[PATCH] Fix a compiler warning on use-after-free

Mon Aug 7 03:06:56 PDT 2023

From: Chien Wong <m at xv97.com>
Date: Sun, 6 Aug 2023 23:17:47 +0800
Subject: [PATCH] Fix a compiler warning on use-after-free

Fix the warning given by GCC 13.2.1:
bss.c: In function ‘wpa_bss_update’:
bss.c:741:25: warning: pointer ‘bss’ may be used after ‘realloc’ 
[-Wuse-after-free]
   741 | wpa_bss_update_pending_connect(wpa_s, bss, nbss);

The warning is a false positive. GCC cannot figure out that
wpa_bss_update_pending_connect() does not access bss thus gives the warning.
Indeed, no invalid access is occured here. Fixed by keeping pointer bss
valid until freed. As a general rule, references should be cleared as
soon as object is freed. All calls to os_realloc() were checked: they
all follow the pattern that old reference is updated almost immediately
after realloc.

Signed-off-by: Chien Wong <m at xv97.com>
---
  wpa_supplicant/bss.c | 7 +++++--
  1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/wpa_supplicant/bss.c b/wpa_supplicant/bss.c
index 320441426..3eafd5764 100644
--- a/wpa_supplicant/bss.c
+++ b/wpa_supplicant/bss.c
@@ -726,10 +726,12 @@ wpa_bss_update(struct wpa_supplicant *wpa_s, 
struct wpa_bss *bss,
          struct wpa_bss *nbss;
          struct dl_list *prev = bss->list_id.prev;
          dl_list_del(&bss->list_id);
-        nbss = os_realloc(bss, sizeof(*bss) + res->ie_len +
-                  res->beacon_ie_len);
+        nbss = os_malloc(sizeof(*bss) + res->ie_len +
+                 res->beacon_ie_len);
          if (nbss) {
              unsigned int i;
+            os_memcpy(nbss, bss, sizeof(*bss) + bss->ie_len +
+                  bss->beacon_ie_len);
              for (i = 0; i < wpa_s->last_scan_res_used; i++) {
                  if (wpa_s->last_scan_res[i] == bss) {
                      wpa_s->last_scan_res[i] = nbss;
@@ -739,6 +741,7 @@ wpa_bss_update(struct wpa_supplicant *wpa_s, struct 
wpa_bss *bss,
              if (wpa_s->current_bss == bss)
                  wpa_s->current_bss = nbss;
              wpa_bss_update_pending_connect(wpa_s, bss, nbss);
+            os_free(bss);
              bss = nbss;
              os_memcpy(bss->ies, res + 1,
                    res->ie_len + res->beacon_ie_len);
-- 
2.41.0


-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <http://lists.infradead.org/pipermail/hostap/attachments/20230807/71a5ec0e/attachment.sig>
