[PATCH 0/2] RFC - support P2P group removal on ctrl_iface
Toby Gray
toby.gray
Tue Oct 14 10:34:41 PDT 2014
Hello,

I've noticed that it's possible to get wpa_supplicant to access
already free'd memory by doing the following:

* Form a P2P connection
* Connect to wpa_supplicant on the ctrl_iface for the P2P interface
  (e.g. p2p-wlan0-1).
* Send wpa_supplicant a "P2P_REMOVE_GROUP *" command

As wpa_supplicant removes the group when processing the command it
then attempts to use the deleted struct wpa_supplicant when logging
the error in sending the response.

The first patch adds a test case for this. The test case does trigger
a SEGV in logs/current/log5 (or valgrind warnings) but this doesn't
seem to cause a test failure. Is that expected behaviour for the
wpa_supplicant tests?

The second patch isn't really a serious suggestion for a fix to the
issue, but just a quick hack to confirm that the problem was really as
I thought.

Any suggestions on a fix which isn't a nasty hack are welcomed (and
I'm happy to create a suitable patch, I just need a suggestion for the
direction to take).

Regards,
Toby
Toby Gray (2):
tests: Add tests for removing a P2P group via the group control
interface
Use parent interface if available when logging ctrl_iface send
failures.
tests/hwsim/test_p2p_device.py | 17 +++++++++++++++++
wpa_supplicant/ctrl_iface_unix.c | 7 ++++++-
2 files changed, 23 insertions(+), 1 deletion(-)
--
1.8.3.4
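
Added example, not part of the original message and not wpa_supplicant code: a small C model of the lifetime problem described above, where a command handler frees the interface it runs on and the reply-failure logging must then use a context that is still allocated. The struct, the function names, the log text and the "handler reports removal" return convention are all assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the lifetime bug; no name here is wpa_supplicant's. */
struct iface {
    char name[16];
    struct iface *parent;              /* NULL for the top-level interface */
};

static struct iface *iface_new(const char *name, struct iface *parent)
{
    struct iface *i = calloc(1, sizeof(*i));
    if (i) {
        snprintf(i->name, sizeof(i->name), "%s", name);
        i->parent = parent;
    }
    return i;
}

/* Handler returns 1 when it freed the interface it was invoked on. */
static int handle_cmd(struct iface *i, const char *cmd)
{
    if (i->parent && strcmp(cmd, "P2P_REMOVE_GROUP *") == 0) {
        free(i);
        return 1;
    }
    return 0;
}

/*
 * Receive path for the case where sending the reply fails and must be logged.
 * The unsafe shape is: handle_cmd(i, cmd); log(i->name);  which reads freed
 * memory after a group removal. Here the parent is read before dispatch and
 * the handler's return value selects a context that is still allocated.
 */
static const char *recv_then_log_send_failure(struct iface *i, const char *cmd,
                                              char *out, size_t n)
{
    struct iface *parent = i->parent;  /* must be captured before dispatch */
    struct iface *ctx = handle_cmd(i, cmd) ? parent : i;

    /* Constructed log text standing in for the real error message. */
    snprintf(out, n, "%s: ctrl_iface send failed", ctx->name);
    return out;
}
```

Building the unsafe shape named in the comment with AddressSanitizer, or running it under valgrind, reports the read of the freed struct instead of letting it pass silently.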