[PATCH 6/7] TDLS: remove peer from global peer-list on free

Jouni Malinen
Tue Jun 17 07:21:37 PDT 2014

On Tue, Jun 17, 2014 at 09:25:31AM +0300, Arik Nemtsov wrote:
> No you're correct. Before, it wasn't a use-after-free per-se, since
> data wasn't freed.

OK, thanks.

> My wording was not accurate. But I'd argue that it's nicer to use "tmp" anyway..

Sure, that's fine. However, this patch introduces a number of cases where
freed memory is accessed. Have you tried running this against the hwsim
test cases? I would strongly recommend doing so for new contributions,
especially when changing allocation style. As an example, wpa_supplicant
for wlan1 would crash in ap_wpa2_tdls_concurrent_init. More generally,
any path where wpa_tdls_disable_peer_link(sm, peer) is followed by
anything dereferencing the peer pointer will break. There are multiple
such cases in tdls.c.

Jouni Malinen                                            PGP id EFC895FA
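
The caller-side pattern the message above warns about, as an added example that is not part of the original mail and is not wpa_supplicant code: once a disable call also frees the entry, callers must take whatever they need from the peer before making the call. All structures and function names below (struct peer, struct sm, add_peer, disable_peer_link, teardown_peer, teardown_all) are hypothetical stand-ins, and the variable name tmp is this example's choice.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins; not the structures from tdls.c. */
struct peer { struct peer *next; unsigned char addr[6]; };
struct sm { struct peer *peers; };

struct peer *add_peer(struct sm *sm, const unsigned char *addr)
{
    struct peer *p = calloc(1, sizeof(*p));
    if (!p)
        return NULL;
    memcpy(p->addr, addr, sizeof(p->addr));
    p->next = sm->peers;
    sm->peers = p;
    return p;
}

/* Models the ownership change: disabling also unlinks and frees the entry. */
void disable_peer_link(struct sm *sm, struct peer *peer)
{
    struct peer **pp = &sm->peers;
    while (*pp && *pp != peer)
        pp = &(*pp)->next;
    if (*pp)
        *pp = peer->next;
    free(peer);
}

/* Caller that needs the address afterwards: copy it out before the call. */
void teardown_peer(struct sm *sm, struct peer *peer, unsigned char *addr_out)
{
    memcpy(addr_out, peer->addr, sizeof(peer->addr));
    disable_peer_link(sm, peer);
    /* peer is dangling here; reading peer->addr now would be use-after-free */
}

/* Caller that walks the list: read next into tmp before the entry is freed. */
int teardown_all(struct sm *sm)
{
    struct peer *peer = sm->peers, *tmp;
    int n = 0;
    while (peer) {
        tmp = peer->next;
        disable_peer_link(sm, peer);
        peer = tmp;
        n++;
    }
    return n;
}
```

Building callers like these with -fsanitize=address and running them under a test suite turns any remaining access after the free into an immediate, located report.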