[PATCH] hostapd: hostapd_cleanup_iface_partial: fix hw_features use after free
Jouni Malinen
j at w1.fi
Sun Dec 22 14:46:22 PST 2024
On Wed, Dec 18, 2024 at 07:50:18AM +0000, Petr Štetiar wrote:
> Currently when the iface is being cleaned up, the
> hostapd_free_hw_features() is called which frees the underlying
> hw_features and the struct is being NULLed, but the num_hw_features
> counter is not being reset, thus following commonly used access
> constructs:
>
>   for (i = 0; i < iface->num_hw_features; i++)
>           acs_cleanup_mode(&iface->hw_features[i]);
>
> This might then lead to use after free and hostapd for example might
> crash during configuration reload on disabled interfaces:
>
> $ hostapd -ddt /tmp/wlan2_hapd.conf &
> $ hostapd_cli -i wlan2 raw DISABLE
>
> Fri Oct 4 20:44:04 2024 1728074644.706408: wlan2: AP-DISABLED
>
> $ kill -SIGHUP $(pidof hostapd)
> Segmentation fault (core dumped) hostapd -ddt /tmp/wlan2_hapd.conf
>
> So let's fix it by resetting the num_hw_features counter to 0, so the
> code will not try to access the freed memory in hw_features struct.
Thanks, applied.
--
Jouni Malinen PGP id EFC895FA
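
The stale-counter condition described in the quoted commit message, as an added example (not hostapd code and not part of the patch). The struct and function names (mode_model, iface_model, cleanup_stale, cleanup_fixed, invalid_accesses, visit_modes) are hypothetical; only hw_features and num_hw_features mirror the fields named in the message.

```c
#include <stddef.h>
#include <stdlib.h>
/* Hypothetical stand-ins for hostapd's mode data and interface state. */
struct mode_model { int acs_state; };
struct iface_model { struct mode_model *hw_features; size_t num_hw_features; };

static int iface_alloc(struct iface_model *iface, size_t n)
{
    iface->hw_features = calloc(n, sizeof(*iface->hw_features));
    iface->num_hw_features = iface->hw_features ? n : 0;
    return iface->hw_features ? 0 : -1;
}

/* Before the fix: array freed and pointer NULLed, counter left stale. */
static void cleanup_stale(struct iface_model *iface)
{
    free(iface->hw_features);
    iface->hw_features = NULL;
}

/* After the fix: pointer and counter are reset together. */
static void cleanup_fixed(struct iface_model *iface)
{
    cleanup_stale(iface);
    iface->num_hw_features = 0;
}

/* hw_features[i] accesses the quoted loop would make with no backing array. */
static size_t invalid_accesses(const struct iface_model *iface)
{
    return iface->hw_features ? 0 : iface->num_hw_features;
}

/* Same loop shape as quoted, but refusing inconsistent state (returns -1). */
static long visit_modes(struct iface_model *iface)
{
    size_t i;
    if (invalid_accesses(iface)) return -1;
    for (i = 0; i < iface->num_hw_features; i++)
        iface->hw_features[i].acs_state = 0;
    return (long) i;
}

int main(void)
{
    struct iface_model iface;
    if (iface_alloc(&iface, 3)) return 1;
    cleanup_fixed(&iface);
    return visit_modes(&iface) == 0 ? 0 : 1;
}
```

A check like invalid_accesses() can also serve as a debug assertion at cleanup and reload boundaries, so a pointer/counter mismatch is caught before any loop indexes the array.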