Mon Jun 16 23:28:59 PDT 2014

On Tue, Jun 17, 2014 at 2:00 AM, Jouni Malinen <j at w1.fi> wrote:
> On Tue, Jun 10, 2014 at 09:19:05PM +0300, Ilan Peer wrote:
>> From: Arik Nemtsov <arik at wizery.com>
>> The driver might not be able to add the TDLS STA. Fail if this happens.
>> Also fix the error path to always reset the TDLS peer data.
>> diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c
>> index c08d2f9..e712a4d 100644
>> --- a/src/rsn_supp/tdls.c
>> +++ b/src/rsn_supp/tdls.c
>> @@ -1919,6 +1920,7 @@ skip_rsn_check:
>>  error:
>>       wpa_tdls_send_error(sm, src_addr, WLAN_TDLS_SETUP_RESPONSE, dtoken,
>>                           status);
>> +     wpa_tdls_peer_free(sm, peer);
>>       return -1;
> I should have noticed that before pushing the commits, but well, didn't.
> Thankfully static analyzers are more alert at this hour, so this got
> fixed quickly.. That's a NULL pointer dereference on peer if the first
> goto error case is hit (unlikely, but possible).

Right. Thanks.

Looking at the patch again made me realized I forgot to handle the
wpa_sm_tdls_peer_addset call where we initiate the connection. I'll
fix it.
I also have some more patches in the pipe for QoS/HT TDLS with mac80211.


More information about the Hostap mailing list