[PATCH] Fix a compiler warning on use-after-free

Krishna Chaitanya chaitanya.mgit at gmail.com
Mon Aug 7 12:13:31 PDT 2023


On Mon, Aug 7, 2023 at 3:42 PM Chien Wong <m at xv97.com> wrote:
>
> From: Chien Wong <m at xv97.com>
> Date: Sun, 6 Aug 2023 23:17:47 +0800
> Subject: [PATCH] Fix a compiler warning on use-after-free
>
> Fix the warning given by GCC 13.2.1:
> bss.c: In function ‘wpa_bss_update’:
> bss.c:741:25: warning: pointer ‘bss’ may be used after ‘realloc’
> [-Wuse-after-free]
>    741 | wpa_bss_update_pending_connect(wpa_s, bss, nbss);
>
> The warning is a false positive. GCC cannot figure out that
> wpa_bss_update_pending_connect() does not access bss, and thus gives the warning.
> Indeed, no invalid access occurs here. Fixed by keeping the pointer bss
> valid until freed. As a general rule, references should be cleared as
> soon as the object is freed. All calls to os_realloc() were checked: they
> all follow the pattern that the old reference is updated almost immediately
> after realloc.
>
> Signed-off-by: Chien Wong <m at xv97.com>
> ---
>   wpa_supplicant/bss.c | 7 +++++--
>   1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/wpa_supplicant/bss.c b/wpa_supplicant/bss.c
> index 320441426..3eafd5764 100644
> --- a/wpa_supplicant/bss.c
> +++ b/wpa_supplicant/bss.c
> @@ -726,10 +726,12 @@ wpa_bss_update(struct wpa_supplicant *wpa_s,
> struct wpa_bss *bss,
>           struct wpa_bss *nbss;
>           struct dl_list *prev = bss->list_id.prev;
>           dl_list_del(&bss->list_id);
> -        nbss = os_realloc(bss, sizeof(*bss) + res->ie_len +
> -                  res->beacon_ie_len);
> +        nbss = os_malloc(sizeof(*bss) + res->ie_len +
> +                 res->beacon_ie_len);
>           if (nbss) {
>               unsigned int i;
> +            os_memcpy(nbss, bss, sizeof(*bss) + bss->ie_len +
> +                  bss->beacon_ie_len);
>               for (i = 0; i < wpa_s->last_scan_res_used; i++) {
>                   if (wpa_s->last_scan_res[i] == bss) {
>                       wpa_s->last_scan_res[i] = nbss;
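Review bot: the os_memcpy added inside `if (nbss) {` copies `sizeof(*bss) + bss->ie_len + bss->beacon_ie_len` bytes into a buffer that was sized from `res->ie_len + res->beacon_ie_len`, so it is only in bounds when the old IE total does not exceed the new one; the hunk does not show the enclosing test that guarantees this, and the old IE bytes are overwritten a few lines later by `os_memcpy(bss->ies, res + 1, ...)` in any case. Copying just the fixed part, `os_memcpy(nbss, bss, sizeof(*bss));`, makes the copy independent of both IE lengths and drops the redundant work. A short comment that os_malloc instead of os_realloc is deliberate (the old `bss` must stay valid for the reference fix-ups that follow) would also help here.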
> @@ -739,6 +741,7 @@ wpa_bss_update(struct wpa_supplicant *wpa_s, struct
> wpa_bss *bss,
>               if (wpa_s->current_bss == bss)
>                   wpa_s->current_bss = nbss;
>               wpa_bss_update_pending_connect(wpa_s, bss, nbss);
> +            os_free(bss);
>               bss = nbss;
>               os_memcpy(bss->ies, res + 1,
>                     res->ie_len + res->beacon_ie_len);
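Review bot: `os_free(bss);` is correctly placed after the last use of the old pointer in wpa_bss_update_pending_connect() and before `bss = nbss;`, but nothing in the code records why the allocation was split into os_malloc, copy and os_free; a one-line comment at the os_free, e.g. `/* All references to the old bss were updated above; release it now. */`, would stop a later cleanup from folding this back into os_realloc and reintroducing the warning.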
FYI, I had submitted a patch
https://patchwork.ozlabs.org/project/hostap/patch/20230420192821.376828-1-krishna.t@nordicsemi.no/
for this, but the fix is different.
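As an added illustration of the pattern the patch adopts (this is example code written for this page, not hostap code; the `entry`/`table` names, fields and sizes are hypothetical stand-ins for wpa_bss, last_scan_res[] and current_bss), the following C grows a variable-size object with malloc, copy and free instead of realloc, so the old pointer remains valid while every reference to it is redirected and is never read or compared after the free. It copies only the fixed header, which keeps the copy independent of the old and new payload lengths.

```c
/* Added example, not hostap code: grow a variable-size object with
 * malloc + copy + free instead of realloc, so the old pointer stays valid
 * while every reference to it is redirected. Names are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct entry {
    unsigned int id;
    size_t ie_len;
    uint8_t ies[];          /* flexible array member, like wpa_bss::ies */
};

struct table {              /* stand-in for last_scan_res[] and current_bss */
    struct entry *refs[8];
    size_t used;
    struct entry *current;
};

struct entry *entry_new(unsigned int id, const uint8_t *ies, size_t ie_len)
{
    struct entry *e = malloc(sizeof(*e) + ie_len);
    if (!e)
        return NULL;
    e->id = id;
    e->ie_len = ie_len;
    memcpy(e->ies, ies, ie_len);
    return e;
}

/* Replace the payload of e. Returns the entry that now holds the data: e
 * itself when the new payload fits, otherwise a fresh object after every
 * reference in t has been moved to it. On allocation failure e is returned
 * untouched. */
struct entry *entry_update(struct table *t, struct entry *e,
                           const uint8_t *ies, size_t ie_len)
{
    struct entry *n;
    size_t i;

    if (ie_len <= e->ie_len) {          /* fits: update in place */
        memcpy(e->ies, ies, ie_len);
        e->ie_len = ie_len;
        return e;
    }

    n = malloc(sizeof(*n) + ie_len);
    if (!n)
        return e;

    /* Copy only the fixed header: the old payload is replaced anyway, and
     * bounding the copy by sizeof(*n) does not depend on either length. */
    memcpy(n, e, sizeof(*n));
    memcpy(n->ies, ies, ie_len);
    n->ie_len = ie_len;

    /* Redirect every reference while e is still a valid, unfreed pointer. */
    for (i = 0; i < t->used; i++) {
        if (t->refs[i] == e)
            t->refs[i] = n;
    }
    if (t->current == e)
        t->current = n;

    free(e);                /* last use of e: nothing reads or compares it after this */
    return n;
}

/* Constructed scenario: one entry referenced twice from the table and as
 * current, grown from 3 to 5 payload bytes, then shrunk to 2 in place.
 * Returns 0 when every reference and the payload are as expected, else
 * the number of the failed check. */
int run_scenario(void)
{
    static const uint8_t v1[3] = { 0xdd, 0x01, 0xaa };
    static const uint8_t v2[5] = { 0xdd, 0x03, 0xaa, 0xbb, 0xcc };
    static const uint8_t v3[2] = { 0x00, 0x00 };
    struct table t = { { 0 }, 0, NULL };
    struct entry *e, *n, *m;
    int rc = 0;

    e = entry_new(7, v1, sizeof(v1));
    if (!e)
        return 1;
    t.refs[0] = e;
    t.refs[1] = e;
    t.used = 2;
    t.current = e;

    n = entry_update(&t, e, v2, sizeof(v2));
    if (n->ie_len != sizeof(v2) || memcmp(n->ies, v2, sizeof(v2)) != 0 ||
        n->id != 7)
        rc = 2;
    else if (t.refs[0] != n || t.refs[1] != n || t.current != n)
        rc = 3;

    m = entry_update(&t, n, v3, sizeof(v3));    /* shrink: no new object */
    if (rc == 0 && (m != n || m->ie_len != sizeof(v3) || t.current != n))
        rc = 4;

    free(m);
    return rc;
}
```

Compiling this with `gcc -Wall -O2` produces no -Wuse-after-free diagnostic, because the only pointer comparisons against `e` happen before `free(e)`; the scenario returns 0 when both reference slots and `current` end up on the new object.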


