[PATCH 6/7] TDLS: remove peer from global peer-list on free
Arik Nemtsov
arik
Tue Jun 17 07:50:44 PDT 2014
On Tue, Jun 17, 2014 at 5:21 PM, Jouni Malinen <j at w1.fi> wrote:
> On Tue, Jun 17, 2014 at 09:25:31AM +0300, Arik Nemtsov wrote:
>> No, you're correct. Before, it wasn't a use-after-free per se, since
>> data wasn't freed.
>
> OK, thanks.
>
>> My wording was not accurate. But I'd argue that it's nicer to use "tmp" anyway..
>
> Sure, that's fine. However, this patch introduces a number of cases where
> freed memory is accessed. Have you tried running this against the hwsim
> test cases? I would strongly recommend doing so for new contributions
> especially when changing allocation style. As an example, wpa_supplicant
> for wlan1 would crash in ap_wpa2_tdls_concurrent_init. More generally,
> any path where wpa_tdls_disable_peer_link(sm, peer) is followed by
> anything dereferencing the peer pointer will break. There are multiple
> such cases in tdls.c.

You're right. I actually have an internal patch for that, but we'll do
some more testing to make sure we didn't miss any of the cases.

Arik
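
The hazard discussed in this thread (a disable call that now unlinks and frees the peer, followed by code that still dereferences it), shown as an added example that is not code from wpa_supplicant or from the patch. The structures and the names peer_add, peer_disable_link and drop_stale are hypothetical stand-ins; the caller saves the next pointer and any needed field before the call that frees the peer.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for illustration, not wpa_supplicant's structures. */
struct peer { struct peer *next; int id; int stale; };
struct sm { struct peer *peers; };   /* head of the global peer list */

static struct peer *peer_add(struct sm *sm, int id, int stale)
{
    struct peer *p = calloc(1, sizeof(*p));
    if (!p) return NULL;
    p->id = id; p->stale = stale;
    p->next = sm->peers;
    sm->peers = p;
    return p;
}

/* Unlinks the peer from the list and frees it: the caller's pointer dangles. */
static void peer_disable_link(struct sm *sm, struct peer *peer)
{
    for (struct peer **pp = &sm->peers; *pp; pp = &(*pp)->next)
        if (*pp == peer) { *pp = peer->next; break; }
    free(peer);
}

/* Drops stale peers and returns the sum of their ids, using only saved copies. */
static int drop_stale(struct sm *sm)
{
    struct peer *peer = sm->peers, *tmp;
    int sum = 0;
    while (peer) {
        tmp = peer->next;          /* read the link before the peer can be freed */
        if (peer->stale) {
            int id = peer->id;     /* copy anything needed after the free */
            peer_disable_link(sm, peer);
            sum += id;             /* peer->id here would read freed memory */
        }
        peer = tmp;                /* never step through the freed node */
    }
    return sum;
}

int main(void)
{
    struct sm sm = { NULL };
    peer_add(&sm, 1, 1); peer_add(&sm, 2, 0); peer_add(&sm, 3, 1); /* constructed input */
    printf("dropped id sum=%d\n", drop_stale(&sm));
    peer_disable_link(&sm, sm.peers);  /* free the surviving peer */
    return 0;
}
```

Building this with -fsanitize=address and replacing the saved copies with direct reads of peer after peer_disable_link() reproduces the class of crash the review describes.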