[openwrt/openwrt] hostapd: fix a use-after-free bug when interfaces are removed during a scan

LEDE Commits lede-commits at lists.infradead.org
Tue Oct 21 01:24:44 PDT 2025


nbd pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/d924a0cff8e2f5f0f01217352ac711de768b1eaf

commit d924a0cff8e2f5f0f01217352ac711de768b1eaf
Author: Felix Fietkau <nbd at nbd.name>
AuthorDate: Tue Oct 21 08:23:30 2025 +0000

    hostapd: fix a use-after-free bug when interfaces are removed during a scan
    
    Whenever the first bss is removed, any pending scan still keeps a reference
    to it. Cancel it in order to prevent use-after-free bugs.
    
    Reported-by: Chad Monroe <chad.monroe at adtran.com>
    Signed-off-by: Felix Fietkau <nbd at nbd.name>
---
 ...cel-scans-whenever-the-first-bss-is-remov.patch | 22 ++++++++++++++++++++++
 .../patches/463-add-mcast_rate-to-11s.patch        |  4 ++--
 .../hostapd/patches/601-ucode_support.patch        |  6 +++---
 .../services/hostapd/patches/740-snoop_iface.patch |  4 ++--
 4 files changed, 29 insertions(+), 7 deletions(-)

diff --git a/package/network/services/hostapd/patches/192-nl80211-cancel-scans-whenever-the-first-bss-is-remov.patch b/package/network/services/hostapd/patches/192-nl80211-cancel-scans-whenever-the-first-bss-is-remov.patch
new file mode 100644
index 0000000000..24ddf5bcc0
--- /dev/null
+++ b/package/network/services/hostapd/patches/192-nl80211-cancel-scans-whenever-the-first-bss-is-remov.patch
@@ -0,0 +1,22 @@
+From: Felix Fietkau <nbd at nbd.name>
+Date: Tue, 21 Oct 2025 10:19:41 +0200
+Subject: [PATCH] nl80211: cancel scans whenever the first bss is removed
+
+Whenever the first bss is removed, any pending scan still keeps a reference
+to it. Cancel it in order to prevent use-after-free bugs.
+
+Signed-off-by: Felix Fietkau <nbd at nbd.name>
+---
+
+--- a/src/drivers/driver_nl80211.c
++++ b/src/drivers/driver_nl80211.c
+@@ -9261,6 +9261,9 @@ static int wpa_driver_nl80211_if_remove(
+ 			wpa_printf(MSG_INFO, "nl80211: %s - could not find "
+ 				   "BSS %p in the list", __func__, bss);
+ 	} else {
++		if (eloop_cancel_timeout(wpa_driver_nl80211_scan_timeout, drv, bss->ctx))
++			wpa_driver_nl80211_scan_timeout(drv, bss->ctx);
++
+ 		wpa_printf(MSG_DEBUG, "nl80211: First BSS - reassign context");
+ 		nl80211_teardown_ap(bss);
+ 		nl80211_remove_links(bss);
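Review bot: The cancellation added in the `else` branch only matches a timer registered with exactly the pair `(drv, bss->ctx)`, and the registration of `wpa_driver_nl80211_scan_timeout` is not visible in this hunk, so it should be confirmed that the scan path uses the same context pointer as the first BSS. If it registers a different one, `eloop_cancel_timeout()` returns 0, the handler never runs, and the stale reference this patch is meant to remove stays in place. The manual call to the timeout handler is also not self-explanatory and would benefit from a comment, e.g. `/* A pending scan still references this BSS: drop the timer and run its handler now so the scan is finished before the BSS goes away */`. What the handler does is inferred from the commit message, since its body is outside the hunk, as are the start and end of `wpa_driver_nl80211_if_remove()`.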
diff --git a/package/network/services/hostapd/patches/463-add-mcast_rate-to-11s.patch b/package/network/services/hostapd/patches/463-add-mcast_rate-to-11s.patch
index 1f77818a94..4dc107feba 100644
--- a/package/network/services/hostapd/patches/463-add-mcast_rate-to-11s.patch
+++ b/package/network/services/hostapd/patches/463-add-mcast_rate-to-11s.patch
@@ -29,7 +29,7 @@ Tested-by: Simon Wunderlich <simon.wunderlich at openmesh.com>
  struct wpa_driver_set_key_params {
 --- a/src/drivers/driver_nl80211.c
 +++ b/src/drivers/driver_nl80211.c
-@@ -12373,6 +12373,18 @@ static int nl80211_put_mesh_id(struct nl
+@@ -12376,6 +12376,18 @@ static int nl80211_put_mesh_id(struct nl
  }
  
  
@@ -48,7 +48,7 @@ Tested-by: Simon Wunderlich <simon.wunderlich at openmesh.com>
  static int nl80211_put_mesh_config(struct nl_msg *msg,
  				   struct wpa_driver_mesh_bss_params *params)
  {
-@@ -12434,6 +12446,7 @@ static int nl80211_join_mesh(struct i802
+@@ -12437,6 +12449,7 @@ static int nl80211_join_mesh(struct i802
  	    nl80211_put_basic_rates(msg, params->basic_rates) ||
  	    nl80211_put_mesh_id(msg, params->meshid, params->meshid_len) ||
  	    nl80211_put_beacon_int(msg, params->beacon_int) ||
diff --git a/package/network/services/hostapd/patches/601-ucode_support.patch b/package/network/services/hostapd/patches/601-ucode_support.patch
index dedea272a9..7bbf781275 100644
--- a/package/network/services/hostapd/patches/601-ucode_support.patch
+++ b/package/network/services/hostapd/patches/601-ucode_support.patch
@@ -484,7 +484,7 @@ as adding/removing interfaces.
  	}
  
  	if (drv->capa.flags2 & WPA_DRIVER_FLAGS2_CONTROL_PORT_RX) {
-@@ -9307,6 +9325,50 @@ static int wpa_driver_nl80211_if_remove(
+@@ -9310,6 +9328,50 @@ static int wpa_driver_nl80211_if_remove(
  	return 0;
  }
  
@@ -535,7 +535,7 @@ as adding/removing interfaces.
  
  static int cookie_handler(struct nl_msg *msg, void *arg)
  {
-@@ -11192,6 +11254,37 @@ static bool nl80211_is_drv_shared(void *
+@@ -11195,6 +11257,37 @@ static bool nl80211_is_drv_shared(void *
  #endif /* CONFIG_IEEE80211BE */
  
  
@@ -573,7 +573,7 @@ as adding/removing interfaces.
  static int driver_nl80211_send_mlme(void *priv, const u8 *data,
  				    size_t data_len, int noack,
  				    unsigned int freq,
-@@ -15011,6 +15104,8 @@ const struct wpa_driver_ops wpa_driver_n
+@@ -15014,6 +15107,8 @@ const struct wpa_driver_ops wpa_driver_n
  	.set_acl = wpa_driver_nl80211_set_acl,
  	.if_add = wpa_driver_nl80211_if_add,
  	.if_remove = driver_nl80211_if_remove,
diff --git a/package/network/services/hostapd/patches/740-snoop_iface.patch b/package/network/services/hostapd/patches/740-snoop_iface.patch
index f40356ad23..ec907ea838 100644
--- a/package/network/services/hostapd/patches/740-snoop_iface.patch
+++ b/package/network/services/hostapd/patches/740-snoop_iface.patch
@@ -123,7 +123,7 @@ untagged DHCP packets
  	 * get_wowlan - Get wake-on-wireless status
 --- a/src/drivers/driver_nl80211.c
 +++ b/src/drivers/driver_nl80211.c
-@@ -12893,7 +12893,7 @@ static const char * drv_br_net_param_str
+@@ -12896,7 +12896,7 @@ static const char * drv_br_net_param_str
  
  
  static int wpa_driver_br_set_net_param(void *priv, enum drv_br_net_param param,
@@ -132,7 +132,7 @@ untagged DHCP packets
  {
  	struct i802_bss *bss = priv;
  	char path[128];
-@@ -12919,8 +12919,11 @@ static int wpa_driver_br_set_net_param(v
+@@ -12922,8 +12922,11 @@ static int wpa_driver_br_set_net_param(v
  			return -EINVAL;
  	}
  



