[PATCH] hostapd: hostapd_cleanup_iface_partial: fix hw_features use after free
Petr Štetiar
ynezz at true.cz
Tue Dec 17 23:50:18 PST 2024
From: Petr Štetiar <petr.stetiar at prplfoundation.org>
Currently when the iface is being cleaned up, the
hostapd_free_hw_features() is called which frees the underlying
hw_features and the struct is being NULLed, but the num_hw_features
counter is not being reset, thus following commonly used access
constructs:
    for (i = 0; i < iface->num_hw_features; i++)
        acs_cleanup_mode(&iface->hw_features[i]);
This might then lead to use after free and hostapd for example might
crash during configuration reload on disabled interfaces:
$ hostapd -ddt /tmp/wlan2_hapd.conf &
$ hostapd_cli -i wlan2 raw DISABLE
Fri Oct 4 20:44:04 2024 1728074644.706408: wlan2: AP-DISABLED
$ kill -SIGHUP $(pidof hostapd)
Segmentation fault (core dumped) hostapd -ddt /tmp/wlan2_hapd.conf
So let's fix it by resetting the num_hw_features counter to 0, so the
code will not try to access the freed memory in the hw_features struct.
Reported-by: Mohammed SI ALI <mohammed.siali at softathome.com>
Tested-by: Houssem Dafdouf <houssem.dafdouf_ext at softathome.com>
Signed-off-by: Petr Štetiar <ynezz at true.cz>
Signed-off-by: Petr Štetiar <petr.stetiar at prplfoundation.org>
---
src/ap/hostapd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
index 9dfc21e00f3e..f3945f868f5e 100644
--- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c
@@ -710,6 +710,7 @@ void hostapd_cleanup_iface_partial(struct hostapd_iface *iface)
acs_cleanup(iface);
hostapd_free_hw_features(iface->hw_features, iface->num_hw_features);
iface->hw_features = NULL;
+ iface->num_hw_features = 0;
iface->current_mode = NULL;
os_free(iface->current_rates);
iface->current_rates = NULL;
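Review bot: the reset of `iface->num_hw_features` is correctly placed after the `hostapd_free_hw_features(iface->hw_features, iface->num_hw_features)` call, since that call still needs the old count to free each mode; moving it above the free would leak the per-mode allocations. One follow-up worth checking in the same file: any other path that sets `iface->hw_features = NULL` after freeing should also zero the counter, otherwise the `for (i = 0; i < iface->num_hw_features; i++)` pattern quoted in the commit message remains reachable there with the same stale-pointer result. A one-line comment next to the reset (e.g. "keep the counter consistent with the freed array") would make the invariant explicit for future edits.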